Data Classification Policy

Purpose

University enterprise-level administrative data are assets owned by Western Michigan University and must be protected accordingly. A data policy is necessary to provide a framework for securing data from risks including, but not limited to: access, use, disclosure, modification, removal, and destruction.

This policy serves as a foundation for the University’s data classification security policies, and is consistent with the University’s data and records management standards. The University recognizes that the value of its data and data resources lies in their appropriate and widespread use. It is not the purpose of this policy to create unnecessary restrictions to data access or to impede use for those individuals who use the data in support of University business or academic pursuits. This policy also serves to assure faculty, staff, and students that the expectation of privacy and confidentiality of their personal data will be maintained as outlined according to University policy and all state and federal laws and regulations.

All members of the University community have a responsibility to protect the confidentiality, integrity, and availability of data irrespective of the medium on which the data resides and regardless of format (such as, but not limited to: electronic, paper and any other physical form). Some examples of responsible data stewardship may include storing data in secured areas, not placing sensitive data on public web sites, proper disposition of antiquated data, strong passwords on computing devices, and utilizing adequate access control procedures.

Scope

This policy applies to all centrally managed university enterprise-level administrative data and to all user-developed data stores and systems that may access university data, regardless of the environment where the data reside including, but not limited to: midrange systems, servers, desktop computers, laptop computers, USB keys, flash drives, and any other mobile computing device. The policy applies regardless of the media on which data reside including, but not limited to: electronic, microfiche, printouts, and CD, as well as the form the data may take including, but not limited to: text, graphics, video, and voice.

This Policy does not apply to protected health information as defined by the Health Insurance Portability and Accountability Act (HIPAA) as such information shall be handled in accordance with the HIPAA Policies and Procedures adopted by the entity covered by HIPAA. Questions or concerns should be directed to the University HIPAA Privacy and Contact Officer currently located in the Office of the Vice President for Legal Affairs and General Counsel

Policy

Data must be maintained in a secure, accurate, and reliable manner and be readily available for authorized use. Data security measures will be implemented commensurate with the value, sensitivity, and risk involved.

To implement security at the appropriate level, to establish guidelines for legal/regulatory compliance, and to reduce or eliminate conflicting standards and controls, data will be classified into one of the following categories:

  • Restricted/Confidential: data that, if disclosed to unauthorized persons, would be a violation of federal or state laws or, university policy, or university/contracts. Any file or data that contains personally identifiable information of a trustee, officer, agent, faculty, staff, retiree, student, graduate, donor, or vendor may also qualify as restricted/confidential data. By way of illustration only, some examples of confidential data include, but are not limited to:
    • Medical records of any kind.
    • Student records (except for that information designated by the university as directory information under FERPA) and other non-public student data.
    • Unique identifiers such as social security numbers or Western Identification Numbers.
    • Certain personnel records such as benefits records, health insurance information, retirement documents and/or payroll records.
    • Any data identified by state or federal law or government regulation, or by order of a court of competent jurisdiction to be treated as confidential or sealed by order of a court of competent jurisdiction.
  • Internal: internal data is information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be any law or other regulation requiring this protection. Internal data is information that is restricted to personnel designated by the University who have a legitimate business purpose for accessing such data. By way of illustration only, some examples of internal data include, but are not limited to:
    • Employment data.
    • Business partner information where no more restrictive confidentiality agreement exists.
    • Internal directories and organization charts.
    • Planning documents.
  • Public: data to which the general public may be granted access in accordance with Western Michigan University policy or standards. By way of illustration only, some examples of public data include, but are not limited to:
    • Publicly posted press releases.
    • Publicly posted schedules of classes.
    • Posted interactive University maps, newsletters, newspapers and magazines.
    • Telephone directory information.
    • Information posted on the University’s public website including the website for Student Academic and Institutional Research.

Measures for data security are set by the data custodian working in conjunction with the data stewards, utilizing a combination of acceptable technology protocols and standards. Examples may include data encryption, data access controls, data retention and disposal procedures, data storage management, and end user training and awareness programs.

Responsibilities

The following roles and responsibilities are established for carrying out this data policy:

  • Executive sponsors are senior University officials who have planning and policy responsibility and accountability for major administrative data systems (e.g. student, human resources, financial, research, etc.) within their functional areas. By understanding the planning needs of the institution, they are able to anticipate how data will be used to meet institutional needs. Executive sponsors meet as part of the Information Technology Executive Advisory Board to approve policy or administrative decisions that promote data quality, security, integration, and alignment.
  • Data stewards are appointed by the executive sponsors to implement established data policies and general administrative data security policies for their functional areas.  Data stewards are responsible for safeguarding the data from unauthorized access and abuse through established security and authorization procedures and educational programs. They authorize the use of data within their functional areas and monitor this use to verify appropriate data access. They support access by providing appropriate documentation and training to support University data users. Data stewards, having served informally at the institution, will be identified and serve on existing change management committees and the Campus Information Security Committee as appropriate.
  • Data administrators are University employees who most often report to data stewards and whose duties provide them with an intricate understanding of the data in their area. They work with the data stewards to establish procedures for the responsible management of data, including data entry, auditing and reporting. Some data administrators may work in a technology unit outside of the functional unit, but have responsibilities such as security and access as decided by the stewards. Technical data administrators may also be responsible for implementing backup and retention plans or ensuring proper performance of database software and hardware. Data administrators, having served informally at the institution, will be identified and called upon for their subject matter expertise.
  • Director of data management is responsible for facilitating the coordination of data and systems governance to optimize data integration. The director coordinates and promotes data policies and procedures in the primary enterprise data systems — student, human resources, finance, research, etc. — ensuring representation of the interests of data stewards, managers, and key users. This individual is also responsible for promoting a University culture that supports data governance in all areas, including those with critical peripheral databases that exist beyond the primary systems. The director works with the campus community to define a campus-wide structure of data stewardship by making explicit the roles and responsibilities associated with data management and compliance monitoring. The director of data management provides input to the agendas for the Information Technology Executive Advisory Board meetings. The director of data management is appointed by the executive sponsors.

Enforcement

Any person found to be in violation of this policy will be subject to appropriate disciplinary action as defined by current university policy or contract.

References

Document action

Reviewed by: WMU LAN Managers Group, Aug. 2008
Reviewed by: Office of Information Technology leadership team, Aug. 2008
Revised by: Campus Information Security Committee, Sept. 2008
Revised by: Campus Information Security Committee, Jan. 2009
Approved by: Campus Information Security Committee, Jan. 2009
Revised by: IT Executive Advisory Board, July 2014