Policy Number: 
IT-19
Date Drafted: 
01/02/2003
Date Drafted: 
09/15/2006
Date Posted for Review: 
09/15/2006
Version: 
V2
Date Posted for Review: 
11/20/2014
Approved Date: 
04/12/2005
Version: 
V1
Approved Date: 
02/04/2007
Version: 
V2
Revision Date: 
07/07/2004
Revision Date: 
09/15/2006
Revision Date: 
09/19/2013
Revision Date: 
05/15/2015
Description: 
To establish policy for the classification and use of University institutional data and the responsibilities for the protection of such data.

Institutional data is information that supports the mission and operation of The University of Iowa. It is a vital asset and is owned by the University. It is likely that some institutional data will be distributed across multiple units of the University, as well as entities outside. Institutional data is considered essential, and its quality must be ensured to comply with legal, regulatory, and administrative requirements. Business Owners (as defined in the Roles and Responsibilities for Information Security Policy) will assess institutional risks and threats to the data for which they are responsible, and accordingly classify its relative sensitivity as Level I (low sensitivity), Level II (moderate sensitivity), or Level III (high sensitivity). Unless otherwise classified, institutional data is Level II. University personnel may not broaden access to institutional data without authorization from the Business Owner. This limitation applies to all means of copying, replicating, or otherwise propagating institutional data.

Data Classification
Authorization to access institutional data varies according to its sensitivity (the need for care or caution in handling).   For each classification, several data handling requirements are defined to appropriately safeguard the information.  It’s important to understand that overall sensitivity of institutional data encompasses not only its confidentiality (need for privacy), but also the need for integrity and availability.  The need for integrity, or trustworthiness, of institutional data should be considered and aligned with institutional risk; that is, what is the impact on the institution should the data not be trustworthy?  Finally, the need for availability relates to the impact on the institution’s ability to function should the data not be available for some period of time.  There are three classification levels of relative sensitivity which apply to institutional data:
Level I: Low Sensitivity:
Access to Level I institutional data may be granted to any requester, or it is published with no restrictions.  Public data is not considered sensitive. The integrity of “Public” data should be protected, and the appropriate Business Owner must authorize replication or copying of the data in order to ensure it remains accurate over time.  The impact on the institution should Level I data not be available is typically low, (inconvenient but not debilitating).  Examples of Level I  “Public” data include published “white pages” directory information, maps, departmental websites, and academic course descriptions.

Level II: Moderate Sensitivity:
Access to Level II institutional data must be requested from, and authorized by, the Business Owner who is responsible for the data. Access to internal data may be authorized to groups of persons by their job classification or responsibilities (“role-based” access), and may also be limited by one’s employing unit or affiliation. Non-Public or Internal data is moderately sensitive in nature.  Often, Level II data is used for making decisions, and therefore it’s important this information remain timely and accurate.  The risk for negative impact on the institution should this information not be available when needed is typically moderate.  Examples of Level II “Non-Public/Internal”  institutional data include project information, official university records such as financial reports, human resources information, some research data, unofficial student records, and budget information.

Level III: High Sensitivity:
Access to Level III institutional data must be controlled from creation to destruction, and will be granted only to those persons affiliated with the University who require such access in order to perform their job, or to those individuals permitted by law.  Access to confidential/restricted data must be individually requested and then authorized by the Business Owner who is responsible for the data. Level III data is highly sensitive and may have personal privacy considerations, or may be restricted by federal or state law.   In addition, the negative impact on the institution should this data be incorrect, improperly disclosed, or not available when needed is typically very high. Examples of Level III “Confidential/Restricted” data include official student grades and financial aid data; social security and credit card numbers; individuals’ health information, and human subjects research data that identifies an individual.
To comply with federal Health Insurance Portability and Accountability Act (HIPAA) regulations, the location of all Protected Health Information (“PHI”) must be registered with the University’s HIPAA Privacy Officer.  (PHI includes any health information that pertains to an individual.)  Contractual “Business Associate Agreements” may be required to share PHI with external entities.
Policy Statement:
 

