Texas A&M Identity Services collects demographic, role and contact data to support identity
management, provisioning, authentication, and authorization. Texas A&M service providers may
request limited access to approved datasets. All requests are subject to a rigorous, cross
functional review to determine appropriateness of use.
The following data governance policies are designed to ensure compliant use
of that information, protecting the security and privacy of that data.
Texas A&M Identity Services data use must be authorized by the appropriate data
custodians for student, employee or other data using the identity data request form
- This form is used by the service provider to specify what data elements are needed
for what purpose.
- The data obtained must be used only for the specific purpose and by the named requestor
identified on the request form. The data may not be redistributed, cannot be used for any
other purpose, and cannot be supplied to other applications. The data may not be used to
produce derivative works or in the creation and/or publication of reports without
- Texas A&M Identity Services data consumers will be contacted annually to verify
continued need for data access.
Texas A&M Identity Services data use must comply with the applicable Federal and State of Texas
regulations concerning privacy and security as well as complying with applicable University policy.
- Texas A&M Identity Services data use is specifically bound by the University
FERPA Policy and University
Acceptable Use Guidelines.
- Campuses or units that have local applicable laws such as the Qatar "Data Protection Law" and,
when applicable, GDPR for EU citizens resident in the EU must ensure these protections are followed.
- If there is a third party contractual obligation that has specific identity data protection requirements
it is the responsibility of the requesting unit or program to first discuss with Texas A&M Identity
Texas A&M Identity Services data consumers must provide information on what Texas A&M
Identity Services data they store locally.
Texas A&M Identity Services data consumers must apply all required controls to ensure the
security and privacy of identity data whether at rest (stored) or in motion (transmitted).
- All systems receiving data must have an annual risk assessment completed and a current
(less than 30 days old) vulnerability scan performed by Division of IT Security Assessment.
- All systems receiving data must install Division of IT supplied forwarder and provide
data (access logs and other system logs) to the SIEM operated by IT Security Operations.
- Utilize security best practices as posted at
Consumers of Texas A&M Identity Services data responsible for any security breach
traceable to their use or specific authorization will be reported to the Chief Information
All systems receiving data are subject to periodic audits, annual risk assessments, and monthly vulnerability