I. OBJECTIVE & PURPOSE
To educate the University community about the importance of protecting data generated, accessed, transmitted and stored by the University, to identify procedures that should be in place to protect the confidentiality, integrity and availability of University data, and to comply with local and federal regulations regarding privacy and confidentiality of information.
II. STATEMENT OF POLICY
All members of the University community have a responsibility to protect University data from unauthorized generation, access, modification, disclosure, transmission or destruction, and are expected to be familiar with and comply with this policy. Violations of this policy can lead to disciplinary action up to and including dismissal, expulsion, and/or legal action. Any known violations of this policy are to be reported to the University's Compliance Officer and Director of Networking, Systems and Security (NSS).
A. RESPONSIBILITY FOR DATA MANAGEMENT
Data is a critical asset of the University. All members of the University community have a responsibility to protect the confidentiality, integrity, and availability of data generated, accessed, modified, transmitted, stored or used by the University, irrespective of the medium on which the data resides and regardless of format (electronic, paper or other physical form).
Departments are responsible for implementing appropriate managerial, operational, physical, and technical controls for access to, use of, transmission of, and disposal of University data in compliance with this policy.
Data owned, used, created or maintained by the University is classified into the following three categories:
- Public
- Internal Use
- Restricted
Departments should carefully evaluate the appropriate data classification category for their information and ensure compliance with applicable procedures and guidelines.
B. DATA CLASSIFICATIONS
PUBLIC DATA
Public data is information that may or must be open to the general public. It is defined as information with no existing local, national or international legal restrictions on access or usage. Public data, while subject to University disclosure rules, is available to all members of the University community and to all individuals and entities external to the University community.
INTERNAL USE DATA
Internal Use Data is information that must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Use Data is information that is restricted to members of the University community who have a legitimate purpose for accessing such data.
RESTRICTED DATA
Restricted Data is information protected by statutes, regulations, University policies or contractual language.
Restricted Data may be disclosed to individuals on a need-to-know basis only. Disclosure to parties outside the University should be authorized by the General Counsel's Office.
The classifications and examples of each type of data are summarized in table 1.
Table 1: Data Classification Categories

| | Restricted | Internal Use | Public |
|---|---|---|---|
| Definition | Protection of data is required by law or best practices | UNF has best practice (due care) reasons to protect data | Data approved for general access by appropriate UNF |
| Consequences of Exposure | The University's reputation is tarnished by public reports of its failures to protect restricted records of students, employees, clients, or research. Such failure may subject the University to litigation. | Data is disclosed unnecessarily or in an untimely fashion, which causes harm to UNF business interests or to the personal interests of an individual. | Confusion is caused by corrupted information that may be displayed. |

Examples of Specific Data (across the three categories):
- HIPAA protected data
- FERPA protected data
- Research - export controls, EAR, ITAR, safeguarding confidential information
- Faculty promotion, tenure, evaluations
- Aggregate human subjects research data
- Animal research
- Information required to be protected by contract
- Human subjects identifiable research data
- Trade secrets, intellectual property and/or proprietary research
- Attorney/client privileged records
- Payment Card Industry (PCI) data
- University banking records
- Restricted police records (e.g., victim information, juvenile records)
- Computer account passwords
- Employment data
- Supporting documents for UNF business functions
- Proposal records
- Campus promotional material
- Annual reports
- Press statements
- Tuition information
- Course schedules
- University maps
- Job titles
- Job descriptions
- Employee work phone numbers (with special exceptions)
- Employee locations (with special exceptions)
- Employee email addresses (with special exceptions)
III. STATEMENT OF PROCEDURES
The Compliance Officer and Director of Networking, Systems and Security (NSS) are the primary entities charged with developing policy and procedures subordinate to and in support of this policy. They are charged with the promotion of awareness within the University community, as well as responsibility for the creation, maintenance, enforcement and design of training on relevant security standards in support of this policy and other applicable policies.
The Director of NSS will receive and maintain reports of incidents, threats and malfunctions that may have a security impact on the University's information systems, and will receive and maintain records of actions taken or policies and procedures developed in response to such reports. The Director of NSS will assist the Internal Audit Department and the Compliance Officer, as appropriate, in conducting periodic audits to determine University compliance with this policy.
The Director of NSS and the Compliance Officer must be notified in a timely manner if data classified as Restricted is lost, disclosed to unauthorized parties or suspected of being lost or disclosed to unauthorized parties, or if any unauthorized use of the University's information systems has taken place or is suspected of taking place.