  • Institutional data must be protected from unauthorized modification, destruction, or disclosure. Permission to access institutional data will be granted to all eligible University employees for legitimate university purposes.
  • Authorization for access to Level II and Level III institutional data comes from the Business Owner, and is typically made in conjunction with an acknowledgement or authorization from the requestor’s department head, supervisor, or other authority.
  • Where access to Level II and Level III institutional data has been authorized, use of such data shall be limited to the purpose for which access to the data was granted. 
  • University employees must report instances in which institutional data is at risk of unauthorized modification, disclosure, or destruction.
  • Business Owners must ensure that all decisions regarding the collection and use of institutional data are in compliance with the law and with University policy and procedure.
  • Business Owners must ensure that appropriate security practices, consistent with the data handling requirements in this policy, are used to protect institutional data.
  • Users will respect the confidentiality and privacy of individuals whose records they access, observe ethical restrictions that apply to the information they access, and abide by applicable laws and policies with respect to accessing, using, or disclosing information.

Data Handling Requirements:

  LEVEL I Low  Sensitivity (Public Data) LEVEL II Moderate Sensitivity (Non-Public/Internal Data) LEVEL III High Sensitivity (Confidential/Restricted Data)
Mailing & Labels on Printed Reports None May be sent via Campus Mail; No labels required Must be sent via Confidential envelope; Reports must be marked “Confidential”
Electronic Access No controls Role-based authorization Individually authorized, with a confidentiality agreement
Secondary Use (re-purposing data) As authorized by Business Owner As authorized by Business Owner Prohibited
Physical Data/Media Storage No special controls Access Controlled  area Access controlled and monitored area
External Data Sharing No special controls As allowed by Iowa Open Records Law, FERPA restrictions; or Non-UI project/study participants As allowed by Federal regulations; Iowa Open Records Law; FERPA restrictions; and Business Associate Agreement (for PHI);
Electronic Communication No special controls Encryption recommended for external transmission Encryption required for external transmission
Data Tracking None None Social Security Numbers, Credit Cards,  and PHI locations must be registered
Data Disposal No controls Recycle reports; Wipe/erase media Shred reports; DOD-Level Wipe or destruction of electronic media
Auditing No controls Logins Logins, accesses and changes
Mobile Devices - University-owned Password protected; Secure storage when not in use; Full disk encryption required (unless granted an exception). Password protected; Secure storage when not in use; Full disk encryption required (unless granted an exception). Password protected; Locked when not in use; Full Disk Encryption required, no exceptions are allowed.
Mobile Devices - User-owned Password protection and secure storage is recommended. Password protected; Secured when not in use, full disk encryption recommended. Password protected, secured when not in use, full disk encryption required.

Control Definitions:
Mailing & Labels on Printed Reports – A requirement for the heading on a printed report to contain a label indicating that the information is confidential, and/or a cover page indicating the information is confidential is affixed to reports.  
Electronic Access – How authorizations to information in each classification are granted.
Secondary Use – Indicates whether an authorized user of the information may repurpose the information for another reason or for a new application. 
Physical Data/Media Storage – The protections required for storage of physical media that contains the information. This includes, but is not limited to workstations, servers, storage devices, media, and mobile devices.
External Data Sharing – Restrictions on appropriate sharing of the information outside of the University of Iowa
Electronic Communication – Requirements for the protection of data as transmitted over telecommunication and data networks. 
Data Tracking – Requirements to centrally report the location (storage and use) of information with particular privacy considerations.
Data Disposal - Requirements for the proper destruction or erasure of information when decommissioned (transfer or surplus), as outlined in the University’s Computer Data and Media Disposal Policy.
Auditing – Requirements for recording and preserving information accesses and/or changes, and who makes them.
Mobile Devices – Requirements for the protection of information stored locally on mobile devices. This includes, but is not limited to laptops, tablets, and external storage devices that are university owned, as well as for personal devices that are utilized to store institutional data.

Related Policies, References and Attachments:
This collection of University of Iowa Information Technology policies and procedures contain acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.
They are incorporated into the University of Operations Manual (http://opsmanual.uiowa.edu/) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://opsmanual.uiowa.edu/community-policies/acceptable-use-information-technology-resources)

Computer Data and Media Disposal Policy
Information Security Framework Policy
Roles and Responsibilities for Information Security
Backup and Recovery Policy
Social Security Numbers Policy
Data Classification Guidelines
Records Management Program
Encryption Resources
How to register your system(s) in the Uiowa System Registry (USR)
Iowa Regents Institutions Security and Network Log Retention Guidelines