Case #1: Maintain information security with appropriate electronic safeguards.

Marvin has a demanding schedule filled with clinic, research, and teaching obligations.  He has just hired a new assistant, Jan, who will support his calendar and handle other administrative matters on his behalf.  At the end of a particularly busy quarter, Marvin is traveling when he remembers that his effort report is due.  He does not have internet access in transit, so he telephones Jan to use his BlazerID and password to access his account and certify his effort report.

Is this a concern?

  1. No.  Marvin is merely being efficient, knowing that delinquent effort reports are a violation of UAB’s Effort Reporting Policy.
  2. No, since Marvin gave his BlazerID and password only for an emergency situation.
  3. No.  Certifying effort reports is merely an administrative function that can easily be fulfilled by an assistant.
  4. Yes.  Sharing BlazerID passwords is a violation of UAB’s Data Protection and Security Policy.
D.  BlazerIDs and passwords are electronic representations of individuals.  When a process requires the use of BlazerIDs and passwords, the data entered, certified, approved, or rejected can be attributed to a particular person or role within the university.  As such, BlazerIDs and passwords should never be shared.  Despite Marvin's busy schedule, he should not ask Jan to use his access to handle his personal information.  In this case, the best option is for Marvin to find a few minutes to review and certify his effort report or request that any necessary changes be made.  In the absence of time or capacity to do that, Marvin should let someone know that he recognizes the importance of accurate, timely effort reporting, but that this quarter he will be a bit late.

Case #1 Continued

In the case above, Marvin is in such a rush to get his effort report submitted that he decides – against better judgment – to give his BlazerID and password to Jan.  At the time, he made a mental note to change his password, but when he arrives back in the office, his daily activities distract him, and he forgets.  Several months later, Marvin gets a call from his department chair, asking him about excessive overtime pay, computer equipment purchases, and meal reimbursements that he approved for Jan during that previous quarter.  Marvin knows that he did not approve those and realizes that Jan must be using his BlazerID and password to approve Oracle documents on his behalf.

What should Marvin do?

  1. Tell his chair that she had been working on a big project that involved additional data entry, entertaining collaborators, and working from home, and then immediately discipline Jan for abusing his access.
  2. Tell his chair that he did notice Jan’s overtime, purchases, and reimbursements and that he must have approved them by mistake.
  3. Tell Department Chair Bert that he made a mistake by giving Jan his BlazerID and password to handle some administrative functions and that he is concerned she is now abusing his access for personal gain.

C.  An important component of integrity is admitting one’s mistakes.  In this instance, Marvin does himself and UAB a service by telling the chair about the error in giving Jan his BlazerID and password, so that the issue related to the fraudulent activities can be addressed directly and with full information.  The sooner these circumstances come to light, the better for all those involved.  By telling his chair about the mistake now, Marvin will provide opportunity to gather information, records, or other evidence needed to review the case and may prevent Jan from committing other acts of non-compliance.