Institutional Data Policy

Everyone at Ohio State handles data. Whether it's their personal information, someone else's or valued research, we're often balancing our need for security with our desire to preserve the open, information-sharing mission of our academic culture. The Institutional Data Policy (IDP) outlines requirements for protecting institutional data in accordance with legal, regulatory, administrative and contractual requirements; intellectual property and ethical considerations; strategic or proprietary value; and/or operational use. All institutional data is assigned one of four data classifications and the university’s Information Security Standard and Information Security Control Requirements define the security and privacy controls required to protect it. To help understand institutional data, its use, and how to protect it, everyone must take training or awareness based on the type of data they can access.

What is Institutional Data?

Ohio State institutional data is information created, collected, maintained, transmitted, or recorded by, or for, the university to conduct university operations. It includes (a) research data and (b) data used for planning, managing, operating, controlling, or auditing university functions, operations, and mission, but does not include personally created data. Institutional data includes, but is not limited to, information in paper, electronic, audio, and visual formats.

The university’s institutional data are significant assets that must be properly managed and protected by all members of the university community. The Institutional Data Policy (IDP) establishes the need to protect institutional data. It goes further to require that all institutional data are assigned one of four data classification levels based on legal, regulatory, university, and contractual requirements; intellectual property and ethical considerations; strategic or proprietary value; operational use; and/or privacy.

Three reference documents have been developed as “job aids,” to help better understand and implement this important policy:

| Approved Solution | Data Classification | Regulation | File Encryption/ Regulatory Compliance | Share Externally | Hosting | Vendor | Additional Information |
|---|---|---|---|---|---|---|---|
| BuckeyeBox | S4 - Restricted | Gramm-Leach-Bliley Act (GLBA); Ohio Revised Code 1347.12 | No | No | Cloud | Box | None |
| BuckeyeMail | S4 - Restricted | Other IDs: Med Center Badge ID | Yes | No | Cloud | Microsoft | When acting on behalf of the university |
| CarmenCanvas | S3 - Private | None | No | No | Cloud | Instructure | None |
| CarmenZoom | S3 - Private | None | No | No | Cloud | Zoom | None |
| Central Log Management | S4 - Restricted | None | No | No | On Premise | Splunk | None |
| Cloud Storage: Others | S4 - Restricted | Export Control Policy | Yes | No | Cloud | N/A | Permitted as specified contractually or in the Technology Control Plan |
| Docusign | S4 - Restricted | Ohio Revised Code 1347.12 | Yes | No | Cloud | Docusign | |
| eFax | S4 - Restricted | Payment Card Industry (PCI) Security Standards (See "Additional Information") | No | No | On Premise | Right-Fax | PCI: Requires specific approval from the Office of the Treasurer |
| Enterprise Document Management (EDM) | S3 - Private | Other IDs: Med Center Badge ID | No | No | On Premise | OnBase | None |

The IDP Calculator is now available to provide a better understanding of how singular or combined data elements directly relate to security classification levels. For more information on how to use the IDP Calculator, please refer to the IDP Calculator Job Aid.

S-Level Data Classifications

S-level: a security level which links an institutional data classification with a level of effort to protect the institutional data. Four S-levels are defined:  S1, S2, S3, and S4.

  • S1: Public Institutional Data
  • S2: Internal Institutional Data
  • S3: Private Institutional Data
  • S4: Restricted Institutional Data

Protecting Institutional Data

Everyone at Ohio State interacts with institutional data and has a responsibility to be a caretaker of institutional data. Whether it's their personal information, someone else's data, valued research, or even incidentally, we're often balancing our need for security with the need to preserve the open, information-sharing mission of our academic culture. To protect the reputation of the university as a leader in higher education, research, business, and as a medical provider, everyone must understand how institutional data is classified and what is the authorized and appropriate use based on the classification.

Training and Awareness

The university assigns one of four data classifications that define the level of protection based on compliance, privacy, sensitivity, operational use, and risk. The university’s Information Security Standard and Information Security Control Requirements provide guidance to protect institutional data based on the classification level.

