Data Governance & Classification Policy
Purpose
The purpose of this policy is to identify the different types of data and to establish a framework for classifying institutional data based on its level of sensitivity, value,and criticality to the University.
Data Governance
Data governance focuses on improving data quality, protecting access to data, establishing business definitions, maintaining metadata, and documenting data policies. The University's institutional information is a valuable asset and must be maintained and protected as such. It is vital to have accurate, trusted data in order to make sound decisions at all levels of an organization. Data governance helps to provide data transparency and results in confidence among College faculty, staff, and management to trust and rely on data for information and decision support.
Governing Institutional Data
The following principles are set forth as minimum standards to govern the appropriate use and management of institutional data:
- Institutional data is the property of Monroe University and shall be managed as a key asset.
- Unnecessary duplication of institutional data is discouraged.
- Institutional data shall be protected.
- Institutional data shall be accessible according to defined needs and roles.
- Institutional representatives will be held accountable to their roles and responsibilities.
- Necessary maintenance of institutional data shall be defined.
- Resolution of issues related to institutional data shall follow consistent processes.
- Data stewards are responsible for the subset of data in their charge.
Roles Required to Govern Data
No one person, department, school, or group "owns" data, even though specific units bear some responsibility for certain data. Several roles and responsibilities govern the management of, access to, and accountability for institutional data.
- Technology committee: This committee is comprised of a cross-section of College personnel responsible for functional areas, or major datasets, co-chaired by the Chief Financial Officer and Chief Information Officer. While the scope of the committee encompasses all technology components of the University, overall data governance falls under its charter.
- Data stewards: Data stewards are College business officials (excluding the IT department) who have direct operational-level responsibility for the management of one or more types of institutional data and have the authority to make decisions.
- Data trustees: Data trustees are defined as institutional officers (e.g., vice presidents and deans) who have authority over policies and procedures regarding business definitions of data and the access and usage of that data within their delegations of authority. Each data trustee appoints data stewards for specific subject area domains.
- Data custodians: Data custodians are system administrators responsible for the operation and management of systems and servers that collect, manage, and provide access to institutional data.
- Data users: Data users are departments or individual College members who have been granted access to institutional data in order to perform assigned duties or in fulfillment of assigned roles or functions within the University. This access is granted solely for the conduct of College business.
Supporting policies related to Data Governance and the roles outlined above include Data Classification Policy and Data Classification Guidelines.
Data Classification
Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the University should that data be disclosed, altered, or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of three sensitivity levels, or classifications:
Restricted Data
Data should be classified as Restricted when the unauthorized disclosure, alteration, or destruction of that data could cause a significant level of risk to the University or its affiliates. The highest level of security controls should be applied to Restricted data. Restricted data is any data that contains personally identifiable information (PII) concerning any individual, as well as any data that contains PII that is regulated by local, state, or Federal privacy regulations. These regulations may include, but are not limited to:
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standards (PCI DSS).
Private Data
Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the University or its affiliates. By default, all Institutional Data that is not explicitly classified as Restricted or Public data should be treated as Private data. A reasonable level of security controls should be applied to Private data. Examples of some of the type of data included are budgets, contract negotiations, and compensation.
Public Data
Data should be classified as Public when the unauthorized disclosure, alteration, or destruction of that data would results in little or no risk to the University and its affiliates. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data. Examples of Public data include press releases, course information, and any other data Monroe University makes available to the general public.
Default classification of data
Any data that contains PII concerning any individual or that is covered by local, state, or Federal regulations is classified as Restricted data by default. All other data is classified as Private data by default.
Privacy Regulations Referenced
FERPA
FERPA is a Federal law that protects the privacy of student education records. This law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA provides students with the right to inspect and review certain education records maintained by the school and to request corrections if the records are inaccurate or misleading. It requires that schools obtain written permission before releasing information from a student’s education record. It also allows schools to publish certain “directory” information about students, unless the student has requested that the school not do so. The penalty for failing to comply with FERPA is loss of all federal funding, including grants and financial aid.
Additional information is available here.
GLBA
GLBA (the Gramm-Leach-Bliley Act) protects consumers’ personal financial information held by financial institutions. It requires that financial institutions provide customers with a privacy notice explaining what information is collected, how it is used, and how it is protected. The penalty for failing to comply with GLBA is a fine of up to $100,000 for the institution and of up to $10,000 for the officers and directors of the institution.
Additional information can be found here.
HIPAA
HIPAA protects the privacy of Protected Health Information (PHI). It establishes regulations for the use and disclosure of PHI, including a patient’s health status, provision of health care, medical records or payment history. Penalties for wrongfully disclosing PHI range from a $50,000 to a $250,000 fine and a one- to ten-year prison term, depending on the circumstances. These fines are for the individual, not the institution.
Additional information can be found here.
Payment Card Industry Data Security Standards (PCI DSS)
PCI DSS is an industry standard which protects credit card customer account data. The PCI DSS standard requires organizations that accept credit cards for payment to utilize a secure network and to adhere to specific procedures and standards to protect credit card data. Failing to comply with PCI DSS can result in significant fines. Credit card providers can fine merchants up to $500,000 per compromise if it is established that the merchant was not complaint at the time at which data was compromised. Merchants may also be banned from accepting certain types of credit cards.
Additional information is available here.