Policy Type: Administrative
Effective Date: May 2021
Last Revised: August 2022
Review Date: August 2022
Owner: Chief Information Security Officer
Contact Name: Blake Penn
Contact Title: Chief Information Security Officer
Contact Email
Reason for Policy
This Data Categorization Policy provides guidance for the organization of University data. Organizing University data into sensitivity categories allows the University to better protect the confidentiality, integrity, availability, and privacy of University data. These guidelines are also critical in ensuring compliance with data privacy and security laws and regulations including, but not limited to, the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, the Family Educational Rights & Privacy Act (FERPA), the European Union's General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), the FTC's Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Policy Statement
University data should be organized into the categories defined in this section.
- Public: This information is targeted for general public use. Examples may include internet website content and press releases. This could include directory information.
- Protected: Information not generally available to parties outside the University community. This information is considered private and should be protected in accordance with the current University Data Protection Guidelines (currently under development), which are based on the principle of least privilege. Examples may include data that, if compromised, could lead to financial fraud and/or violate laws and regulations.
- Regulated: In addition to organizing data into the public or protected categories, the laws and regulations that apply to specific data should be identified and documented. Such regulated data should be protected in accordance with the rules and safeguards specified in those laws and regulations, in addition to the appropriate University guidelines.
Scope
This policy applies to all University data regardless of where the data exists and whether the data exists on University resources or not.
Guidance
As members of the University community, we often manage University data in the course of our job duties. Because of this, we often serve as data custodians of this data.
University data can be categorized as either public or private. Public data is data that does not require specific protection and is intended for general public use, such as data published on public web sites, paper handouts, or bulletin board announcements. Private data is all data that is not intended for public consumption and is reserved for the internal business purposes of the University, including, but not limited to, administration, instruction, and research. Private data should be protected in accordance with the University Data Protection Standards.
A key responsibility of data custodians is to protect the data under their custodianship (see related documents). To do this properly, data custodians need to understand the types of data under their custodianship and categorize that data into the proper categories so that it can be managed and protected in accordance with its importance and sensitivity.
In addition to being public or private, some University data is subject to data protection regulations that protect the security and/or privacy of that data. Data custodians should understand which regulations apply to the data under their custodianship and ensure that the protections specified in those regulations are met.
Related Documents
University Data Protection Standards