Policies & Regulations
Administration & Finance


Data Classification & Security
Number: 6.0220P
New Policy: Checked
Major Revision of Existing Policy: Not Checked
Minor/Technical Revision of Existing Policy: Not Checked
Reaffirmation of Existing Policy: Not Checked
Repealed Policy: Not Checked

Effective Date: 9/25/2016
Revised Date:
Responsible Division/Department:
Information Technology Services


 
I. OBJECTIVE & PURPOSE


To educate the University community about the importance of protecting data generated, accessed, transmitted and stored by the University, to identify procedures that should be in place to protect the confidentiality, integrity and availability of University data, and to comply with local and federal regulations regarding privacy and confidentiality of information.

II. STATEMENT OF POLICY

All members of the University community have a responsibility to protect University data from unauthorized generation, access, modification, disclosure, transmission or destruction, and are expected to be familiar with and comply with this policy. Violations of this policy can lead to disciplinary action up to and including dismissal, expulsion, and/or legal action. Any known violations of this policy are to be reported to the University's Compliance Officer and Director of Networking, Systems and Security (NSS).

A. RESPONSIBILITY FOR DATA MANAGEMENT

Data is a critical asset of the University. All members of the University community have a responsibility to protect the confidentiality, integrity, and availability of data generated, accessed, modified, transmitted, stored or used by the University, irrespective of the medium on which the data resides and regardless of format (electronic, paper or other physical form).

Departments are responsible for implementing appropriate managerial, operational, physical, and technical controls for access to, use of, transmission of, and disposal of University data in compliance with this policy.

Data owned, used, created or maintained by the University is classified into the following three categories:

• Public
• Internal Use
• Restricted

Departments should carefully evaluate the appropriate data classification category for their information and ensure compliance with applicable procedures and guidelines.

B. DATA CLASSIFICATIONS

PUBLIC DATA

Public data is information that may or must be open to the general public. It is defined as information with no existing local, national or international legal restrictions on access or usage. Public data, while subject to University disclosure rules, is available to all members of the University community and to all individuals and entities external to the University community.

INTERNAL USE DATA

Internal Use Data is information that must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Use Data is information that is restricted to members of the University community who have a legitimate purpose for accessing such data.

RESTRICTED DATA

Restricted Data is information protected by statutes, regulations, University policies or contractual language.

Restricted Data may be disclosed to individuals on a need-to-know basis only. Disclosure to parties outside the University should be authorized by the General Counsel’s Office.

The classifications and examples of each type of data are summarized in Table 1.


 

Table 1: Data Classification Categories

Class: Restricted, Internal Use, Public

Legal Requirements
• Restricted: Protection of data is required by law or best practices
• Internal Use: UNF has best practice (due care) reasons to protect data
• Public: Data approved for general access by appropriate UNF authority

Risk Level
• Restricted: High
• Internal Use: Medium
• Public: Low

Consequences of Exposure
• Restricted: The University's reputation is tarnished by public reports of its failures to protect restricted records of students, employees, clients, or research. Such failure may subject the University to litigation.
• Internal Use: Data is disclosed unnecessarily or in an untimely fashion, which causes harm to UNF business interests or to the personal interests of an individual.
• Public: Confusion is caused by corrupted information that may be displayed.

Examples of Specific Data

Restricted
• HIPAA protected data
• FERPA protected data
• Research - export controls, EAR, ITAR, safeguarding confidential information
• Faculty promotion, tenure, evaluations
• Aggregate human subjects research data
• Animal research
• Information required to be protected by contract
• Human subjects identifiable research data
• Trade secrets, intellectual property and/or proprietary research
• Attorney/client privileged records
• Payment Card Industry (PCI) data
• University banking records
• Restricted police records (e.g., victim information, juvenile records)
• Computer account passwords
• Gramm-Leach-Bliley

Internal Use
• Specific technical security measures
• Employment data
• Supporting documents for UNF business functions
• Proposal records

Public
• Campus promotional material
• Annual reports
• Press statements
• Tuition information
• Course schedules
• University maps
• Job titles
• Job descriptions
• Employee work phone numbers (with special exceptions)
• Employee locations (with special exceptions)
• Employee email addresses (with special exceptions)


 
III. STATEMENT OF PROCEDURES

The Compliance Officer and Director of Networking, Systems and Security (NSS) are the primary entities charged with developing policy and procedures subordinate to and in support of this policy. They are charged with the promotion of awareness within the University community, as well as responsibility for the creation, maintenance, enforcement and design of training on relevant security standards in support of this policy and other applicable policies.

The Director of NSS will receive and maintain reports of incidents, threats and malfunctions that may have a security impact on the University's information systems, and will receive and maintain records of actions taken or policies and procedures developed in response to such reports. The Director of NSS will assist the Internal Audit Department and the Compliance Officer, as appropriate, in conducting periodic audits to determine University compliance with this policy.

The Director of NSS and the Compliance Officer must be notified in a timely manner if data classified as Restricted is lost, disclosed to unauthorized parties or suspected of being lost or disclosed to unauthorized parties, or if any unauthorized use of the University's information systems has taken place or is suspected of taking place.