The University of North Carolina at Greensboro (hereinafter “University” or “UNCG”) is strongly committed to maintaining the security and privacy of confidential information and other data it collects or stores. This confidential information and other data must be protected accordingly. The purpose of this policy is to outline the responsibilities required for securing data resources and provide a framework for securing data from risks including, but not limited to, unauthorized destruction, modification, disclosure, access, use, and removal.
This policy serves as a foundation for the University’s information security policies, and is consistent with the University’s data management and records management standards. The University recognizes that the value of its data resources lies in their appropriate and widespread use. It is not the purpose of this policy to create unnecessary restrictions to data access or use for those individuals who use the data in support of University business or academic pursuits.
This policy applies to all data sets and systems that may access or integrate University data, regardless of the environment where the data resides (including cloud systems, servers, personal computers, mobile devices, etc.). This policy also applies regardless of the media on which data resides (electronic, microfiche, printouts, CD, etc.) or the form it may take (text, graphics, video, voice, etc.), and does not supplant federal and state laws and regulations, legal requirements, or contractual obligations for protecting data. This policy applies to all users who store, use, share, archive, or display University data.
3.Definitions and Roles & Responsibilities
3.1.1Confidential Personal Information:
Confidential Personal Information refers to information, in any form, that could reasonably be used to identify, contact, or locate an individual governed, regulated, or protected by one or more information privacy and security laws.
Data Classification organizes data into four categories (see below, 4.1 Data Classification Levels) for ease of retrieval, sorting and storing for future use, with the primary purpose of helping the University determine risk tolerance across all its data assets.
Data Sponsor the University official who provides executive-level support of UNCG data governance activities.
Data Steward is a University official with direct operational-level responsibility for information management.
3.1.5Information Privacy and Security Laws:
Information Privacy and Security Laws: federal and state laws that classify data and/or establish specific requirements regarding security. Examples include, but are not limited to, the Family Educational Rights and Privacy Act (FERPA), the Health Information Portability and Accountability Act of 1996 (HIPAA), and the North Carolina Identity Theft Protection Act (NC IDTPA).
3.1.6Institutional or University Data:
Institutional or University Data refers to data elements that are relevant to the operations, plans, or management of a UNCG academic, financial, or administrative unit, or used in reporting, decision-making, business, or administrative processes. This includes data that falls under information privacy and security laws or regulations (ex. FERPA, HIPAA, etc.) and may be created at the University or imported through various processes into University data systems.
Research Data is defined as recorded, tangible, or intangible research information, regardless of form or the media on which it is recorded, that are created or collected in the process of performing research, whether supported in whole or in part by University resources or by external funders.
Unauthorized Access refers to an individual gaining logical or physical access without permission to a network, system, application, data, or other resource.
3.2Roles & Responsibilities
3.2.1Chairs, Directors/Deans, and Administrators:
Chairs, Directors/Deans, and Administrators are accountable for the security of stored, collected, transmitted, or displayed University data within their departments.
3.2.2Chief Information Officer:
Chief Information Officer has the overall responsibility for the Information Technology Services division of ITS, which ensures compliance with University policies, procedures, and guidelines established to maintain the privacy and security of confidential information collected or stored by the University.
3.2.3Chief Information Security Officer:
Chief Information Security Officer has the overall responsibility to evaluate the management, storage, transmission, and/or collection of information collected or stored by the University.
Data Trustee is a senior University official (or their designee) who has planning and policy-level responsibilities for data within their functional areas and management responsibilities for defined segments of University data.
Data Users are individuals who need and use University data as part of their assigned duties or in fulfillment of assigned roles or functions within the University community, including but not limited to, those working on sponsored research.
3.2.6Faculty, Staff, Students, Affiliates:
Faculty, Staff, Students, Affiliates assigned a user account with access to information stored, collected, transmitted, or displayed by the University must comply with this policy in its entirety along with published data storage and handling standards and any other guidance that is applicable to the data with which they are working.
Governance Custodians are responsible for the execution and enforcement of policies and processes over the definition, production, and usage of University data. Exercising authority and control, Governance Custodians are responsible for data quality and metadata management.
3.2.8Technology Custodians or Data Technology Custodians (DTC):
Technology Custodians or Data Technology Custodians (DTC) provide a secure infrastructure in support of University data including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users with approvals as required by the Data Trustees (or their designees), and implementing and administering controls over the information. Technology Custodians may include approved delegates, such as a vendor or consultant, who may handle University data.
The University will use data classification to develop other policies and guidelines and for risk-based protection of information and systems. Data classifications are based upon the expected risk of harm to individuals and the University if the data were to be subject to unauthorized destruction, modification, disclosure, access, use, and/or removal.
4.1Data Classification Levels
To implement security at the proper level, establish guidelines for legal/regulatory compliance, and reduce or eliminate conflicting standards and controls over data, data will be classified into one of the four levels described below and must be stored, collected, transmitted, or displayed in means appropriate to that level of classification.
