DRAFT

University Institutional Data Policy

December 4, 2006

I. Background and Purpose

The Ohio State University and university community members require reliable and ubiquitous access to institutional data to support the university’s teaching, research and outreach missions. The university’s institutional data is a valuable resource and asset and must be maintained and protected as such. In addition, the privacy of university community members and clients must be protected to the greatest possible extent. The purpose of this policy is to ensure the protection of the university’s institutional data resources from accidental or intentional unauthorized access, damage, alteration or disclosure while preserving authorized users’ ability to access and use institutional data.

Institutional data is defined as all data created, collected, maintained, recorded or managed by the university, its staff, and all agents working on its behalf. It includes data relevant to planning, managing, operating, controlling, or auditing functions of university units; especially data used by multiple university units and data used for official university reports.

II. Scope and Applicability

This policy applies to enterprise-level administrative data and all developed systems and data sets that may access these data, regardless of the environment where the data resides, for example the university mainframe enterprise server, other enterprise servers, distributed departmental servers, or personal workstations and mobile devices. Extracts of data, data feeds, and data within shadow or secondary database systems must have the same data classification level and utilize the same protective measures as prescribed by the data steward for the primary source systems.

This policy applies regardless of the media on which data resides, for example electronic, microfiche, paper, CD/DVD, or other media. It also applies regardless of the form the data may take, for example text, graphics, video or audio, or their presentation. University units, data trustees, or data stewards may have additional policies for institutional data within their areas of operational or administrative control. Consult your supervisor, unit management, the data trustee or data steward for further information.

This policy applies to all university community members, whether students, faculty, staff, or agents, who have access to university institutional data and to all university units and their agents including external third-party relationships.

Administrative Areas covered by this policy include but are not limited to:
Administrative Functional Area / Data Trustee
Fund Raising and Alumni Relations / Vice President for Development
Budget and Planning
Financial (General Ledger, Procurement, Accounts Payable)
Student Billing and Accounts Receivable
Facilities and Space Management
Equipment and Asset Management / Senior Vice President for Business and Finance
Human Resources (Compensation, Benefits, Payroll) / Associate Vice President for Human Resources
Research / Senior Vice President for Research
Student Records
Student Admissions
Student Financial Aid
Learning Management / Vice Provost and Dean for Enrollment Services and Undergraduate Education
Student Affairs / Vice President for Student Affairs
Graduate School / Dean of the Graduate School
More to be added…..

Special Note: The Health System/Medical Center is included in the scope of this policy because it participates in the usage of many of the systems identified above. Other systems maintained specifically for the Health System/Medical Center, such as patient care systems, are not specifically covered by this policy.

III. Roles and Responsibilities:

A. Data Trustee

Data Trustees are senior university officials (or their designees) who have planning and policy-level responsibility for data within their functional areas and management responsibility for defined segments of institutional data. The Data Trustees work with the Chief Information Officer to ensure that the appropriate resources (staff, technical infrastructure, etc.) are available to support the data needs of the entire university.

Responsibilities include:

  1. Assigning data stewards
  2. Overseeing the establishment of data policies
  3. Determining legal and regulatory requirements for data
  4. Promoting appropriate data use and data quality

B. Data Steward

Data Stewards are university officials having direct operational-level responsibility for information management. <HTTP Link to Listing of Current Data Stewards>

Responsibilities include:

  1. Developing, implementing, and managing data access policies.
  2. Developing and maintaining data classification policies.
  3. Ensuring that data quality and data definition standards are developed and implemented.
  4. Interpreting and assuring compliance with Federal, State, and University policies and regulations regarding the release of, responsible use of, and access to institutional data.
  5. Resolving stewardship issues and data definitions of data elements that cross multiple functional units.
  6. Developing, implementing, and maintaining a Business Continuity Plan for institutional data under their control. Business Continuity is an ongoing process supported by senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure the continuity of operations through personnel training, plan testing, and maintenance.
  7. Providing communication and education to data users on appropriate use and protection of institutional data.
  8. Developing, implementing, and communicating record retention requirements to the university community in conjunction with University Archives.

C. Data Custodian:

Data Custodians are university computer system administrators that are responsible for the management of the systems which collect, manage, and provide access to institutional data. These individuals could be part of the enterprise-level computing staff or distributed computing staff.

