The University Policy Manual


Data Classification

The University of North Carolina at Greensboro

  • (Approved by the Chancellor, July 19, 2004)
  • (Approved by the Chancellor, May 15, 2010)
  • (Approved by the Chancellor, July 16, 2012)
  • Approved by the Chancellor, July 21, 2014

Purpose

UNCG administrative data are an asset owned by the University of North Carolina at Greensboro (hereinafter "University") and must be protected accordingly. A data policy is necessary to provide a framework for securing data from risks including, but not limited to, unauthorized destruction, modification, disclosure, access, use, and removal. This policy outlines measures and responsibilities required for securing data resources. It shall be carried out in conformity with state and federal law.

This policy serves as a foundation for the University's information security policies, and is consistent with the University's data management and records management standards. The University recognizes that the value of its data resources lies in their appropriate and widespread use. It is not the purpose of this policy to create unnecessary restrictions to data access or use for those individuals who use the data in support of University business or academic pursuits.

Scope

This policy applies to all University data and to all user-developed data sets and systems that may access these data, regardless of the environment where the data reside (including cloud systems, servers, personal computers, mobile devices, etc.). The policy applies regardless of the media on which data reside (including electronic, microfiche, printouts, CD, etc.) or the form they may take (text, graphics, video, voice, etc.).

Policy

Data must be maintained in a secure, accurate, and reliable manner and be readily available for authorized use. Data security measures will be implemented commensurate with data sensitivity and risk.

  1. To implement security at the appropriate level, establish guidelines for legal/regulatory compliance, and reduce or eliminate conflicting standards and controls over data, data will be classified into one of the following categories and will be stored in means appropriate to that level of confidentiality:
    1. High Risk: Data with a known protection or disclosure standard whose release to an unauthorized person would be a violation of Federal or State laws, and would potentially result in criminal penalties. Some examples include SSN data, data covered by the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA), the North Carolina Identity Theft Protection Act, and data covered by Payment Card Industry (PCI) compliance requirements.
      1. The storage security level for these data would be what Information Technology Services (ITS) calls "3-lock storage".
    2. Moderate Risk: Data not covered by one of the known protection or disclosure standards listed in section I.A above whose loss, corruption, or unauthorized disclosure would constitute a violation of Federal or State laws, and would potentially result in civil penalties. Some examples include certain types of grant-funded research data, data deemed confidential in contract agreements, Family Educational Rights and Privacy Act (FERPA) data, and Banner Internet Native Banner data (excluding SSN and other data as designated in I.A above).
      1. The storage security level for these data would be what Information Technology Services (ITS) calls "2-lock storage".
    3. Low Risk: Data not designed for public dissemination, but not falling in the "High Risk" or "Moderate Risk" categories.
      1. The storage security level for these data would be what Information Technology Services (ITS) calls "1-lock storage".
    4. Minimal Risk: Data designed for public dissemination.
      1. The storage security level for these data would be what Information Technology Services (ITS) calls "1-lock storage".
      Data classified as Low Risk and Minimal Risk (and in some circumstances, Moderate Risk) are subject to disclosure in accordance with NC General Statute 132 (Public Records Act). Requests for release of any of these data must be made and approved in accordance with the University's Public Records Policy.
    Data in both categories will require varying security measures appropriate to the degree to which the loss or corruption of the data would impair the business or research functions of the University, result in financial loss, or violate law, policy or University contracts.
  2. Security measures for data are set by the data custodian, working in cooperation with the data stewards, as defined below.

    The following roles and responsibilities are established for carrying out data policy:
    1. Data Trustee: Data trustees are senior University officials (or their designees) who have planning and policy-level responsibility for data within their functional areas and management responsibilities for defined segments of institutional data. Responsibilities include assigning data stewards, participating in establishing policies, and promoting data resource management for the good of the entire University.
    2. Data Steward: Data stewards are University officials having direct operational-level responsibility for information management, usually department directors. Data stewards are responsible for data access and policy implementation issues.
    3. Data Custodian: Information Technology Services (ITS) is the data custodian. The custodian is responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by data trustees or their designees (usually the data stewards), and implementing and administering controls over the information.
    4. Data User: Data users are individuals who need and use University data as part of their assigned duties or in fulfillment of assigned roles or functions within the University community. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of those data.
    Clarification and communication of roles in data classification are responsibilities of the Data Management group in the ITS Division.

Data Security Measures

Measures implemented for data security will be dictated by the data-classification level. Measures will include an appropriate combination of the following:

  1. Encryption requirements
  2. Data protection and access control
  3. Documented backup and recovery procedures
  4. Change control and process review
  5. Data-retention requirements
  6. Data disposal
  7. Audit controls
  8. Storage locations
  9. User awareness

Enforcement

ITS, in cooperation with other University authorities and administrators, will enforce this Policy, and establish standards, procedures, and protocols in support of the policy.

Any violation of this policy by a University student is subject to the Student Code of Conduct in the student handbook. For employees, any violation of this policy is "misconduct" under EPA policies (faculty and EPA non-faculty) and "unacceptable personal conduct" under SPA policies, including any appeal rights stated therein. Violations of law may also be referred for criminal or civil prosecution. Additionally, violations of this policy may result in termination or suspension of access, in whole or in part, to University information systems at the discretion of ITS where such action is reasonable to protect the University or the University information infrastructure.

Review

The Chancellor has approved the Data Classification Policy. ITS will review the policy periodically.

Contact

Comments or questions? Email the Policy Administrator.