Institutional Data Policy
Everyone at Ohio State handles data. Whether it's their personal information, someone else's or valued research, we're often balancing our need for security with our desire to preserve the open, information-sharing mission of our academic culture.
The Institutional Data Policy tries to set that balance. It outlines requirements for protecting institutional data in accordance with legal, regulatory, administrative and contractual requirements; intellectual property and ethical considerations; strategic or proprietary value; and/or operational use.
All institutional data is assigned one of four data classification levels that define the level of protection based on compliance, privacy, sensitivity, operational usage and risk. We have to protect institutional data with the security controls and access authorization mechanisms identified in The Ohio State University’s Information Security Standard and Information Security Control Requirements.
Three reference documents have been developed as “job aids,” to help better understand and implement this important policy:
- Institutional Data Element Classification Assignments. Maps institutional data elements to the appropriate data classification levels.
- Permitted Data Usage By Activity. Identifies which classifications of institutional data are permitted for specific data user activities.
- Permitted Data Usage By Service. Identifies which classifications of institutional data are permitted for specific core or hosted services.
The Institutional Data Policy (IDP) Calculator is now available to provide a better understanding of how singular or combined data elements directly relate to security classification levels. For more information on how to use the IDP Calculator, please refer to the IDP Calculator Job Aid.
What is Institutional Data?
- Institutional data includes, but is not limited to, information in paper, electronic, audio, and visual formats.
- Institutional data is information created, collected, maintained, transmitted or recorded by or for the university to conduct university business.
- It includes: (a) data used for planning, managing, operating, controlling, or auditing university functions, operations, and mission; and (b) data outlined by requirements in the Research Data policy, information created, collected, and maintained in the conduct or reporting of research at or under the authority of Ohio State, as applicable.
- It does NOT include personal data, which is information that is personal in nature and not related to university business.
- All data created, collected, maintained, transmitted, or recorded by university owned devices, media, or systems must be used in accordance with the Responsible Use of University Computing and Network Resources policy
All university data have Data Stewards, designated university officials whose functional areas of responsibility include the creation or origination of institutional data.
FAQ - Frequently Asked Questions
Q. Contacts: Who can I contact with comments, questions, and suggestions?
Submit comments, questions, and suggestions to ITPolicy@osu.edu.
Q. Related Materials: Where can I acquire the Institutional Data Policy and related materials?
- Institutional Data home page is the entry point to the 2014 revised policy, with links to other policies. Short URL: https://go.osu.edu/idp.
- Institutional Data policy is the most updated policy in .pdf format.
- Institutional Data Element Classification Assignments document maps institutional data elements to the appropriate data classification levels.
- Permitted Data Usage By Activity document identifies which classifications of institutional data are permitted for specific data user activities.
- Permitted Data Usage By Service document identifies which classifications of institutional data are permitted for specific core or hosted services.
Q. Changes: What are the substantive changes from the previous (2007) version of the Institutional Data Policy?
Substantive changes from the previous (2007) version of the Institutional Data Policy's Policy section include:
- Restructured and simplified policy for enhanced clarity and readability.
- Clarified existing institutional data definition in regard to research data and data formats.
- Added definition for personal data.
- Updated Data Classifications:
- Changed the name of “Limited Data” to “Internal Data” to better reflect classification description.
- Added an additional classification of “Private Data” to allow for more flexibility in the application of controls for data access, protection and management.
- Integrated data classifications to the Information Security Standard for data security controls.
- Addressed additional areas of data lifecycle management in regard to institutional data, including records management, release and data disposal.
Substantive changes from the previous (2007) version of the Institutional Data Policy's Procedures section include:
- Introduced reference documents:
- Institutional Data Element Classification Assignments maps institutional data elements to the appropriate data classification levels.
- Permitted Data Usage By Activity identifies which classifications of institutional data are permitted for specific data user activities.
- Permitted Data Usage By Service identifies which classifications of institutional data are permitted for specific core or hosted services.
- Updated data roles and responsibilities:
- Replaced Data Trustee role with Institutional Data Classification Committee (IDCC).
- Added Data Manager role to reflect operational and functional management responsibilities at a unit level.
- Clarified responsibilities of each role (and IDCC) and moved to “Responsibilities” section.
- Clarified institutional data training requirement for Restricted Data classification.
- Articulated steps to take for a suspected data exposure or loss.
- Clarified user and university responsibility for Private Data.
- Updated contacts to add additional university offices pertinent to data classification and management.
Q. Data Classifications: While talking about the IDP, why do the people in my organization's IT group use terms like "S3 data" and "S4 data"?
- The Information Security Control Requirements (ISCR) provides detailed implementation specifications for the security controls defined in Ohio State's Information Security Standards (ISS). The ISCR is also linked to Ohio State's Institutional Data Policy (IDP). The control requirements in the ISCR are specified according to the level or institutional data being protected, as defined by the IDP.
- The data classification level is a formal categorization and labeling of data based upon the sensitivity and regulatory privacy requirements for protecting the data. Ohio State's IDP defines four levels of data classfication. The ISCR associates an "S-level" with each IDP classification level: S1 (Public), S2 (Internal), S3 (Private), and S4 (Restricted).
- For more information about data classifications and the Information Security Control Requirements, see "Institutional Data Classifications: Basics".
- For more information about the ISS and ISCR, contact email@example.com
Q. Computer Based Training: When will the Institutional Data Policy training be available on BuckeyeLearn?
Data users are required to complete the training in order to get access to systems or to meet local unit requirements should refer to the Institutional Data Policy Training knowledge base record (go.osu.edu/idp-training) to learn how to self-enroll in the training.
After completing the training, you will be able to:
- Explain your responsibilities for accessing and handling institutional data
- Identify the four classifications of institutional data
- Describe how you are permitted to use each type of institutional data
- Explain what you should do if you suspect the loss, unauthorized access, or exposure of institutional data
The Institutional Data Policy Course includes the Institutional Data Usage and Confidentiality Agreement as part of the final quiz.
Data users who are required to complete the training in order to get access to systems or to meet local unit requirements should refer to the “Institutional Data Policy Training” knowledge base record to learn how to self-enroll in the training.