The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

1. Purpose

   The purpose of this standard is to define the data administration and classification responsibilities and requirements used by Old Dominion University.

2. Definitions

   Data Compliance Owners - University employees (typically at the level of Unit Leader) who oversee data management functions related to the capture, maintenance, and dissemination of data for a particular operational area. They are responsible for decisions about the usage of institutional data under their purview. Data compliance owners understand the compliance requirements for their data, designate the compliance level of their data, and approve access to their data. University Data Compliance Owners oversee compliance for data that is shared or leveraged across the University, such as HR, Finance, Financial Aid, and Student FERPA data. Departmental Data Compliance Owners oversee the data that is specific to the departmental application or system that is not overseen by one or more of the University Data Compliance Owners.

   System Compliance Owners - Manager or departmental head responsible for operation and maintenance of a University IT system or overseeing hosted systems under their purview. System Compliance Owners are responsible for the overall compliance and security of their system.

   Data Management Group (DMG) - The group is comprised of representatives of Data Compliance Owners and technical leads at the University who are responsible for the review and operational effectiveness of data management policies and procedures.

   Data Management Executive Committee (DMEC) - A senior level team comprised of representatives from the executive level and the Data Trustee level which establishes overall policies for management and access to the institutional data of the University.

   Data Trustee - Senior University officials (typically at the level of Associate or Assistant Vice President) who have planning and policy-level responsibilities for university data and who assign accountability for data management. Data Trustees typically report to Vice Presidents who have oversight authority for compliance within their reporting structure.

   Data Users - Individuals and organizations that access institutional data and Information in order to perform their assigned duties or to fulfill their role in the University community.

   Institutional Data - Recorded information that documents a university business-related transaction or activity by or with any appointed board member, officer, or employee of the University. Regardless of physical form, characteristic, or source, the recorded information is a university record if it is produced, collected, received, or retained in pursuance of law or in connection with the transaction of university business. The medium upon which such information is recorded has no bearing on the determination of whether the recording is a University record. University records include but are not limited to personnel records, student records, academic records, financial records, patient records, and administrative records. Record formats/media include but are not limited email, electronic databases, electronic files, paper, audio, video, and images.

   Third Party Email System and Messaging Services - Any means or system for transmitting messages electronically (as between computers on a network) other than the University's official email or messaging systems.

3. Standards Statement

   Responsibility for Data Administration

   All institutional data is owned by Old Dominion University. As such, all members of the University community have the obligation to appropriately secure and protect the asset in all formats and in all locations. Roles and responsibilities for protecting and classifying the institutional data asset are defined in supporting IT Standards.

   Data Classification Levels

   The data classification levels are defined as follows and are listed in order from the most sensitive to the least sensitive:

   • Class 1 Restricted
     • Data classified as Class 1 (Restricted) may be subject to disclosure laws and warrant careful management and protection to ensure its integrity, appropriate access, and availability. This information must be guarded from disclosure. Unauthorized exposure of this information could contribute to identity theft, financial fraud, and violate state and/or federal laws. Unauthorized disclosure of this data could adversely affect the University, or the interests of individuals and organizations associated with the University. Systems containing restricted data must be approved by the Information Security Officer. Restricted data includes Social Security Number (SSN), Drivers License number, Federal ID, Health Insurance, Medical Record Number, Payment Card Holder Data, and Medical Information (PHI), when combined with identifying information.
     • Restricted data and systems should utilize measures such as encryption, two-factor authentication, or other added protections commensurate with the level of sensitivity and the compensating controls that are available.
     • If a file which would otherwise be considered confidential contains any element of restricted data, the entire file is considered to be restricted information..
   • Class 2 Confidential, Moderate Sensitivity
     • Data classified as Class 2 (Confidential, moderately sensitive) includes data that is not explicitly defined as restricted data but that is regulated and requires access control and contract language for hosted solutions. This data is not intended to be made publicly available or shared without authorization. Class 2 data is distributed on a need-to-know basis between members of the University staff, IT systems, and specific third parties when authorized. Unauthorized exposure of this information could violate state and federal laws and/or can adversely affect the University as a whole or in part, or the interests of individuals associated with the University. Class 2 data may only be disclosed to a third party with the permission of the Data Compliance Owner.
     • If a file which would otherwise be considered less sensitive but contains an element that are Confidential, Moderately Sensitive data, the entire file is considered to be Confidential, Moderately Sensitive information.
   • Class 3 Confidential, Low Sensitivity
     • Data classified as Class 3 (Confidential, Low Sensitivity) includes data that is not explicitly defined as Class 1 or Class 2 data but that is regulated while posing a lower risk to the individual and to the University, such as student email address. This data may require permission to share and contract language for hosted solutions. This data is not intended to be shared without authorization. Class 3 data is distributed on a need-to-know basis between members of the University staff, IT systems, and specific third parties when authorized. Unauthorized exposure of this information could violate state and federal laws and/or can adversely affect the University as a whole or in part, or the interests of individuals associated with the University. Class 3 data may only be disclosed to a third party with the permission of the Data Compliance Owner.
     • If a file which would otherwise be considered less sensitive but contains an element that are Confidential, Low Sensitivity, then the entire file is considered to be low sensitivity confidential information.
   • Class 4 Confidential, non-regulated
     • Data classified as Class 4 (Confidential, non-regulated) includes data that is not explicitly defined as Class 1 through 3, and that is not regulated and poses a lower risk to the individual and to the University. This data may require permission to share and contract language for hosted solutions. This data is not intended to be shared without authorization. Class 4 data is distributed on a need-to-know basis between members of the University staff, IT systems, and specific third parties when authorized. Unauthorized exposure of this information could adversely affect the University as a whole or in part or the interests of individuals associated with the University. Class 4 data may only be disclosed to a third party with the permission of the Data Compliance Owner.
     • If a file which would otherwise be considered Class 4 but contains an element that are Class 1 through 3, the entire file may be considered to be the classification of the most sensitive data.
   • Class 5 Public
     • Data classified as public includes all data that are published and broadly available, including student directory information as defined by the Student Records Policy. The types of data classified as public should be as broad as possible. Anyone may access public data. Care should be taken to use all University information appropriately and to respect all applicable laws. Information that is subject to copyright must only be distributed with the permission of the copyright holder.