To help everyone understand these classifications and how to properly secure institutional data, three educational methods have been developed. The IDP requires everyone take only one of these based on the type of data they access. The educational options and respective timelines follow:

If you have access to PHI data:

  • You must take training labelled “HIPAA and Institutional Data Compliance”
  • You can find this in BuckeyeLearn
  • After completion you will take an assessment and will need to agree to the “OSU Acceptance of Compliance” and the "OSU Institutional Data Acceptance”

NOTE: Medical Center employees must take the HIPAA and Institutional Data Compliance training by June 30 of each year. All others taking this training must complete it between February 1 and April 29. If you take this course and sign the agreements, you do not need to take “Institutional Data Policy” training or the “IDP awareness Activity”.

If you have access to other Restricted (S4)/non-PHI data:

  • You must take the training labelled “Institutional Data Policy”
  • You will take IDP Training through BuckeyeLearn.
  • After completion you will sign the Institutional Data Usage and Confidentiality Agreement

NOTE: This Training is open from February 1 through April 29. If you complete this course and sign the agreement you do not need to take the “IDP Awareness” activity.

If you do not have access to Restricted (S4) data:

  • You must take the IDP Awareness activity which is available on Cybersecurity for You.

In the educational method you are required to complete, you will learn about useful resources that help you understand your responsibilities, how to securely handle institutional data, and how to use the Institutional Data Policy (IDP) Calculator.

FAQ - Frequently Asked Questions

What is Institutional Data?

  • Institutional data includes, but is not limited to, information in paper, electronic, audio, and visual formats.
  • Institutional data is information created, collected, maintained, transmitted or recorded by or for the university to conduct university business.
  • It includes: (a) data used for planning, managing, operating, controlling, or auditing university functions, operations, and mission; and (b) data outlined by requirements in the Research Data policy, information created, collected, and maintained in the conduct or reporting of research at or under the authority of Ohio State, as applicable.
  • It does NOT include personal data, which is information that is personal in nature and not related to university business.
  • All data created, collected, maintained, transmitted, or recorded by university owned devices, media, or systems must be used in accordance with the Responsible Use of University Computing and Network Resources policy.

 

What is Restricted (S4) data?

Institutional data that requires the highest level of protection due to legal, regulatory, administrative, contractual, rule, or policy requirements.

 

Who is required to take this?

The Institutional Data Policy states that, based on data access, training or awareness is required for all faculty, staff, students, student employees, contractors, volunteers, visitors, sponsored guests of units, and affiliated entities who are acting on behalf of the university.

 

My job doesn’t require I access institutional data. Do I need to take this?

Yes. The Institutional Data Policy states that everyone the policy applies to is a caretaker of institutional data. 

 

Do I need to take all three?

No. If you have access to HIPAA data, you only need to take the HIPAA training. If you do not have access to HIPAA data but you do have access to other Restricted (S4) data you only need to take IDP Training. If you do not have access to any Restricted (S4) data you need to take Institutional Data Policy Awareness.

 

How much time should I plan to complete?

Both the IDP training and HIPAA training take approximately 45 – 60 minutes.

Institutional Data Policy Awareness takes approximately 10 minutes.

 

What happens if I do not take this by the April 29 deadline?

IDP Training and Institutional Data Policy Awareness are due by the end of April. Reminders will be sent to you and your manager in May and will be reported to your senior management at the beginning of June. Access to systems may also be impacted.

 

Do I need to complete the “HIPAA and Institutional Data Compliance" training by April?

Medical Center employees are required to complete "HIPAA and Institutional Data Compliance" training by June. If you are not a Medical Center employee but you take this training, you must complete it during the February 1 - April 29 window. 

 

What if I cannot access IDP Awareness on C4U?

IDP Awareness is also available on BuckeyeLearn.

 

Can my department require that I take higher level training even though I do not access it?

Yes.  If you have questions regarding training assigned to you, please contact your manager.

 

Who can I contact with comments, questions, and suggestions?

Start with your manager. If you still have questions, please submit them to IDP-Support@osu.edu.

 

I started recently and took this before the window opened. Do I need to take it again?

Yes. However, the IDP offers a test-out option. If you feel you know the topic go ahead and take the test-out. If you do not pass, you will need to complete the course.