Data Classification and Governance (VII.B.6C)

Volume VII: Information Technology
Chapter B: Security
Responsible Executive: Vice Chancellor for Information Services
Responsible Office: Office of the Vice Chancellor for Information Services
Date Issued: March 1, 2010
Date Last Revised: November 18, 2011
Revised for Purdue University Calumet: January 9, 2012

TABLE OF CONTENTS

Statement of Policy
Reason for This Policy
Individuals and Entities Affected by This Policy
Who Should Know This Policy
Exclusions
Web Site Address for This Policy
Contacts
Definitions
Responsibilities
Procedures
Related Documents, Forms, and Tools
History and Updates
Appendices

STATEMENT OF POLICY

Identification and classification of university data are essential for ensuring that the appropriate degree of protection is applied to university data. All Purdue University Calumet data will be reviewed on a periodic basis and classified according to its use, sensitivity, and importance to the University and in compliance with federal and/or state laws.

REASON FOR THIS POLICY

Purdue University Calumet academic and administrative data are important university resources and assets. Data used by the University often contains detailed information about Purdue University Calumet, as well as personal information about Purdue University Calumet students, faculty, staff, and other third parties affiliated with the University. Protecting such information is driven by a variety of considerations including legal, academic, financial, and other business requirements. This policy provides a framework for the governance and classification of university data in order to ensure the privacy and security of that data.

INDIVIDUALS AND ENTITIES AFFECTED BY THIS POLICY

All units, students, faculty, and staff of Purdue University Calumet are governed by this policy.

WHO SHOULD KNOW THIS POLICY

President
Chancellors
Vice Presidents
Deans
Directors
Department Heads and Chairs
Principal Investigators
Faculty and Staff
Students
Non-employee (third-party) users of University data

EXCLUSIONS

There are no exclusions to this policy.

WEB SITE ADDRESS FOR THIS POLICY

http://webs.purduecal.edu/security/data-classification-and-governance-vii-b-6/

CONTACTS

Subject                                   Contact                          Telephone   E-mail/Web Address
Policy Clarification                      Office of Information Services               vcis@purduecal.edu
Questions Regarding Data Classification   Office of Information Services               vcis@purduecal.edu

DEFINITIONS

Data Custodian
Individuals who need and use university data on a daily basis as part of their assigned employment duties or functions.

Data Steward
An individual assigned by an Information Owner to facilitate the interpretation and implementation of data policies and guidelines.

Information Owner
The unit administrative head who is the final authority and decision maker with respect to data used in university business. Information Owners have decision-making authority over any data used by the unit administrative function, as well as any data, forms, files, information, and records, regardless of format.

Public
Information that may or must be open to the general public that has no existing local, national, or international legal restrictions on access.

Restricted
Information protected due to protective statutes, policies, or regulations. This level also represents information that isn’t by default protected by legal statute, but for which the Information Owner has exercised his or her right to restrict access.

Sensitive
Information protected due to proprietary, ethical, or privacy considerations. This classification applies even though there may not be a direct statutory, regulatory, or common-law basis for requiring this protection.

RESPONSIBILITIES

Information Owner
Interpret and implement access and availability issues and safeguard university data, or delegate this responsibility to a Data Steward.

Chief Information Officer (CIO)
Serve as Information Owner, or designate an Information Owner, for those enterprise-wide directories and applications that serve a multitude of university functions and do not have a cross-functional team that acts as the Information Owner. In these instances, the CIO or designee is also responsible for identifying, communicating with, and building consensus among all parties (directors, deans, department heads, etc.) whenever a decision regarding the data is needed.

Data Stewards
Facilitate the interpretation and implementation of data policies and guidelines to meet the needs of the University for the use of data.

Participate with Information Owners, business staff, IT data administration staff, application development teams, and knowledgeable departmental staff on projects creating, maintaining, and using university data.

Data Custodian
Be familiar with the university’s data governance and classification structure.

Comply with this policy and related standards, guidelines, and procedures issued by the University in support of this policy.

Non-Employee (Third-Party) Users of University Data
Be familiar with the university’s data governance and classification structure.

Comply with this policy and any additional stipulations outlined in written contracts with Purdue University.

PROCEDURES

Data Governance and Classification
The University’s data is organized by the area responsible for it. Every piece of data owned, used, or maintained by the University must have one or more Information Owner(s) identified in the event that questions concerning access and availability arise. Each Information Owner must designate a Data Steward for his or her administrative unit.

An Information Owner, in consultation with the relevant Data Steward, must classify the data and records used in his or her administrative unit into the following three risk categories: Public, Sensitive, or Restricted. Classification of university data is an ongoing process, and the definitions of university data, as well as the classification of specific data elements, must be evaluated annually.

Any data item or information that is not classified will be assumed to be of the Restricted classification until otherwise determined, unless the data is known to be addressed by applicable law or statute (e.g., certain records that might be considered publicly available under applicable Indiana law).

Data Handling
The designated Data Stewards, both individually and collectively, must implement and interpret data handling requirements and guidelines for the use of university data and will post such information online. Data Custodians must follow the data handling requirements and guidelines issued by the Data Stewards. Information Owners and their designees may also issue additional guidelines, procedures, or other requirements as necessary to appropriately handle data used in their specific administrative units.

Data Stewards are required to further consult with university-designated compliance officers for various laws, including, but not limited to, the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Indiana Access to Public Records Act, regarding appropriate use of data according to such laws.

Purdue University Calumet policy for dealing with the disclosure of university records in response to a request for access under Indiana’s Access to Public Records Act or in response to a third-party subpoena is addressed in policy VIII.A.3, “Disclosure of University Records in Connection with the ‘Access to Public Records’ Act and in Response to Third-Party Subpoenas.” Nothing in this policy should be construed to conflict with policy VIII.A.3.

Violations of this policy or any other university policy or regulation may result in disciplinary action or sanctions in accordance with university policy and procedures.

RELATED DOCUMENTS, FORMS, AND TOOLS

Data Classification and Handling Web site:
http://webs.purduecal.edu/security/data-classification-handling/

Listing of Data Stewards for University Departments:
For information on Data Stewards for University Departments at Purdue Calumet, please call the Office of Information Services.

Listing of Information Owners and Administrative Data Classification by Area:
For information on Information Owners and Administrative Data Classification by Area at Purdue Calumet, please contact the Office of Information Services.

Purdue University Calumet Data Classification and Handling Requirements:
http://webs.purduecal.edu/security/data-classification-handling/

Purdue System Policy on Disclosure of University Records in Connection with the “Access to Public Records” Act and in Response to Third-Party Subpoenas (VIII.A.3):
www.purdue.edu/policies/records/viiia3.html

HISTORY AND UPDATES

January 9, 2012: Policy changed for Purdue Calumet.

November 18, 2011: Policy number changed to VII.B.6 (formerly V.1.8).

March 1, 2010: This is the first policy to address this issue. The implementation of this policy allows for policy V.1.5, Proper Disposal of Electronic Media, Interim, to be rescinded and incorporated into IT procedural guidelines.

APPENDICES

There are no appendices to this policy.