Administering Office: Office of CIO
Approved by: Executive Council 3/5/2007
Posted: March 22, 2007
Revised: March 21, 2011
Institutional data is both a valuable asset and a potential liability to the University. As such, the stewardship and security of university data are important responsibilities for every member of the university who has access to it. As an academic institution we must encourage the free flow of most information, while protecting critical operational information.
a. To protect the university’s data and to protect the University from misuse of its data.
b. To provide a framework defining the appropriate protection required for each broad category of data.
c. To define how categories of data are established and assigned.
d. To define who is responsible for ensuring that data is handled in an appropriate manner.
a. The Policy applies to all university enterprise-level data, whether or not it is centrally managed. Enterprise-level data is defined as data that the University has regulatory responsibility for, or is critical for the operation of the University.
b. The Policy applies to data housed on the campus itself or hosted on an outsourced system.
c. The Policy applies to paper as well as electronic records.
d. The policy addresses both access to and disclosure of data.
a. The Chancellor, Provost, Vice Chancellors, General Counsel, and the Director of Athletics are responsible for ensuring the appropriate handling of the enterprise-level data produced and managed by their division/unit. These positions are the institutional Data Stewards.
b. The Information Technology Division is responsible for ensuring that the appropriate technologies and system policies and permissions are in place to ensure appropriate access to electronic data.
c. The Office of Institutional Planning and Effectiveness (OIPE) has primary responsibility for meeting the University's reporting obligations and overseeing the movement of unit record data between the campus and the University of North Carolina. It is the responsibility of all other divisions/units charged with the reporting of institutional data to ensure that OIPE has a record of the parameters of such reporting and timelines that OIPE will maintain as part of an inventory updated annually.
d. The Chancellor will establish a Data Security and Stewardship Committee, which reports to the Chancellor. The charge of this Committee is to oversee the implementation of this policy, ensure procedures are up to date, coordinate all relevant security policy reviews, and assist offices with risk assessments, etc. The members of this Committee are: the FERPA Officer, HIPAA Officers, GLBA Officers, an Internal Auditor representative, a General Counsel representative, the CIO, the IT Security Analyst, a representative of OIPE, a representative from Administration and Finance, a representative from Advancement and Public Relations, and a representative from the faculty (appointed by the Chancellor in consultation with the Faculty Senate Chair, for a 3-year term). The CIO shall chair the committee.
a. All enterprise-level data will be assigned to one of the following categories by the appropriate Data Steward. The categories are not mutually exclusive. Data is to be handled according to the most sensitive category that it falls within.
i. Confidential – access to this data is limited to staff who need the data to perform their job functions. These data are protected by appropriate State or Federal laws.
ii. Third Party Confidential – access to this data is generally treated as confidential. How it is to be handled is specified in the University’s agreement with the third party. This is generally data that the University has access to through a research or other relationship with a third party, such as proprietary corporate data provided as part of a research project.
iii. Internal – access to this data is limited to staff who need the data to perform their job functions; however, it may be released with approval from the Data Steward. This is data that is used for the operation of the university but should not be generally shared, such as the location of all wiring closets within the university. This is the default classification for all data.
iv. Public – any information that is deemed part of the public domain by State or Federal legislation or regulation, or has been expressly deemed by the appropriate Data Steward not to pose an exposure risk to the institution.
b. Requirements for how each category of data is to be stored, transmitted, retained, etc. are specified in the document Procedures for Data Handling.
c. Review of the classification of all data within the “Public” category will occur at least annually. Classification requirements may change due to changes in laws or contractual obligations.
d. Staff authorized to access or disclose Confidential or Internal information are required to sign a confidentiality statement each year as part of their evaluation process.
a. Willful inappropriate access to or disclosure of data will result in appropriate disciplinary action, up to and including dismissal, and/or legal action.
b. Liability for the willful inappropriate access to or disclosure of data may, in certain circumstances, rest with the individual and not the institution.