Data handling guidelines
Data handling guidelines
Description
A set of handling procedures for the protection of Institutional Data.
The University of Iowa relies upon various collections of data to support its academic, service and research missions. In order to protect this data from many types of risk, and in order to support legal and regulatory requirements, these guidelines describe the technical and operational controls required for minimizing the risks associated with each level of data classification.
Activities
The following table outlines the minimum guidelines for each data classification level. Note that specific laws, regulations or contracts may require additional requirements beyond those described below.
| Activity | Critical | Restricted | University-Internal | Public |
| Disposal | All data will be rendered unrecoverable using industry best practices, and sensitive data disposal will be accompanied with documentation indicating that it was properly destroyed. | All data will be rendered unrecoverable using industry best practices, and sensitive data disposal will be accompanied with documentation indicating that it was properly destroyed. | All data will be rendered unrecoverable using industry best practices.
| No controls required. |
| Email (Internal) | OK to send | OK to send | OK to send | OK to send |
| Email (External) | Encryption required | Encryption required | OK to send | OK to send |
| Non-email electronic transmission | Encryption required | Encryption required | Encryption recommended | Encryption recommended |
| Paper | OK for internal use; shred for disposal | OK for internal use; shred for disposal
| OK for internal use; shred when appropriate
| OK for any use |
| Mail/Shipping | OK to known recipient | OK to known recipient | OK to known recipient | OK |
| Fax | OK to Fax to known recipient | OK to Fax to known recipient | OK to Fax to known recipient | OK |
| Database storage | OK with authenticated access control | OK with authenticated access control
| OK with authenticated access control
| OK with or without authenticated access control |
| Internal file storage (managed by IT) | OK with authenticated access control
| OK with authenticated access control
| OK with authenticated access control
| OK with or without authenticated access control |
| Archive/backup storage (managed by IT) | Encryption required | Encryption required | Encryption recommended | OK to store |
| Storage manged by user (university-owned: external drive, DVD, etc.) | Encryption required | Encryption required | Encryption recommended | Encryption recommended
|
| University device (workstation, laptop, mobile) | Encryption required | Encryption required | OK to store | OK to store |
| Personal/non-university device | Not permitted | Not permitted | Not recommended | OK to store |
| University cloud storage | OK with authenticated access control | OK with authenticated access control | OK with authenticated access control | OK |
| Personal cloud storage (including email) | Not permitted | Not permitted | Not permitted | OK |
| Retention | Documented and monitored | Documented and monitored | Documented | Documented |
| Logging/auditing | Logs forwarded to SEIM | Logs Forwarded to SEIM | Logging recommended | Logging recommended |
| Artificial Intelligence (AI) | Security review required | Security review requried | Security review required | OK |
Related Policies and Guidelines
Classifying Institutional Data
Data Classification Guide to IT Services
Security Review Frequently Asked Questions
Last updated 6/10/2025