Policy Number: IT-19
Date Drafted: 01/02/2003
Version: 1.0
Approved Date: 04/12/2005
Version: 1.0
Approved Date: 02/04/2007
Version: 2.0
Approved Date: 04/09/2019
Version: 3.0

All electronic information that constitutes an official record, or has institutional value as defined in the University Operations Manual (Chapter 17.3 Records Management Program), shall be managed responsibly with regard to data access, backup, and disposal.  This policy describes the requirements for proper management of institutional data records.
Institutional data is information that supports the mission and operation of The University of Iowa. It is a vital asset and considered essential to the University.  The confidentiality, integrity and availability of institutional data must be ensured to comply with legal, regulatory, and administrative requirements.

Classifying Institutional Data

The overall sensitivity of institutional data encompasses not only its confidentiality, but also its integrity and availability.  Many confidentiality obligations exist, such as those required for personal information and to meet contractual or regulatory requirements.  Integrity, or trustworthiness, of institutional data must also be considered and aligned with institutional risk; that is, the impact on the institution should the data not be accurate.  Availability relates to the impact on the institution’s ability to function if the institutional data is not reliably accessible to authorized users.
Four levels of sensitivity apply to institutional data:

Classification Level: Critical

Description:

  • Inappropriate handling or disclosure of this data could cause severe harm to individuals and the university, including exposure to criminal and civil penalties, identity theft, personal financial loss, or invasion of privacy.
  • Only selective access (on a need-to-know basis) may be granted.
  • Has the most stringent legal or regulatory requirements and requires the most prescriptive security controls.

Institutional Data Examples:

  • Patient health, payment/insurance, and treatment data
  • Social Security Number
  • Credit card information
  • Personal identifiers (e.g., passport, driver's license)
  • ITAR data
  • Investigative reports

Classification Level: Restricted

Description:

  • Disclosure could cause significant harm to individuals and the university, including exposure to civil liability. Because of legal, ethical, or other constraints, this data may not be accessed without specific authorization.
  • Only selective access (on a need-to-know basis) may be granted.
  • Usually subject to legal and regulatory requirements due to data that are individually identifiable, highly sensitive and/or confidential.

Institutional Data Examples:

  • Financial aid data
  • Student transcripts
  • Identifiable human subject research data

Classification Level: University-Internal

Description:

  • Disclosure could cause limited harm to individuals and the university with some risk of civil liability.
  • This data may be accessed by eligible employees and designated appointees of the University for the purpose of university business. Access restrictions should be applied accordingly.
  • Either subject to contractual agreements or regulatory compliance or is individually identifiable, confidential, and/or proprietary.

Institutional Data Examples:

  • Financial reports
  • Departmental memos
  • Committee meeting minutes
  • De-identified human subject research data

Classification Level: Public

Description:

  • Encompasses information for which disclosure poses little to no risk to individuals or the university.
  • Few restrictions are placed on this data, as it is generally releasable to a member of the public upon request, or is published.
  • Anyone regardless of institutional affiliation can access without limitation.

Institutional Data Examples:

  • Collegiate and departmental websites
  • News releases
  • Information subject to open records requests (email, financial, etc)

Policy Statements

  1. The Information Security and Policy Office (ISPO) will maintain a web resource that explains the process for determining the correct classification level for any data (https://itsecurity.uiowa.edu/classifying-institutional-data).
  2. Data Trustees will assess institutional risks and threats to the data for which they are responsible.
  3. Data Trustees will classify the data as Public (low sensitivity), University-Internal (moderate sensitivity), Restricted (high sensitivity), or Critical (very high sensitivity). 
  4. Unless otherwise classified, institutional data is University-Internal.
  5. Institutional Data that is moved, copied, extended or propagated is still considered Institutional Data and all Institutional Data Policies still apply.
  6. No individual is authorized to change the classification level of institutional data without authorization from the Data Trustee.
  7. Data Trustees must ensure that all decisions regarding the collection and use of institutional data are in compliance with applicable laws and regulations, and with University policy and procedure.
  8. Users must report instances in which institutional data is at risk of unauthorized modification, disclosure, and/or destruction to their immediate supervisor or the Information Security & Policy Office.

Access to Institutional Data

Authorization to access institutional data varies according to the need for care or caution in handling. For each classification, data handling requirements are defined to appropriately safeguard the information.
University personnel shall not change the classification level of institutional data (if moved, copied, extended, or propagated) without authorization from the Data Trustee.

Secondary Use

An Authorized User of Public or University-Internal data may repurpose the information for another reason or a new application when it is authorized by the Data Trustee. Secondary use or repurposing of Restricted or Critical data is strictly prohibited.

Policy Statements

  1. Authorization to access Restricted and Critical institutional data is approved by the Data Steward, and is typically made in conjunction with the requestor’s department head, supervisor, or other authority.
  2. Where access to non-public institutional data has been authorized, use of such data shall be limited to the purpose for which access was granted.
  3. Data Stewards must ensure that appropriate security practices, consistent with the data handling requirements in this policy, are used to protect institutional data.  These requirements also apply to copies of the data.
  4. University faculty and staff must affirmatively accept the University’s institutional data confidentiality agreement in Employee Self Service on an annual basis as a prerequisite for obtaining access to non-public data.
  5. Legal counsel must review external data sharing agreements to ensure appropriate enforcement of confidentiality.
  6. In addition to providing classification of the data, Data Trustees may offer guidance on appropriate use of data. 

