Old Dominion University
Information Technology Standard
02.3.0 Data Administration & Classification Standard
|Date of Current Revision or Creation:||November 1, 2021|
The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.
The purpose of this standard is to define the data administration and classification responsibilities and requirements used by Old Dominion University.
Data Compliance Owners - University employees (typically at the level of Unit Leader) who oversee data management functions related to the capture, maintenance, and dissemination of data for a particular operational area. They are responsible for decisions about the usage of institutional data under their purview. Data compliance owners understand the compliance requirements for their data, designate the compliance level of their data, and approve access to their data. University Data Compliance Owners oversee compliance for data that is shared or leveraged across the University, such as HR, Finance, Financial Aid, and Student FERPA data. Departmental Data Compliance Owners oversee the data that is specific to the departmental application or system that is not overseen by one or more of the University Data Compliance Owners.
System Compliance Owners - Manager or departmental head responsible for operation and maintenance of a University IT system or overseeing hosted systems under their purview. System Compliance Owners are responsible for the overall compliance and security of their system.
Data Management Group (DMG) - The group is comprised of representatives of Data Compliance Owners and technical leads at the University who are responsible for the review and operational effectiveness of data management policies and procedures.
Data Management Executive Committee (DMEC) - A senior level team comprised of representatives from the executive level and the Data Trustee level which establishes overall policies for management and access to the institutional data of the University.
Data Trustee - Senior University officials (typically at the level of Associate or Assistant Vice President) who have planning and policy-level responsibilities for university data and who assign accountability for data management. Data Trustees typically report to Vice Presidents who have oversight authority for compliance within their reporting structure.
Data Users - Individuals and organizations that access institutional data and Information in order to perform their assigned duties or to fulfill their role in the University community.
Institutional Data - Recorded information that documents a university business-related transaction or activity by or with any appointed board member, officer, or employee of the University. Regardless of physical form, characteristic, or source, the recorded information is a university record if it is produced, collected, received, or retained in pursuance of law or in connection with the transaction of university business. The medium upon which such information is recorded has no bearing on the determination of whether the recording is a University record. University records include but are not limited to personnel records, student records, academic records, financial records, patient records, and administrative records. Record formats/media include but are not limited email, electronic databases, electronic files, paper, audio, video, and images.
Third Party Email System and Messaging Services - Any means or system for transmitting messages electronically (as between computers on a network) other than the University's official email or messaging systems.
Responsibility for Data Administration
All institutional data is owned by Old Dominion University. As such, all members of the University community have the obligation to appropriately secure and protect the asset in all formats and in all locations. Roles and responsibilities for protecting and classifying the institutional data asset are defined in supporting IT Standards.
Data Classification Levels
The data classification levels are defined as follows and are listed in order from the most sensitive to the least sensitive:
- Class 1 Restricted
- Data classified as Class 1 (Restricted) may be subject to disclosure laws and warrant careful management and protection to ensure its integrity, appropriate access, and availability. This information must be guarded from disclosure. Unauthorized exposure of this information could contribute to identity theft, financial fraud, and violate state and/or federal laws. Unauthorized disclosure of this data could adversely affect the University, or the interests of individuals and organizations associated with the University. Systems containing restricted data must be approved by the Information Security Officer. Restricted data includes Social Security Number (SSN), Drivers License number, Federal ID, Health Insurance, Medical Record Number, Payment Card Holder Data, and Medical Information (PHI), when combined with identifying information.
- Restricted data and systems should utilize measures such as encryption, two-factor authentication, or other added protections commensurate with the level of sensitivity and the compensating controls that are available.
- If a file which would otherwise be considered confidential contains any element of restricted data, the entire file is considered to be restricted information..
- Class 2 Confidential, Moderate Sensitivity
- Data classified as Class 2 (Confidential, moderately sensitive) includes data that is not explicitly defined as restricted data but that is regulated and requires access control and contract language for hosted solutions. This data is not intended to be made publicly available or shared without authorization. Class 2 data is distributed on a need-to-know basis between members of the University staff, IT systems, and specific third parties when authorized. Unauthorized exposure of this information could violate state and federal laws and/or can adversely affect the University as a whole or in part, or the interests of individuals associated with the University. Class 2 data may only be disclosed to a third party with the permission of the Data Compliance Owner.
- If a file which would otherwise be considered less sensitive but contains an element that are Confidential, Moderately Sensitive data, the entire file is considered to be Confidential, Moderately Sensitive information.
- Class 3 Confidential, Low Sensitivity
- Data classified as Class 3 (Confidential, Low Sensitivity) includes data that is not explicitly defined as Class 1 or Class 2 data but that is regulated while posing a lower risk to the individual and to the University, such as student email address. This data may require permission to share and contract language for hosted solutions. This data is not intended to be shared without authorization. Class 3 data is distributed on a need-to-know basis between members of the University staff, IT systems, and specific third parties when authorized. Unauthorized exposure of this information could violate state and federal laws and/or can adversely affect the University as a whole or in part, or the interests of individuals associated with the University. Class 3 data may only be disclosed to a third party with the permission of the Data Compliance Owner.
