202: Information Systems – Data Classification and Stewardship Policy
Information Security Policies and Procedures Manual
Section 200: Information Systems Security
This policy applies to all academic, research, and administrative departments and offices at all Oregon State University locations. This policy applies to all University faculty, staff, students, visitors, contractors and affiliates.
This policy governs the confidentiality, integrity, and availability of university data and the responsibilities of institutional units and individuals for that data.
Oregon State University has an established history of sharing data with the many communities of which it is a part. We are also entrusted by our constituencies with data of a private or personal nature. These data are essential to our operation as an institution of higher education and we are obligated to protect them. Additionally, there are State and Federal laws that identify certain types of data that must be treated with care.
This policy establishes a framework to allow us to comply with these mandates and to protect the confidentiality, integrity, and availability of university data.
III. Information Classifications
Protected Information is the most restrictive information classification. There are four types of data that fit within this classification:
- Information of a personal nature that could lead to identity theft or exposure of personal health information if not safeguarded,
- Research data identified as highly sensitive by a funding agency or other research partner,
- Certain financial data, and
- Specific technical information about the mechanisms used to restrict access to, or otherwise secure, data within this classification.
Specific data elements classified as Protected Information are listed in Appendix A.
Access to Protected Information is on a need-to-know basis only and requires prior approval from the designated Records Custodian (see Acceptable Use of University Information Policy). The use or storage of Protected Information, either in paper or electronic form, must follow the Standards of Care for Protected Information.
Unauthorized disclosure of Protected Information must be reported to the Chief Information Security Officer.
Sensitive Information is data that, by their very nature or regulation, are private or confidential and must not be disclosed except to a previously defined set of authorized users.
Some examples of Sensitive Information include data defined as confidential by the Family Educational Rights and Privacy Act (FERPA), employee performance evaluations, confidential donor information, some research data, accusations of misconduct, or any other information that has been identified by the University, its contractors or funding agencies, or Federal or State regulations, as private or confidential and not to be disclosed.
Specific data elements classified as Sensitive Information are listed in Appendix A.
Access to Sensitive Information is on a need-to-know basis only. The use or storage of Sensitive Information, either in paper or electronic form, must follow the Standards of Care for Sensitive Information.
Unauthorized disclosure of Sensitive Information must be reported to the designated Records Custodian.
Unrestricted Information is data intended for general use.
In order to ensure the integrity of Unrestricted Information, the use or storage of that information must follow the Standards of Care for Unrestricted Information.