Data Classification Policy
Purpose
Institutional data supports the mission and operation of Pittsburg State University. It is a vital asset and is owned by the University. Some institutional data will be shared with multiple units of the University, as well as with entities outside the University. Institutional data are an important asset of the University and must be protected from loss of integrity, confidentiality, or availability in compliance with University policy and guidelines, Board of Regents policy, and state and federal laws and regulations.
Objectives
Data Stewards will assess institutional risks and threats to the data for which they are responsible, and accordingly classify its relative sensitivity as Level I (low sensitivity), Level II (moderate sensitivity), or Level III (high sensitivity). Unless otherwise classified, institutional data are Level II. University personnel may not broaden access to institutional data without authorization from the appropriate Data Steward. This limitation applies to all means of copying, replicating, or otherwise disseminating institutional data.
Scope
This policy applies to all University colleges, departments, administrative units, and affiliated organizations. For the purposes of this policy, an affiliated organization is any organization associated with the University (e.g., University Advancement) that uses University information technology resources to create, access, store, or manage University Data to perform its business functions. The policy also applies to any third-party vendor creating, storing, or maintaining University Data per a contractual agreement.
Policy
• Institutional data must be protected from unauthorized modification, destruction, or disclosure. Permission to access institutional data will be granted to all eligible University employees for legitimate university purposes.
• Authorization for access to Level II and Level III institutional data comes from the appropriate Data Steward, and is typically made in conjunction with an acknowledgement or authorization from the requestor's department head, supervisor, or other authority.
• Where access to Level II and Level III institutional data has been authorized, use of such data shall be limited to the purpose for which access to the data was granted.
• University employees must report instances in which institutional data are at risk of unauthorized modification, disclosure, or destruction.
• Data Stewards must ensure that all decisions regarding the collection and use of institutional data are in compliance with the law and with University policy and procedure.
• Data Stewards must ensure that appropriate security practices, consistent with the data handling requirements in this policy, are used to protect institutional data.
• Users will respect the confidentiality and privacy of individuals whose records they access, observe ethical restrictions that apply to the information they access, and abide by applicable laws and policies with respect to accessing, using, or disclosing information.
Related Laws, Regulations, and Policies
The State of Kansas ITEC Information Technology Policy 8000 - Data Administration Program (http://www.da.ks.gov/itec/Documents/ITECITPolicy8000.htm) requires state agencies, including Regents' institutions, to "develop, implement, and maintain an Agency Data Administration Program" that incorporates data policies with appropriate security controls.
