This policy will provide for a way for the UO Community to classify data according to its level of sensitivity. The associated procedures detail how classified data should be protected.
All University of Oregon data users
Enacted as a permanent policy by President Schill on 04/25/2016.
Extended by President Michael Schill on December 15, 2015.
Enacted as an emergency policy by Dr. Scott Coltrane, Interim President on June 25, 2015.
This policy supersedes Fiscal Policy Manual 56.350.200-230 and UO Policy 10.00.01.
The purpose of this policy is to protect the information resources of the University from unauthorized access or damage. The requirement to safeguard information resources must be balanced with the need to support the pursuit of legitimate academic objectives. The value of data as an institutional resource increases through its widespread and appropriate use; its value diminishes through misuse, misinterpretation, or unnecessary restrictions to its access.
Classification of Data
All University data is classified into levels of sensitivity to provide a basis for understanding and managing University data. Accurate classification provides the basis to apply an appropriate level of security to University data. These classifications of data take into account the legal protections (by statute or regulation), contractual agreements, ethical considerations, or strategic or proprietary worth. Data can also be classified as a result of the application of “prudent stewardship,” where the best reason to protect the data is to reduce the possibility of harm to individuals or to the institution.
The classification level assigned to data will guide Data Trustees, Data Stewards, Data Custodians, business and technical project teams, and any others who may obtain or store data, in the security protections and access authorization mechanisms appropriate for that data. Such categorization encourages the discussion and subsequent full understanding of the nature of the data being displayed or manipulated. Data is classified as one of the following:
- Public (low level of sensitivity)
Public data is not considered confidential. Examples of Public data include published directory information and academic course descriptions. The integrity of Public data must be protected, and the appropriate Data Trustee or Steward must authorize replication of the data. Even when data is considered Public, it cannot be released (copied or replicated) without appropriate approvals.
- Internal (moderate level of sensitivity)
Access to “Internal” data must be requested from, and authorized by, the Data Trustee or Steward who is responsible for the data. Data may be accessed by persons as part of their job responsibilities. The integrity of this data is of primary importance, and the confidentiality of this data must be protected. Examples of Internal data include purchasing data, financial transactions (that do not include sensitive data), and information covered by non-disclosure agreements.
- Sensitive (highest level of sensitivity)
Access to “Sensitive” data must be controlled from creation to destruction, and will be granted only to those persons affiliated with the University who require such access in order to perform their job, or to those individuals permitted by law. The confidentiality of data is of primary importance, although the integrity of the data must also be ensured. Access to sensitive data must be requested from, and authorized by, the Data Trustee or Steward who is responsible for the data. Sensitive data includes information protected by law or regulation.
In addition to the Sensitive classification, there are two subsections of Sensitive data.
- Regulated sensitive data includes data governed by state or federal law such as the Family Educational Rights and Privacy Act, Health Insurance Portability and Accountability Act, Gramm–Leach–Bliley Act, and the Oregon Consumer Identity Theft Protection Act. It also may be governed by other federal, state, or local laws, or contractual obligations.
- Unregulated sensitive data includes data that is not regulated by statute, but still considered sensitive due to proprietary, ethical, or privacy considerations. This generally includes all forms of research.
Data Associated with Selected Regulations
Health Insurance Portability and Accountability Act (HIPAA): Personal Health Data
Family Educational Rights and Privacy Act (FERPA): Student Data (Education Records)
Payment Card Industry Data Security Standard (PCI DSS): Credit Card Data
Gramm-Leach-Bliley Act (GLBA): Financial Data, Social Security Numbers
Oregon Consumer Identity Theft Protection Act (CITPA): Social Security number, Driver license number, state identification number, Passport number/U.S.-issued, identification number, Financial Data
Data Security Recommendations for the Classification Levels
The Chief Information Security Officer will create and maintain security procedures for the various types of data use by the University. These are the Minimum Security Procedure for Devices with Sensitive Information and Minimum Security Procedure for Devices with Public or Internal Information. In addition, a security guide is available for the handling of physical data. This is the Minimum Security Procedure for Handling Physical University Data. Finally, Information Services has developed an Employee Electronic Records Access Procedure.
Roles and Responsibilities
Chief Information Security Officer
The Chief Information Security Officer implements policies and procedures to comply with the various state and federal laws and regulations applicable to the University of Oregon.
The Data Trustee for all University data is the Provost or their designees who have planning, policy-level and management responsibility for data within their functional areas. Data Trustee responsibilities include:
- Assigning and overseeing Data Stewards
- Overseeing the establishment of data policies in their areas
- Determining statutory and regulatory requirements for data in their areas
- Promoting appropriate use and data quality
Data Stewards are University officials having direct operational-level responsibility for the management of one or more types of data. Data Stewards must be authorized by the appropriate Data Trustee and are generally associate deans, associate vice presidents, directors or managers. Data Steward responsibilities include:
- The application of this and related policies to the systems, data, and other information resources under their care or control
- Assigning data classification labels using the University's data classification methodology
- Identifying and implementing safeguards for Sensitive Data
- Communicating and providing education on the required minimum safeguards for protected data to authorized data users and data custodians
- Authorize access, both logical and physical, only to authorized personnel who have a business need to access specific data or other information assets
- Authorize remote access to information assets to only Authorized Personnel who have a business need to access specific data through a secured system approved by the Chief Information Security Officer of the University
In cases where multiple Data Stewards collect and maintain the same sensitive data elements, the Data Stewards must work together to implement a common set of safeguards.
Data Custodians are Information & Technology or computer system administrators responsible for the operation and management of systems and servers which collect, manage, and provide access to University data. Data Custodians must be authorized by the appropriate Data Stewards. Data Custodian responsibilities include:
- Maintaining physical and system security and safeguards appropriate to the classification level of the data in their custody
- Complying with applicable University computer security standards
- Managing Data Consumer access as authorized by appropriate Data Stewards
- Following data handling and protection policies and procedures established by Data Stewards and Information Security
Data Consumers are the individual University community members who have been granted access to University data in order to perform assigned duties or in fulfillment of assigned roles or functions at the University. This access is granted solely for the conduct of University business. Data Consumer responsibilities include:
- Following the policies and procedures established by the appropriate Data Stewards and Information Security;
- Complying with federal and state laws and regulations, and University policies associated with the University data used;
- Implementing safeguards prescribed by appropriate Data Stewards for Sensitive Data; and
- Reporting any unauthorized access or data misuse to Information Security as well as the appropriate Data Trustee, Steward, and Custodian, for remediation.
- Volume IV: Finance, Administration and Infrastructure
- Chapter 6: Information technology
For questions about this policy, please contact the Chief Information Security Officer at 541-346-9700 or firstname.lastname@example.org.