The University Policy Manual

Data Classification

The University of North Carolina at Greensboro

  • (Approved by the Chancellor, July 19, 2004)
  • (Approved by the Chancellor, May 15, 2010)
  • (Approved by the Chancellor, July 16, 2012)

Purpose

UNCG administrative data are an asset owned by the University of North Carolina at Greensboro (hereinafter "University") and must be protected accordingly. A data policy is necessary to provide a framework for securing data from risks including, but not limited to, unauthorized destruction, modification, disclosure, access, use, and removal. This policy outlines measures and responsibilities required for securing data resources. It shall be carried out in conformity with state and federal law.

This policy serves as a foundation for the University's information security policies, and is consistent with the University's data management and records management standards. The University recognizes that the value of its data resources lies in their appropriate and widespread use. It is not the purpose of this policy to create unnecessary restrictions to data access or use for those individuals who use the data in support of University business or academic pursuits.

Scope

This policy applies to all University administrative data and to all user-developed data sets and systems that may access these data, regardless of the environment where the data reside (including cloud systems, servers, personal computers, mobile devices, etc.). The policy applies regardless of the media on which data reside (including electronic, microfiche, printouts, CD, etc.) or the form they may take (text, graphics, video, voice, etc.).

Policy

Data must be maintained in a secure, accurate, and reliable manner and be readily available for authorized use. Data security measures will be implemented commensurate with data sensitivity and risk.

  1. To implement security at the appropriate level, establish guidelines for legal/regulatory compliance, and reduce or eliminate conflicting standards and controls over data, data will be classified into one of the following categories:
    1. Restricted - data whose disclosure to unauthorized persons would be a violation of federal or state laws or University contracts.
    2. Public - data to which the general public may be granted access in accordance with the North Carolina Public Records Act.
    Data in both categories will require varying security measures appropriate to the degree to which the loss or corruption of the data would impair the business or research functions of the University, result in financial loss, or violate law, policy or University contracts.
  2. Security measures for data are set by the data custodian, working in cooperation with the data stewards, as defined below.

    The following roles and responsibilities are established for carrying out data policy:
    1. Data Trustee: Data trustees are senior University officials (or their designees) who have planning and policy-level responsibility for data within their functional areas and management responsibilities for defined segments of institutional data. Responsibilities include assigning data stewards, participating in establishing policies, and promoting data resource management for the good of the entire University.
    2. Data Steward: Data stewards are University officials having direct operational-level responsibility for information management - usually department directors. Data stewards are responsible for data access and policy implementation issues.
    3. Data Custodian: Information Technology Services (ITS) is the data custodian. The custodian is responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by data trustees or their designees (usually the data stewards), and implementing and administering controls over the information.
    4. Data User: Data users are individuals who need and use University data as part of their assigned duties or in fulfillment of assigned roles or functions within the University community. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of those data.
    Clarification and communication of roles in data classification are responsibilities of the Data Management group in the ITS Division.

Data Security Measures

Measures implemented for data security will be dictated by the data-classification level. Measures will include an appropriate combination of the following:

  1. Encryption requirements
  2. Data protection and access control
  3. Documented backup and recovery procedures
  4. Change control and process review
  5. Data-retention requirements
  6. Data disposal
  7. Audit controls
  8. Storage locations
  9. User awareness

Enforcement

ITS, in cooperation with other University authorities and administrators, will enforce this Policy, and establish standards, procedures, and protocols in support of the policy.

Any violation of this policy by a University student is subject to the Student Code of Conduct in the student handbook. For employees, any violation of this policy is "misconduct" under EPA policies (faculty and EPA non-faculty) and "unacceptable personal conduct" under SPA policies, including any appeal rights stated therein. Violations of law may also be referred for criminal or civil prosecution. Additionally, violations of this policy may result in termination or suspension of access, in whole or in part, to University information systems at the discretion of ITS where such action is reasonable to protect the University or the University information infrastructure.

Review

The Chancellor has approved the Data Classification Policy. ITS will review the policy periodically.

Contact

Comments or questions? Email the Policy Administrator.