University of Minnesota
University Relations
http://www.umn.edu/urelate
612-624-6868
University of Minnesota
POLICY LIBRARY
POLICY
University of Minnesota
University of Minnesota
University M logo on red background
ADMINISTRATIVE POLICY
Home : Information Technology : Acceptable Use and Information Security

Data Security Classification

Effective Date: June 2013
Last Update: June 2013
Responsible University Officer:
  • Vice President for Information Technology
Policy Owner:
  • Vice President for Information Technology
Policy Contact:
CONSULTED WITH: Senate Committee on Information Technology

Printed on: . Please go to http://policy.umn.edu for the most current version of the Policy or related document.

POLICY STATEMENT

To protect the security and integrity of University of Minnesota data and comply with applicable state and federal laws and regulations, all University of Minnesota data must be classified appropriately. The University uses a data security classification system to ensure all data and the systems on which it is stored, accessed or transmitted have appropriate security controls.

The University's data security classifications are:

  • Private-Highly Restricted – Private-Highly Restricted data are University data that are not public and are available within the institution only to those with a legitimate need to know, and (1) are so highly sensitive that the loss of confidentiality, integrity, or availability of the data could cause significant personal, institutional, or other harm; (2) by law or regulation requires high-level security controls; or (3) by contract requires high-level security controls.
  • Private-Restricted - Private-Restricted data are University data that by law are not public and are available within the institution only to those with a legitimate need to know, but are not so highly sensitive that the loss of confidentiality, integrity, or availability would cause significant personal, institutional, or other harm, and no law, regulation, or contract requires a higher level of security.
  • Public - Public data are University data that by law are available to the public upon request.

Each University department or administrative unit with data that is subject to state or federal law or regulation without a designated Privacy Officer is responsible for designating a Data Custodian.

Data Custodians are responsible for setting the appropriate data security classification for the various types of data in that department or unit to meet state and federal regulations, specific contractual requirements, and appropriate security controls. Data Custodians must also communicate the data security classifications to affected groups and individuals.

University community members and data users must follow security controls that are appropriate for the data security classifications as identified by Data Custodians. For electronic data, the controls are specified in Administrative Policy: Securing Electronic Data, Computers, and Other Electronic Devices.

The Vice President for Information Technology will consult with the appropriate vice president to resolve any disputes as to the classification of data by the data custodian.

REASON FOR POLICY

University data are valuable assets. Often, University data are subject to state and federal regulations which outline various control requirements to ensure appropriate confidentiality, availability and integrity of the data. This policy provides a foundation for facilitating compliance with the related regulations and adherence to the appropriate security practices.

PROCEDURES

FORMS/INSTRUCTIONS

There are no forms associated with this policy.

APPENDICES

FREQUENTLY ASKED QUESTIONS

There is no FAQ associated with this policy.

ADDITIONAL CONTACTS

Subject
Contact
Phone
Fax/Email
Primary Contact(s)
612-625-1505
Financial Systems
Director, Controller's Office
612-624-1617
Information Security
University Chief Information Security Officer
612-625-1505
Health Information and HIPAA
HIPAA Privacy Officer
612-626-5844
 
Human Resources/Payroll
Director, Office of Human Resources
612-624-1370
612-626-8924
Legal Advice
General Counsel
612-624-4100
 
Student Systems
Director, Office of the Registrar
612-625-8098
612-626-1754
Public or Private Data
Coordinator, Records and Information; or Office of the General Counsel
612-625-4597
612-624-4100

DEFINITIONS

Acceptable Use
This term consists of these related concepts:
  • Data and systems may only be used by authorized individuals to accomplish tasks related to their jobs. Use of the data and systems for personal gain, personal business, or to commit fraud is prohibited.
  • All Private, Highly-Restricted and Private, Restricted data must not be disclosed without authorization. Unauthorized access, manipulation, disclosure, or secondary release of such data constitutes a security breach, and may be grounds for disciplinary action up to and including termination of employment.

Refer to Administrative Policy: Acceptable Use of Information Technology Resources for related information.

Data
Information collected, stored, transferred or reported for any purpose, whether electronically or hard copy.
Data Custodian
When a Privacy Officer has been assigned for a type or set of data (e.g. HIPAA, PCI DSS, FERPA, contracted data), the Data Custodian is an individual responsible for following the procedures determined by the assigned Privacy Officer.
When a Privacy Officer has not been assigned, the Data Custodian is an individual with responsibility for setting the security classifications for University data, and developing procedures for creating, maintaining, and using University data, consistent with University policy and all applicable state and federal laws.
Data Owner
An Individual with primary authority and accountability for specified information (e.g., a specific business function) or type of data. This individual is responsible for delegating responsibility to appropriate Data Custodians and ensuring the accuracy, integrity, and timeliness of the data.
Data User
Individuals, who in the course of carrying out official University business, may collect, store, transfer or report data consistent with their function at the institution.
Family Educational Rights & Privacy Act
Federal law (P.L. 93-568, 2) as amended in 1974 (with updates). Specifies rights and responsibilities of students and colleges regarding access to student data.
Privacy Officer
The individual responsible for setting the security classifications for a broad type of data (e.g. HIPAA, PCI DSS, FERPA) across the University or set of data (e.g. research set), and developing procedures for creating, maintaining, and using assigned University data, consistent with University policy and all applicable state and federal laws.
University Community Members
University faculty, staff, students, and alumni are generally defined as members of the University community. The General Counsel may designate additional groups as members of the University Community.
University Information
Information collected, manipulated, stored, reported or presented in any format, on any medium, by any unit of the University.

RESPONSIBILITIES

Data Custodian
When a Privacy Officer has been assigned for a type or set of data (e.g. HIPAA, PCI DSS, FERPA, contracted data), the Data Custodian is responsible for following the procedures determined by the assigned Privacy Officer.
When a Privacy Officer has not been assigned, the Data Custodian is responsible for setting the security classifications for University data, and developing procedures for creating, maintaining, and using University data, consistent with University policy and all applicable state and federal laws.
Data Owner
Accountable for specified information (e.g., a specific business function) or type of data. Responsible for delegating responsibility to appropriate Data Custodians and ensuring the accuracy, integrity, and timeliness of the data.
Data User
Responsible for the accuracy of University data that they manage and for following all University policies, procedures, and standards related to the data security classification, as designated by Data Custodians.
Privacy Officer
Responsible for setting the security classifications for a broad type of data (e.g. HIPAA, PCI DSS, FERPA) across the University or set of data (e.g. research set), and developing procedures for creating, maintaining, and using assigned University data, consistent with University policy and all applicable state and federal laws.
University Chief Information Security Officer or Designate
Specifies the information security controls for each level of data security classification. Assists data users in classifying their data that is not currently classified.

RELATED INFORMATION

HISTORY

Effective:
June 2013 - New Policy. 1. Establishes more refined data security classifications, so that data can be accorded the appropriate level of security controls according to the characteristics of the data, with the most sensitive data receiving the highest security. Prior to this policy, there were only two classifications (public and nonpublic). 2. Specifies who is responsible for classifying the data for which they are responsible.

Document Feedback

Did this document successfully answer your questions?

Additional comments: (2000 character limit)

Email Address: (so we can respond to your questions)

© 2013 Regents of the University of Minnesota. All rights reserved.
The University of Minnesota is an equal opportunity educator and employer.
Last modified on September 24, 2013