   Data Access

   Data Compliance Owners will establish standard rules, guidelines, and profiles for data access, and decide about individual requests to access data in compliance with local, state, and federal laws and regulations.

   Access to University data should be based on the business needs of the organization and should enhance the ability of the University to achieve its mission. Employees should have access to the data needed to perform their responsibilities, without regard to arbitrary barriers. Where necessary, Data Compliance Owners may specify some data as restricted or confidential, regardless of how it is made available. This data may only be used by those whose positions requiring such access and for the purpose authorized. When data is designated as restricted or confidential, the Data Compliance Owner will cite the specific legal, regulatory, or other references and/or the descriptions of the users who are typically given access to the data and under what conditions the access is granted.

   Access Approval and Appeal Process

   Any Data User may request that a Data Compliance Owner review the restrictions placed on a data element or data view or review a decision to deny access to restricted or confidential data. If a request is denied or not addressed by a Data Compliance Owner, the requester may appeal the Data Compliance Owner's decision by forwarding the request to the Data Management Group (DMG). The DMG will review the request, receive input from the Data Compliance Owner and the requester, and will render a decision regarding the appeal.

   When necessary, the Data Management Executive Committee (DMEC) will make the final determination on data restrictions and requested access rights to institutional data.

   Data Classification, Transmittal and Storage

   • Class 1 Restricted Data
     Industry encryption is required when transmitting restricted data through a network. Sending email to or from a third-party email or messaging service is prohibited for transmitting restricted data, unless an encryption method and storage option are used that have been approved by the Information Security Officer. Restricted numbers may be masked by an approved masking technology instead of encryption. For storage, industry-standard encryption is required if data is not stored on secured servers in the University's administrative network. Third party processing or storage services are prohibited from receiving or storing restricted data unless approved by the Data Compliance Owner and Information Security Officer.
   • Class 2 through 4 Confidential Data
     Industry encryption is recommended when transmitting confidential data through a network. Internal email services may be used between authorized employees to conduct University business. Sending email to or from a third-party email or messaging service is discouraged for transmitting confidential data. For storage, industry-standard encryption is not required for storage. Third party processing or storage services are appropriate for receiving or storing confidential data with Data Compliance Owner approval.
   • Class 5 Public Data
     No encryption is required for public data. Care should still be taken to protect the integrity and availability of public information.

4. Procedures, Guidelines & Other Related Information

   Federal and State Law

   University Policy 3504 - Data Administration and Classification Policy

   University Policy 3505 - Security Policy

   University Policy 3700 - Records Management

   University Policy 5350 - Research and Scholarly Digital Data Management Policy

   IT Standard 01.2.0 - IT Roles and Responsibilities

   IT Standard 08.1.0 - Risk Assessment

5. History

   Date	Responsible Party	Action
   October 2008	CIO/ITAC	Created
   October 2009	CIO/ITAC	Reaffirmed
   October 2010	CIO/ITAC	Reaffirmed
   October 2011	CIO/ITAC	Reaffirmed
   October 2012	CIO/ITAC	Reaffirmed
   December 2012	IT Policy Office	Minor rewording for clarity Organizational revision Numbering revision
   June 2015	IT Policy Office	Data administration requirements and responsibilities defined. Clarifying language on data classification levels and use; DMAG review
   August 2015	ITAC/CIO	Revision affirmed
   July 2018	IT Policy Office	Definitions and links checked
   November 2021	ITAC/CIO	Revised Classifications to align with Shared Vendor Assessment Classes, revised definition of PII