Guidelines for Storing Regulated Data at ODU
As an employee of ODU, you are responsible for all university data that is sent, stored or shared on all personal or university-owned devices that you use. Part of this responsibility includes choosing appropriate technology to manage and store the data, some of which may be confidential or restricted.
We have multiple options for data storage -- from University servers to cloud-based services -- but not all options are appropriate for all types of data. To help you choose the proper solutions for your university data, we've developed a matrix that outlines what can be stored where.
What is the Regulated Data Storage Matrix?
The Regulated Data Storage Matrix is a table that helps you choose appropriate technology tools for sending, storing and sharing institutional information. It covers the cloud-based and on-premises services that you are likely to use as part of your daily work at ODU.
Before choosing a tool for storing your sensitive data, check the matrix to see if the service is permitted for use with the type of data you have, and make sure that the data owner has approved the tool for use with that data. If you're not sure, ask your supervisor. The offices of data stewards can also help:
- Registrar (Student Data Owner): (757) 683-4425
- Human Resources (Employee Records Data)
- Finance (Payment Card Data): (757) 683-6274
- Financial Aid (GLBA or FISMA): (757) 683-3683
- CISO's Office (HIPAA, Personally Identifiable Information, or questions about Departmental Data Owners or Application Owners): (757) 683-5424
- Technology Solutions (Administrative System Owner): (757) 683-3209
Important notes for Matrix users:
- Information in the matrix applies to ODU enterprise versions of the services listed. This should not be confused with consumer versions of these services or with third-party applications associated with these services. Consumer versions place institutional information outside of the protected technical environment required by ODU's contracts with the vendors. Enterprise versions of cloud services are very similar to consumer versions in terms of features and capabilities. However, for enterprise versions, ODU:
  - Negotiates institution-wide terms and prices.
  - Vets the service with its legal, policy, supply management, audit, and security specialists.
  - Integrates the service into the ODU environment (so you can use your MIDAS ID and password to log in, for example).
- The Regulated Data Storage Matrix does not necessarily apply to data associated with faculty research. Research data that involves regulated data should have a Data Management Plan and should fulfill the security requirements of the granting agency as well as the policies and standards of ODU.
- The Regulated Data Storage Matrix only indicates whether appropriate technical safeguards and contractual protections are in place for storing or sharing regulated or confidential data using a particular technology. It does not by itself authorize a particular set of data for a service; that approval rests with the data owner.
Example: Google's G Suite and Microsoft Office 365 both include cloud storage services. ODU's contracts with these vendors require that if the company retains any ODU education records, such as a student class schedule or graded assignments, it must do so in a technical environment that protects against inadvertent disclosure, and that the company implement privacy practices that meet FERPA standards. The contracts also designate Google and Microsoft as representatives of the University in supporting the business need for the vendors to store FERPA-protected data. Because the vendors are obligated to provide this level of protection, it is possible from a strictly contractual perspective to store or share certain FERPA records within Google Drive or OneDrive.

This contractual provision is the minimum necessary requirement for permitted use of these services with FERPA data. Even though the matrix indicates that such use is possible, the data owner for FERPA-covered data (the University Registrar) has authority to establish which specific types of data may be stored or shared. FERPA data that is approved for storage in Google Drive or OneDrive may not be approved for storage on a local device, so take care not to download the document to the local device. Files that are opened in Google Drive or OneDrive should be saved to the cloud and not to a local folder. See ODU Policy 3504 Data Administration Policy.
Why must we limit what can be stored where?
Our institutional information is protected under federal laws (covering education, financial and health care records), as well as state data breach notification and privacy laws and contractual provisions in government research grants. These laws and provisions impose legal and technical restrictions on the appropriate use of institutional information, and the university must comply with them.
As a matter of university policy (ODU Policy 3504 Data Administration Policy, ITS Standard 01.2.0 IT Security Roles and Responsibilities), data users should follow data management guidelines set by the University and the Data Owner.
Not every IT service offered at ODU is approved for every type of institutional information. University Counsel, the Procurement Office and the Chief Information Security Officer work together to obtain proper agreements and technical safeguards for ODU's IT systems so that appropriate technology can be used for the proper conduct of University business.