Title: |
Data Classification Policy |
Policy Owner: |
Information Technology Services / Chief Information Security Officer |
Applies to: |
All students, faculty, staff, volunteers, and contractors |
Campus Applicability: |
All Campuses except UConn Health |
Effective Date: |
August 30, 2021 |
For More Information, Contact |
UConn Information Security Office |
Contact Information: |
techsupport@uconn.edu or security@uconn.edu |
Official Website: |
https://security.uconn.edu/ |
PURPOSE
This policy defines the classifications of institutional data (i.e., the categories of data that the University is responsible for safeguarding) and the associated measures that are necessary to safeguard each classification. Institutional data commonly exists in many forms, including electronic, magnetic, optical, and traditional paper documents. Common types of electronic data include email messages, spreadsheets, word processing documents, PDF reports, and university managed databases and file storage systems.
APPLIES TO
This policy applies to all University faculty, staff, students, student employees, volunteers, and contractors who have access to protected or confidential information. This policy covers data that is stored, accessed, or transmitted in all formats, including electronic, magnetic, optical, paper, or other non-digital formats.
DEFINITIONS
Cloud: Any environment not operated by UConn. This includes cloud-based services that provide basic infrastructure including operating system and storage or services that provide a full software stack for an intended purpose or platform offering multiple services.
Confidential Data: Institutional information protected by law, government regulations, statutes, industry regulations, contractual obligations, or specific university policies. Examples of confidential data may include Personally Identifiable Information (PII), Protected Health Information (PHI), Educational Records (FERPA), Credit Card Information (PCI-DSS). An extended list of Confidential Data can be found in Appendix A of this policy.
Protected Data: Institutional information that must be guarded due to proprietary, ethical, privacy, or business process considerations. By default, most administrative data will fall into this classification or if data is not confidential or public.
Public Data: Institutional information that may or must be freely available to the general public. Such information has no local, national, international, or contractual restrictions on access or usage.
POLICY STATEMENT
Through the normal course of business, many individuals at the University of Connecticut collect, maintain, transmit, and/or have access to personal information, financial data, and other information which is protected or confidential in nature. The protection of some types of data is governed by industry or governmental regulations. While other types of information may not be covered by specific legal requirements, it is in the University of Connecticut’s best interest to take steps to safeguard all university information reasonably and responsibly.
Except for those classes of data expressly protected by statute, contract, or industry regulation, the data classification examples presented in this policy are guidelines. Ultimate responsibility for the classification in the university environment is determined by the Data Steward, as defined in the University’s Data Roles and Responsibilities Policy, and the Office of General Counsel for any given set of data.
Data Protection
The University of Connecticut has established the following requirements and guidelines in order to protect each classification of data.
Public Data
While there are few restrictions on public data, such data should be properly secured to prevent unauthorized modification, unintended use, or inadvertent/improper distribution. It should be understood that any information that is widely disseminated within the university community is potentially available to the public at large.
The following guidelines are for information systems that are used to store and share the University’s public data.
- When practical, public data should only be shared via systems over which the University maintains full administrative control, which includes the ability to remove or modify the data in question.
- Information systems, such as web servers or cloud services that are used to share public data, must be properly secured to prevent the unauthorized modification of published public data.
- Interactive access to databases containing public data, such as online directories or library catalogs, should be properly secured using query rate limiting, CAPTCHA’s or similar technology to impede bulk downloads of entire collections.
Protected Data
Protected data requires additional levels of protection because its unauthorized disclosure, alteration, or destruction could cause damage to the University or its constituents.
In addition to the requirements outlined for public data, protected data must also meet these requirements:
- If stored in the cloud, stored only on cloud-based information systems managed or contracted by the University.
- Protected through the use of authenticated access in order to prevent loss, theft, or unauthorized access, disclosure or modification.
- Printed sensitive data including reports must be stored in a secure manner (file cabinet, closed office, or department where electronic/physical access control systems are in place) when not in use.
Confidential Data
Confidential data (see Appendix A) requires the highest level of protection due to the risk and magnitude of loss or harm that could result from disclosure, alteration, or destruction of the data. Certain types of information, such as health information, may have additional requirements for protection. Wherever possible, confidential information should remain in source systems and not propagated through saved files, spreadsheets, or other file formats. Whenever storage of confidential data is required outside the source system, it should be limited to the minimum amount, and for the minimum time, required to perform the business function, or as required by law and/or State of Connecticut Data Retention requirements.
In addition to the requirements for protected data, confidential data must be:
- Protected with strong passwords and should leverage Multi-Factor Authentication whenever such capabilities exist.
- Stored on devices that have appropriate protection, monitoring and encryption measures in order to protect against theft, unauthorized access and unauthorized disclosure.
- Transmitted using approved encryption methods.
- Accessed via approved remote access services such as VPN when accessed remotely.
- Stored on university-owned devices. Confidential data is not permitted to be stored on any personally owned devices including mobile phones, laptops, or home computers.
- Stored, if printed material, only in a locked drawer; a locked room; an area where access is controlled by a guard, cipher lock, and/or card reader; or an area that has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other individuals not on a need-to-know basis.
The University’s Confidential Data may not be accessed, transmitted, or stored using public computers or via email.
Encryption
To maintain its confidentiality, all data shall be encrypted while in transit across communication networks or when stored. Stored data may only be encrypted using current encryption methodologies. To ensure that data is available when needed, each department or user of encrypted University data will ensure that encryption keys are adequately protected and that procedures are in place to allow data to be recovered by another authorized University employee. In employing encryption as a privacy tool, users must be aware of, and are expected to comply with, Federal Export Control Regulations.
Service Providers
Departments shall take steps to ensure that third-party service providers understand the University’s Data Classification Policy and protection of the University’s Data. No user may give a third-party access to the University’s Protected or Confidential Data or to systems that store or process Protected or Confidential Data without permission from the Data Steward and a standard Confidentiality Agreement from University Procurement in place.
Disposal
Systems administrators will ensure that all data stored on electronic media is properly destroyed or wiped to current Department of Defense Data Wipe standards prior to the disposal or transfer of the equipment.
Confidential Data maintained in hard copy form will be properly disposed of when no longer required for business or legal purposes.
ENFORCEMENT
Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code.
Questions about this policy or suspected violations may be reported to any of the following:
Office of University Compliance – https://compliance.uconn.edu (860-486-2530)
Information Technology Services Tech Support – https://techsupport.uconn.edu (860-486-4357)
Information Security Office – https://security.uconn.edu
REFERENCES
Data Roles and Responsibilities, Policy On
POLICY HISTORY
Policy created: May 16, 2012
Revisions: August 30, 2021