Responsibilities include:

  1. Implementing physical security and system hardening measures that prevent or deter attackers from physically accessing a facility, resource, or information system. System Hardening is the process of securing a computer system in order to protect the systems against attackers. This typically includes removal of unnecessary usernames or logins and the disabling or removal of unnecessary services.
  2. Disaster Recovery which encompasses the data, hardware, software, and processes critical for an organization or business to restart operations in the event of a natural or human-caused disaster. Technologies would include backup and recovery solutions, uninterruptible power supplies, storage area networks (SAN), hardware replacement insurance, etc.
  3. Managing user access as authorized by the data stewards.
  4. Following the policies and procedures established by the data stewards
  5. Complying with all federal and state laws, regulations, and policies associated with institutional data.
  6. Implementing and administering controls to safeguard institutional data based on the data classification policies developed by the data stewards.

Note: Areas that develop databases and/or systems from institutional data sources and then provide access to this data to other users are considered data custodians. These data custodians must be authorized by the appropriate data steward, approved to further redistribute institutional data, and must implement the minimum required safeguards for the source data as prescribed by the data steward.

D. Data Users

Data Users are individuals who have been granted access to institutional data as part of their assigned duties or in fulfillment of assigned university roles or functions. This access is granted solely for the conduct of university business.

Responsibilities include:

  1. Following the policies and procedures established by the data stewards
  2. Complying with all federal and state laws, regulations, and policies associated with institutional data
  3. Using institutional data only as required for the conduct of university business within the scope of the user's job responsibility
  4. Implementing the minimum safeguards as required by the data stewards for sensitive and protected data
  5. Ensuring the appropriateness, accuracy, and timeliness of institutional data used for the conduct of university business
  6. Reporting any unauthorized access, data misuse, or data quality issues to the data steward for remediation

IV. Data Classification

By default, all institutional data will be designated as internal data for use within the university or to satisfy external reporting requirements to the Ohio Board of Regents, and to State, Federal, or other external agencies. University employees will have access to these data for use in the conduct of university business. These data, while available within the university, are not designated as open to the general public unless otherwise required by law. The permission to view or query institutional data will be granted to all data users for all legitimate university purposes.

Data classification provides a basis for understanding and managing institutional data based on the level of confidentiality and criticality of the data. Accurate classification provides the basis to apply an appropriate level of security to institutional data. As part of the data classification process, data stewards will assign each data element and each data view in institutional data to one of three categories: unrestricted, sensitive, or protected. The data stewards will then be responsible for reviewing these data classifications as required and at a minimum every two years.

Note: In some circumstances, as long as specific identifying data elements are removed, a data view may include elements of institutional data that would otherwise be sensitive or protected.

A. Unrestricted Data

Where appropriate, data stewards may identify institutional data elements that have no access restrictions as available to the general public. These data will be designated as unrestricted or public data.

Examples: High-level Enrollment Statistics

Course Catalog

Current Funds Budget

Financial Statements

B. Sensitive Data

Where necessary, data stewards may specify institutional data elements as sensitive data for which users must obtain specific authorization to access since the data's unauthorized disclosure, alteration, or destruction will cause perceivable damage to the university.

Note: All institutional data in the enterprise-level administrative systems is classified as sensitive unless otherwise indicated.

Examples: Date of Birth

Ethnicity

C. Protected Data

Where required, data stewards may identify institutional data elements as protected, for which the highest levels of restriction should apply, both internally and externally, due to the risk or harm that may result from disclosure or inappropriate use. This includes information whose improper use or disclosure could:

  1. Adversely affect the ability of the university to accomplish its mission.
  2. Lead to the possibility of identity theft by release of personally identifiable information of university constituents.
  3. Put the university into a state of non-compliance with various state and federal regulations such as FERPA, HIPAA, GLBA, or Ohio Public Records Law.
  4. Put the university into a state of non-compliance with contractual obligations such as payment card industry data security standards.

The specification of data as protected should include reference to the legal or externally imposed constraint that requires this restriction, the categories of users typically given access to the data, and under what conditions or limitations access is typically given.

Data stewards and data custodians are responsible for defining and implementing safeguards for protected data. If the applicable laws and regulations do not specify how to safeguard protected data, then the data steward is responsible for developing safeguards based on information security best practice working in cooperation with the Office of the CIO and Legal Affairs. In some cases, multiple data stewards may collect and maintain the same protected data element. In these cases, these data stewards must work together to implement a common set of safeguards.

