Institutional Data Policy

Everyone at Ohio State handles data. Whether it's our own personal information, someone else's, or valued research, we're often balancing our need for security with our desire to preserve the open, information-sharing mission of our academic culture.

The Institutional Data Policy tries to set that balance. It outlines requirements for protecting institutional data in accordance with legal, regulatory, administrative and contractual requirements; intellectual property and ethical considerations; strategic or proprietary value; and/or operational use.

All institutional data is assigned one of four data classification levels that define the level of protection based on compliance, privacy, sensitivity, operational usage and risk. We have to protect institutional data with the security controls and access authorization mechanisms identified in The Ohio State University’s Information Security Standard and Information Security Control Requirements.

Three reference documents have been developed as “job aids,” to help better understand and implement this important policy:

The Institutional Data Policy (IDP) Calculator is now available to provide a better understanding of how singular or combined data elements directly relate to security classification levels. For more information on how to use the IDP Calculator, please refer to the IDP Calculator Job Aid.

What is Institutional Data?

  • Institutional data includes, but is not limited to, information in paper, electronic, audio, and visual formats.
  • Institutional data is information created, collected, maintained, transmitted or recorded by or for the university to conduct university business.
  • It includes: (a) data used for planning, managing, operating, controlling, or auditing university functions, operations, and mission; and (b) data outlined by requirements in the Research Data policy, information created, collected, and maintained in the conduct or reporting of research at or under the authority of Ohio State, as applicable.
  • It does NOT include personal data, which is information that is personal in nature and not related to university business.
  • All data created, collected, maintained, transmitted, or recorded by university owned devices, media, or systems must be used in accordance with the Responsible Use of University Computing and Network Resources policy.

All university data have Data Stewards, designated university officials whose functional areas of responsibility include the creation or origination of institutional data.

FAQ - Frequently Asked Questions

Q. Contacts:  Who can I contact with comments, questions, and suggestions?

Submit comments, questions, and suggestions to ITPolicy@osu.edu.
 

Q. Related Materials:  Where can I acquire the Institutional Data policy and related materials?

Q. Changes:  What are the substantive changes from the previous (2007) version of the Institutional Data Policy?

Substantive changes from the previous (2007) version of the Institutional Data policy’s Policy section include:

  • Restructured and simplified policy for enhanced clarity and readability.
  • Clarified existing institutional data definition in regard to research data and data formats.
  • Added definition for personal data.
  • Updated Data Classifications:
    • Changed the name of “Limited Data” to “Internal Data” to better reflect classification description.
    • Added an additional classification of “Private Data” to allow for more flexibility in the application of controls for data access, protection and management.
  • Integrated data classifications to the Information Security Standard for data security controls.
  • Addressed additional areas of data lifecycle management in regard to institutional data, including records management, release and data disposal.

Substantive changes from the previous (2007) version of the Institutional Data policy’s Procedures section include:

  • Introduced reference documents:
    • Institutional Data Element Classification Assignments maps institutional data elements to the appropriate data classification levels.
    • Permitted Data Usage By Activity identifies which classifications of institutional data are permitted for specific data user activities.
    • Permitted Data Usage By Service identifies which classifications of institutional data are permitted for specific core or hosted services.
  • Updated data roles and responsibilities:
    • Replaced Data Trustee role with Institutional Data Classification Committee (IDCC).
    • Added Data Manager role to reflect operational and functional management responsibilities at a unit level.
    • Clarified responsibilities of each role (and IDCC) and moved to “Responsibilities” section.
  • Clarified institutional data training requirement for Restricted Data classification.
  • Articulated steps to take for a suspected data exposure or loss.
  • Clarified user and university responsibility for Private Data.
  • Updated contacts to add additional university offices pertinent to data classification and management.
     

Q.  Data Classifications:  While talking about the IDP, why do the people in my organization’s IT group use terms like “S3 data” and “S4 data”?

  • The Information Security Control Requirements (ISCR) provides detailed implementation specifications for the security controls defined in Ohio State’s Information Security Standard (ISS). The ISCR is also linked to Ohio State’s Institutional Data Policy (IDP). The control requirements in the ISCR are specified according to the level of institutional data being protected, as defined by the IDP.
  • The data classification level is a formal categorization and labeling of data based upon the sensitivity and regulatory privacy requirements for protecting the data. Ohio State’s IDP defines four levels of data classification. The ISCR associates an “S-level” with each IDP classification level: S1 (Public), S2 (Internal), S3 (Private), and S4 (Restricted).

Q.  Computer Based Training:  When will the Institutional Data policy training be available on BuckeyeLearn?

Data users who are required to complete the training in order to get access to systems or to meet local unit requirements should refer to the “Institutional Data Policy Training” knowledge base record to learn how to self-enroll in the training.

After completing the training, you will be able to:

  • Explain your responsibilities for accessing and handling institutional data
  • Identify the four classifications of institutional data
  • Describe how you are permitted to use each type of institutional data
  • Explain what you should do if you suspect the loss, unauthorized access, or exposure of institutional data

The Institutional Data Policy Course includes the Institutional Data Usage and Confidentiality Agreement as part of the final quiz.