Institutional Data Backup

All institutional data must be copied onto secure storage media on a regular basis (i.e., backed up) for disaster recovery and business continuity purposes.  This section outlines the minimum requirements for the creation and retention of backups. Special backup needs that exceed these minimum requirements should be implemented on an individual, as-needed basis.
Data backup solutions by Enterprise Services at the university are provided in order to meet or exceed minimum backup requirements for typical applications; however, Data Custodians must verify that backups meet the requirements of the data collections for which they are responsible.  Services contracted from an outside vendor should be assessed to determine responsibility for backups and the vendor's ability to meet University of Iowa requirements.
Federal and state regulations pertaining to the long-term retention of information (e.g., financial records, research data) must be met using retention policies as described in the University of Iowa Records Management Program, or as described in research Data Management Plans. Long-term archive requirements are beyond the scope of this policy.

Policy Statements

Data Custodians will document backup and recovery procedures for each collection of institutional data that they maintain, which address:

  1. Individuals (with contact information) responsible for performing backup and recovery operations.
  2. Individuals (with contact information) to be notified in the event recovery operations are required.
  3. Locations of backups, including requirements (if needed) for off-site storage.
  4. Rules governing who may access backups.
  5. Backup and retention schedules.
  6. Special requirements (e.g., data encryption, unique hardware, external regulations, etc.).
  7. Step-by-step instructions on how to perform backup and recovery functions.
  8. Minimum backup requirements for all University of Iowa institutional data.  It is the responsibility of the Data Trustee and Data Steward to determine whether additional requirements, such as retaining multiple backup copies, are necessary.
    • Two individuals identified who can perform backup and recovery procedures.
    • A physically separated (remote/off-site) backup must be maintained.  Taking backup media to a personal residence is not permitted.
    • At least one current, complete backup will be retained at all times.  If the data is volatile, incremental backups may be used in conjunction with complete backups for efficiency. Other techniques, such as data replication or mirroring may also be acceptable.
    • Backup and recovery procedures will be tested at least once per year, and also when changes to the procedures are made (e.g., change of backup hardware).
    • Backup and recovery requirements and documentation will be reviewed at least once per year.
    • In the case of derived data or data obtained from outside sources, backups are not required if reobtaining or recreating the data is more efficient than performing backups.

Equipment Disposal

Digital storage devices that contain licensed software programs and/or institutional data must be reliably erased and/or destroyed before the device is transferred out of University control, or erased before being transferred from one University department or individual to another.  This does not preclude the use of physical media intended specifically for the purpose of data transfer.
The University of Iowa is committed to compliance with applicable laws and regulations associated with the protection of confidential information as well as ensuring compliance with software licensing agreements.
All computers and digital storage devices, including but not limited to desktop workstations, laptops, servers, notebooks, handheld computers, and hard drives, and all external data storage devices such as disks, SANs, optical media (e.g., DVD, CD), magnetic media (e.g., tapes, diskettes), and non-volatile electronic media (e.g., memory sticks), are covered under these requirements for disposal.

Policy Statements

University-owned assets must have all institutional data and licensed software reliably erased from the device prior to its transfer out of University control, and/or the media must be destroyed, using current best practices for the type of media.

  1. All computer and digital storage media leaving the University’s possession and/or control while still intact must be transferred in accordance with the University of Iowa Equipment policy (Operations Manual Part V, Chapter 12), which covers both tagged and non-tagged equipment. University Surplus is ultimately responsible for erasing the data using approved procedures prior to release, or for destroying the media.
  2. It is recommended that departmental IT support staff erase computer and digital storage media prior to transfer within the University (to Surplus), or destroy/replace storage media, before equipment transfers take place.
  3. An organizational IT Director must review all computer and electronic storage equipment identified for title transfer.  Licensed software and institutional data deemed to be the property of the University of Iowa must be removed prior to title transfer of equipment from the University.  Units without an organizational IT Director should assign review to the senior administrative officer of the unit.
  4. Computer and digital storage media which are included as part of a trade-in purchase must be identified on the purchase order for new equipment. Documentation attesting to the erasure of licensed software and institutional data by an approved IT service provider will be required to complete the purchase.
  5. The University must have a confidentiality agreement in place with any vendor receiving devices for trade-in, or receiving devices that must be replaced as part of a warranty or repair contract but cannot be erased for technical reasons.

Appendix A: Related Policies, References and Attachments

The collection of University of Iowa Information Technology policies and procedures contains acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.
Information technology policies are incorporated into the University of Iowa Operations Manual (available online at https://opsmanual.uiowa.edu), through the Policy on Acceptable Use of Information Technology Resources (see http://opsmanual.uiowa.edu/community-policies/acceptable-use-information-technology-resources).
All information technology policies are available at https://itsecurity.uiowa.edu/university-it-policy. Best practices documents are available at https://itsecurity.uiowa.edu/resources.

Classifying Institutional Data

Computer Data and Media Disposal Training

Enterprise Authentication, Authorization, and Access Policy

Security Policy