Title: Data Classification
Author: University Information Technology Services
Effective Date: 01/31/2005
Applies To: Employees
Last Reviewed Date: 05/21/2009
Description: Data Classification
For More Information Contact: Director of IT Security, Policy and Quality Assurance
Contact Telephone Number: 860-486-4357

 

Data Classification Policy

 

Background and Reasons for the Policy: The University of Connecticut views University Data, in all its forms and throughout its life cycle, as an asset of the University.  There is a wide assortment of University Data ranging from materials that are available to the entire University community and beyond, to materials which if exposed to any security risk or improperly disclosed would violate Federal or State laws such as the:

  • Family Rights to Privacy Act (FERPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Electronic Communications Privacy Act (ECPA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Children's Online Privacy Protection Act (COPPA)
  • Freedom of Information Act (FOIA)
  • Connecticut Personal Data Act

 

Therefore, it is important to develop a classification system to ensure that all University Data is handled appropriately.

 

Purpose of Policy: The purpose of this policy is to establish a University-wide approach for the consistent handling and control of all University Data with respect to security, access and confidentiality.

 

Expected Institutional Outcome: It is expected that this policy will improve the ability of the University community to properly manage, protect and share University Data in accordance with Federal and State laws and regulations, and other University policy requirements.

 

Definitions:

University Data: Items of information that are collected, maintained, and utilized by the University for the purpose of carrying out institutional business subject to or limited by any overriding contractual or statutory regulations. University Data may be stored either electronically or on paper and may be of many forms (including but not limited to: text, graphics, images, sound, or video). Research data, scholarly work of faculty or students, and intellectual property that do not contain personally identifiable information or other data protected by law or University policy are not covered by this policy.

 

Data Steward: The entity/entities or office/offices that are delegated by the President and/or his designee(s) with the policy-level responsibility for establishing definitions of the data assigned to him/her (i.e. defined portions of University Data) and developing general procedures and guidelines for the management, security and access to those data sets, as appropriate.

 

System of Record: The information storage system (electronic or otherwise) that is considered the definitive and authoritative information source for a given data element or piece of information. It is the system that is auditable and which conforms to internally and/or externally mandated regulations and standards.

 

Shadow System: Any non-System of Record information storage system that exists in one part of the organization, and, at least in part, duplicates data and/or functionality that already exists in another part of the organization.

 

Recognized Data Collection Point: An operational information storage system that captures information and which interfaces directly (either in real-time or through a batch process) with a system of record. Recognized data collection points must have the approval of the appropriate Data Steward.

 

Applicability of Policy: This policy applies to all University Data regardless of its medium and/or form.

 

Policy Statement: All University Data will be classified according to one of the following classification levels:

  • Registered Confidential: Information which, if exposed to any security risk or otherwise disclosed, would violate Federal or State law or University contract or policy.
  • Confidential: Information that is not to be disclosed externally except where required by law. Internal access is restricted to a limited group of authorized individuals on a 'need to know' basis.
  • For Internal Use: Information that is intended to be generally releasable within the University but not publicly published. Such information may be shared externally if there is a legitimate business need to know.
  • Public/Unclassified: Information that is authorized for release to the public domain in an easily accessible manner (e.g. brochures, news releases, fact sheets, marketing materials, etc.)

All University Data must be consistently protected throughout its life cycle (from its creation to its destruction) in a manner commensurate with its sensitivity and/or criticality regardless of where it resides, what form it takes, what technology is used to handle it, or what purpose(s) it serves.

 

Responsibilities:

As defined by the Policy on Roles and Responsibilities with Respect to University Data, each Data Steward will be responsible for classifying all University Data (and any other applicable information) assigned to him/her using one of the classifications noted above. University Data not otherwise specified will be considered to be For Internal Use data.

 

The classification level applied to specific information will be based on statutory requirements, University policies, the sensitivity of the data, its criticality to the University and its use.

 

Aggregates of data shall be classified according to the most secure classification level of any individual component.

 

The Data Stewards (both individually and collectively) will determine the appropriate protective measures required for each classification level.

 

Extracts of data, data within a recognized data collection point, data feeds and data within Shadow Systems shall have the same classification level and utilize the same protective measures as the same data in the System of Record.

 

Computer systems used to support data will be required to adhere to the specific protective measures for the classification level.

 

Enforcement and Review:

The President, and/or his designee(s), has overall responsibility for implementation and enforcement of this policy.

Review of this policy by the President and/or his designee(s) will occur on a bi-annual basis.

All University Data (and any other applicable information) will be reviewed on a periodic basis and classified according to its use, sensitivity and importance to the University and in compliance with Federal and/or State laws.

 

Any individual who suspects a violation of this policy may report it to the Compliance Office in the Office of Audit, Compliance and Ethics at (860) 486-4526, or anonymously through the Reportline (https://www.compliance-helpline.com/uconncares.jsp).

Violations of this policy may result in appropriate disciplinary measures in accordance with University Laws and Bylaws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Conduct Code.

 

 

Last updated: August 2008