4.1.1Level 4 – Restricted (Red)
This data classification is for data that is high risk because it is sensitive data that is highly confidential in nature. The loss of the data’s confidentiality, integrity, or availability will cause exceptionally grave damage to UNCG’s mission, safety, finances, or reputation. Privacy and security for this data classification are typically required by law or contract. Access to this type of data shall require authorization and legitimate need-to-know by University employees.
Examples include but are not limited to: Protected Health Information (PHI), Personally Identifiable Information (PII), Social Security Numbers, Payment Card Industry Data Security Standard (PCI DSS), Gramm-Leach-Bliley Act (GLBA) data, Controlled Unclassified Information (CUI), Federal Information Security Management Act (FISMA) regulated data, , and information protected by non-disclosure agreements. For additional information, see Data Classification Reference Chart.
4.1.2Level 3 – Confidential /Sensitive (Orange)
This data classification is for data that is moderate risk because it should be kept confidential. The loss of the data’s confidentiality, integrity, or availability can cause harm to UNCG’s mission, safety, finances, or reputation. Privacy and security for this data classification may be required by law or contract. Access to this type of data shall require authorization from appropriate leadership and legitimate need-to-know by University employees.
Examples include but are not limited to: Family Educational Rights and Privacy Act (FERPA), proprietary business plans, patent pending information, personnel records, login credentials, non-public contracts, and intellectual property. For additional information, see Data Classification Reference Chart.
4.1.3Level 2 – Internal Use (Yellow)
This data classification is for data that is low risk and includes information that is not openly shared with the public but is not specifically required to be protected by statute or regulation. The loss of the data’s confidentiality, integrity, or availability will not directly cause financial loss or any legal, contractual, or regulatory violations, but might otherwise cause unintended/unnecessary/unfavorable impact to the university, individuals, or affiliates.
Note: While some forms of internal data can be made available to the public, this data classification is not freely disseminated without appropriate authorization from respective management and senior leadership.
Examples include but are not limited to: budgetary plans, salary information, personal cell phone numbers, departmental policies and procedures, internal memos, unpublished research, routine business records and email. For additional information, see Data Classification Reference Chart.
4.1.4Level 1 – Public Use (Green)
This data classification is for data that is minimal risk. The loss of the data’s confidentiality, integrity or availability will not cause harm to UNCG’s mission, safety, finances, or reputation, and the University has chosen or is required to disclose it to the public.
Examples include but are not limited to: public phone directory, course catalogs, public research findings, enrollment figures, public websites, general benefits data, press releases, and newsletters. For additional information, see Data Classification Reference Chart.
4.2Classifying Research Data
The classification of research data depends on several factors such as type of data, and/or contractual elements and thus may fall into any of the classifications defined herein. Likewise, time of release and collaboration affect the classification of research data. As such, certain unpublished research data may be classified as Level 3 – Confidential/Sensitive (Orange) until such time as the research is published. Additionally, federal laws, rules, and regulations (including but not limited to FISMA, HIPAA, FERPA, and Export Controls), sponsor requirements, and University policies and guidelines will necessitate a certain classification.
In accordance with sponsor, federal and state classification requirements, and in collaboration with the Data Steward, it is incumbent upon researchers to know the classification of their data and the circumstances governing it, and to classify it accordingly. Once classified, the researcher will need to maintain the data using the appropriate UNCG data storage location with the appropriate access and security controls aligning to the Data Classification Reference Chart.
4.3Data Security Measures
Measures implemented for data security will be dictated by the data-classification level. Measures will include an appropriate combination of the following:
- Encryption requirements
- Data protection and access control
- Documented backup and recovery procedures
- Change control and process review
- Data-retention requirements
- Data disposal
- Audit controls
- Storage locations
- User awareness
Security measures for data are set by the Technology Custodian, working in cooperation with the Data Stewards. Further detail of roles and responsibilities for carrying out data policy are provided in the UNCG Data Governance Structure Policy.
The Vice Chancellor of Information Technology Services and Chief Information Officer (CIO), or assigned delegate, has the sole authority to make exceptions, in writing, to this policy.
5.Compliance and Enforcement
Any violation of this policy by a University student is subject to the Student Code of Conduct in the Student Policy Handbook. For employees, violation of this policy will be subject to consideration as “misconduct” under EHRA policies (faculty and EHRA non-faculty) or “unacceptable personal conduct” under SHRA policies, including any appeal rights stated therein.
If violation of this policy also results in a violation of law, the violation may also be referred for criminal or civil prosecution.
Violations of this policy may result in termination or suspension of access, in whole or in part, to University information systems at the discretion of ITS where such action is reasonable to protect the University or the University information infrastructure.
- Portions of this document were informed by the language found in multiple regulations, including the ISO/IEC 27002:2022 Standard, and FIPS Publication 199.
The Chancellor is responsible for approval of this policy.
6.4Contacts for Additional Information and Reporting
Responsible Executive: Vice Chancellor for Information Technology Services and Chief Information Officer (CIO)
Responsible Administrator: Chief Information Security Officer (CISO)