- If a file which would otherwise be considered less sensitive but contains an element that are Confidential, Low Sensitivity, then the entire file is considered to be low sensitivity confidential information.
- Class 4 Confidential, non-regulated
- Data classified as Class 4 (Confidential, non-regulated) includes data that is not explicitly defined as Class 1 through 3, and that is not regulated and poses a lower risk to the individual and to the University. This data may require permission to share and contract language for hosted solutions. This data is not intended to be shared without authorization. Class 4 data is distributed on a need-to-know basis between members of the University staff, IT systems, and specific third parties when authorized. Unauthorized exposure of this information could adversely affect the University as a whole or in part or the interests of individuals associated with the University. Class 4 data may only be disclosed to a third party with the permission of the Data Compliance Owner.
- If a file which would otherwise be considered Class 4 but contains an element that are Class 1 through 3, the entire file may be considered to be the classification of the most sensitive data.
- Class 5 Public
- Data classified as public includes all data that are published and broadly available, including student directory information as defined by the Student Records Policy. The types of data classified as public should be as broad as possible. Anyone may access public data. Care should be taken to use all University information appropriately and to respect all applicable laws. Information that is subject to copyright must only be distributed with the permission of the copyright holder.
Data Compliance Owners will establish standard rules, guidelines, and profiles for data access, and decide about individual requests to access data in compliance with local, state, and federal laws and regulations.
Access to University data should be based on the business needs of the organization and should enhance the ability of the University to achieve its mission. Employees should have access to the data needed to perform their responsibilities, without regard to arbitrary barriers. Where necessary, Data Compliance Owners may specify some data as restricted or confidential, regardless of how it is made available. This data may only be used by those whose positions requiring such access and for the purpose authorized. When data is designated as restricted or confidential, the Data Compliance Owner will cite the specific legal, regulatory, or other references and/or the descriptions of the users who are typically given access to the data and under what conditions the access is granted.
Access Approval and Appeal Process
Any Data User may request that a Data Compliance Owner review the restrictions placed on a data element or data view or review a decision to deny access to restricted or confidential data. If a request is denied or not addressed by a Data Compliance Owner, the requester may appeal the Data Compliance Owner's decision by forwarding the request to the Data Management Group (DMG). The DMG will review the request, receive input from the Data Compliance Owner and the requester, and will render a decision regarding the appeal.
When necessary, the Data Management Executive Committee (DMEC) will make the final determination on data restrictions and requested access rights to institutional data.
Data Classification, Transmittal and Storage
- Class 1 Restricted Data
Industry encryption is required when transmitting restricted data through a network. Sending email to or from a third-party email or messaging service is prohibited for transmitting restricted data, unless an encryption method and storage option are used that have been approved by the Information Security Officer. Restricted numbers may be masked by an approved masking technology instead of encryption. For storage, industry-standard encryption is required if data is not stored on secured servers in the University's administrative network. Third party processing or storage services are prohibited from receiving or storing restricted data unless approved by the Data Compliance Owner and Information Security Officer.
- Class 2 through 4 Confidential Data
Industry encryption is recommended when transmitting confidential data through a network. Internal email services may be used between authorized employees to conduct University business. Sending email to or from a third-party email or messaging service is discouraged for transmitting confidential data. For storage, industry-standard encryption is not required for storage. Third party processing or storage services are appropriate for receiving or storing confidential data with Data Compliance Owner approval.
- Class 5 Public Data
No encryption is required for public data. Care should still be taken to protect the integrity and availability of public information.
- Class 1 Restricted
Procedures, Guidelines & Other Related Information
Federal and State Law
University Policy 3504 - Data Administration and Classification Policy
University Policy 3505 - Security Policy
University Policy 3700 - Records Management
University Policy 5350 - Research and Scholarly Digital Data Management Policy
IT Standard 01.2.0 - IT Roles and Responsibilities
Date Responsible Party Action October 2008 CIO/ITAC Created October 2009 CIO/ITAC Reaffirmed October 2010 CIO/ITAC Reaffirmed October 2011 CIO/ITAC Reaffirmed October 2012
Reaffirmed December 2012
IT Policy Office
Minor rewording for clarity Organizational revision
June 2015 IT Policy Office Data administration requirements and responsibilities defined. Clarifying language on data classification levels and use; DMAG review August 2015 ITAC/CIO Revision affirmed July 2018 IT Policy Office Definitions and links checked November 2021 ITAC/CIO Revised Classifications to align with Shared Vendor Assessment Classes, revised definition of PII