Data stewards are responsible for communicating and providing education on the required minimum safeguards for protected data to authorized end users and data custodians. Failure to implement the required minimum safeguards will result in revocation of access to the protected data.

Examples: Social Security Number

Patient Care Data

Credit Card Information

V. Data Access Control

Data stewards will work with the data custodians to develop policies and procedures for requesting and maintaining access to institutional data. These policies and procedures shall be developed taking into account the risk associated with the specific data and/or system being accessed. The following minimum standards must be incorporated into the individual data access policies and procedures created by the data stewards:

  1. Users shall have unique and individual user credentials (e.g. user ids).
  2. User account access shall be deactivated after a period of no activity not to exceed twelve months.
  3. Terminated employees shall have their access to sensitive and protected data removed as of their termination date.
  4. The data access request process shall be formalized and auditable. The request process must include appropriate approvals, the specific data requested, the level of access requested (read, write), and the purpose for accessing the data. Data access requests should be maintained in order to support the need to audit data access permissions throughout the complete data access lifecycle (creation through termination).
  5. Once data access is approved for a data user or data custodian, data stewards are responsible for providing access to the Institutional Data Policy and the following information specific to the data being requested: 1) data documentation and usage guidelines, 2) the data classification policy including information on associated state and federal regulations, and 3) required minimum safeguards for protected data.
  6. A stricter data access request policy that recognizes the additional responsibilities of this role shall be implemented for data custodians.
  7. A robust authentication process is required for access to all sensitive and protected data. Possible authentication methods can include password or pass phrase protection, multi-factor authentication and digital certificates. The method employed should be commensurate with the risk associated with unauthorized access to the data.
  8. Security audit logging shall be implemented to provide a consistent and reliable record of system activity. These logs shall capture information sufficient to identify who is accessing institutional data resources, access attempts and failures, and violations of security policy.
  9. Data access processes and procedures will be reviewed on an annual basis by each data steward to ensure that access remains appropriate.

VI. Record Retention

The University Archivist provides guidance for the preservation and use of university records documenting organizational and operational activities. Much of the institutional data may be found in university records, is used to produce university records, and/or may be university records in and of themselves. The University Archives serves as the repository of records of enduring value once the current administrative, fiscal or legal values have expired. The University Archives develops specific records retention schedules for offices with unique records, as well as general schedules of common university records, for retention and disposition, based on legal and operational needs. Records not identified in an approved Records Retention and Disposition Schedule may not be discarded until the University Archives has appraised their value. It is a violation of Ohio state law to discard or destroy a record in advance of the authorized disposition date.

VII. Ohio Public Records Requests

Institutional data at The Ohio State University is a component of the public data held, maintained, and used in trust by the university for Ohio’s citizens. While the university’s institutional data is a part of this public store and is generally available to the public under Ohio’s Public Records Law, many portions of that data are protected by federal or state law or otherwise exempted from disclosure by Ohio law. As a result, public records requests for institutional data, especially protected data, must be handled with care. Individuals likely to receive a public records request are strongly encouraged to seek training in this area.

If you receive a public records request for records containing institutional data and your unit has a policy or procedure for public records requests, you should follow that direction. If not, you should notify your supervisor and comply with the request. If you have any questions about a public records request, contact OSU Legal Affairs and/or the appropriate data steward.

VIII. Enforcement

Individual university community members who violate this policy may be denied access to institutional data resources and may be subject to other penalties and disciplinary action, both within and outside of the university. Violations will normally be handled through the university disciplinary procedures applicable to the violator.

Violations of this policy by a university unit will be reported to unit management with recommendations for corrective measures. Uncorrected or repeated violations will be reported to the unit’s higher management with recommendations for corrective measures.

In a perceived emergency situation, the university staff may take immediate steps, including denial of access, to ensure the integrity of the university data and systems or protect the university from liability.

All decisions, notifications, or measures taken under this policy may be appealed to the CIO through the CIO Office Director of Information Technology Policy and Services by sending an e-mail to .

IX. Implementation

The Institutional Data Policy requires that various processes and procedures be developed for the safeguarding of institutional data. Given the varying degrees of risk, complexity, and capability associated with each area of institutional data, compliance with specific requirements of this policy may require a lengthy development period.

In order to understand these challenges and assure timely implementation of this policy, each data steward is required to develop an action plan for implementing the Institutional Data Policy within 120 days after the effective date of this policy. The action plans will be reviewed and approved by the Chief Information Officer and should include the following: