Mines’ Data Classifications & Roles Definitions
Responsible Administrative Unit: Information & Technology Solutions
Contact: Monique Sendze email@example.com
Colorado School of Mines’ (“Mines”, “the School”, or “the Institution”) institutional data must be managed and protected because it is a critical and valuable asset to the school and its mission. The purpose of this document is to define data types and roles and responsibilities of individuals who have positions that require access to administrative data.
All members of the Mines’ community, including all faculty, staff, and third-party agents of the institution who work with or use data in any manner, must comply with all applicable federal, state, and privacy laws, and other applicable University policies, procedures, standards, contracts, and licenses. Mines’ employees and their supervisors are responsible for ascertaining, understanding, and complying with all laws, rules, policies, procedures, standards, contracts, and licenses which apply to their own and their subordinates’ specific use of data. Data covered by this document include all of the following regardless of the format of the data or where or how it is housed:
- All data created, collected, maintained, recorded or managed by the institution, its staff, and agents working on its behalf.
- All data used for planning, managing, operating, controlling, or auditing institutional functions; especially data used by multiple units of the school; and data used for institutional reporting.
- All operational data regardless of its source (e.g. extracts or feeds from or to the institution’s enterprise systems; shadow systems whether independently created by institutional units or assembled from enterprise systems extracts or both.)
- All data which contains Personal Data.
- All data that contains proprietary information and/or trade secrets.
Institutional data can be categorized based on content or usage as Administrative, Academic, or Research data. Some data can be categorized into more than one type based on the current usage of the data or can overlap in multiple categories. Typically, data are collected and stored to support a specific activity so will have a “primary” type but may be useful for other purposes. For example, administrative data may be useful in certain research studies and academic data may be aggregated and studied for institutional reporting. Data of any type can be classified as public, restricted, or confidential as described in the “Data Protection Classification” section of this document.
Administrative data are collected and used principally to manage and conduct the business operations of the School. Examples of administrative data include:
- Budget, purchasing and accounting data
- Student Financial Aid data
- Library transaction data
- Employee information and payroll data
- Campus police reports
Academic data consist principally of elements related to a student’s academic program and progress. Examples of academic data include:
- Student grades, transcripts, and assessment data
- Course materials and syllabi
- Degree and major descriptions and requirements
- Enrollment data and class rosters
Research Data are used to conduct research investigations and validate research findings in the scientific community. Research data may be public, restricted or confidential. Examples of research data include:
- Field data
- Processed data
- Modeling and simulation data
- Data visualizations
- Instrument data
- Human subject data
DATA PROTECTION CLASSIFICATION
Colorado School of Mines’ institutional data are classified according to their criticality, confidentiality, and the risk of harm that would be caused by unauthorized, inadvertent, or deliberate disclosure, alteration, or destruction. Factors considered in data classification include legal compliance requirements, professional standards, contractual or licensing agreements, ethical considerations, strategic or proprietary value, and “prudent stewardship” of this asset.
Institutional data will be consistently protected throughout its lifecycle in a manner commensurate with its classification regardless of where it resides, the form it takes, the technology or methods used to manage it, or the purpose it serves.
The classification system for institutional data is listed below, representing the increasing risk of impact if the data are mishandled:
Public data have no access restrictions and are available to the general public. Examples of public data include:
- High level enrollment statistics
- The Undergraduate and Graduate Bulletins
- The Current Funds Budget
- Financial statements
- Press releases
- Posted advertisements
- Some research data
Restricted data are data that are typically not protected by law or regulation but must be guarded due to proprietary, ethical, or general privacy considerations, and for which unauthorized disclosure, alteration, or destruction would cause perceivable damage to the school. Unless formally classified otherwise, all institutional data are classified as restricted. Examples of restricted data include:
- Some purchasing data
- Information covered by non-disclosure agreements
- Operational procedures which are either proprietary to Mines or which could jeopardize personal or public safety if disclosed
- Some research data
While all data which is protected by federal, state, or privacy laws, regulations, or rules or covered under a contractual or licensing agreement with the school are considered Confidential Data, any data which would cause significant damage to the school or to one of its constituents if breached, disclosed, modified, or destroyed without specific authorization, is also Confidential Data. Personal Data is considered confidential. The highest level of security and controls must be applied to protect Confidential Data. Examples of Confidential Data include but are not limited to:
- Education records as governed by the Mines’ FERPA policy
- Individuals’ financial aid data and tax data
- Library user records; any record or other information that identifies a person as having requested or obtained specific materials or service or as otherwise having used the library
- Usernames and password combinations
- Social security numbers
- Credit card and financial institution account numbers and other personally identifiable information
- Sensitive information; information about a person including religious or philosophical beliefs, race, ethnicity, political opinions or trade union membership, sexual life & orientation, genetic or biometric information, health information, and criminal convictions.
- Emergency and routine internal procedures to protect the public health and welfare
- Some research data
Collections of institutional data will be protected at the highest level required by any individual element in the collection.
Personal Data is information that can identify a person, directly or indirectly, by an identifier. Directly identifiable data includes but is not limited to: name, address, personal identifier such as social security number, campus-wide ID, biometric record, official state or government issued license or ID card, passport number, photo or video, phone number, and credit card information. Indirectly identifiable data includes but is not limited to: date of birth, birth place, mother’s maiden name, location data, online identifiers, as well as combinations of data:
- One or more physical, physiological, genetic, mental, economic, cultural, or social identifier
- Username or email plus password or security questions/answers
- Gender, zip code, and date of birth
Classified and Export Controlled
Data for some research projects may be classified or be export controlled by the government due to the nature of the research or data. These data must, at a minimum, be treated as confidential. In addition, access to and use of any such data must comply with all appropriate requirements specified by the U.S. government.
ROLES & RESPONSIBILITIES
Certain positions on campus have specific roles with regard to institutional data. Individuals in these positions are expected to understand and fulfill the responsibilities associated with these roles. The table below defines these positions. Data classifications are assigned by the data steward and reviewed by the data sponsor. These classifications and review are NOT intended to address data items, but rather capture campus practice by broad data categories. These categories will be reviewed bi-annually with updates appearing in the bulleted lists shown in the chart below.
| Role | Definition | Positions |
|---|---|---|
| Data Sponsor | School officer with management and policy responsibility for a broad segment of institutional data. | Provost; VPFA; VPRTT; VPSL; VPIA |
| Data Steward | School official with direct operational responsibility for a broad segment of institutional data. | Registrar; Controller; Financial Aid Director; AVP for Human Resources; Dir. Health Center; Library Director; Museum Director |
| Data Custodian | Housing, keeping the data, and managing the resources which enable its collection, management and controlled access (e.g., institutional data archives vault, institutional data paper or other media collections, data computer system(s), server(s), and supporting infrastructure that stores or processes institutional data). | Various CCIT Staff (Application Administrators; DBAs; Banner Specialists; System & Server Admins; Operations Staff); Data Management Specialists; Non CCIT Application Administrators; Department Heads & Admin Staff; Library Staff; Museum Staff; Faculty |
| Data User | Any individual or unit in possession of institutional data in support of the Institution’s mission. | Most staff and faculty throughout institution; students as appropriate |
| Certifying Authority | Official authorized to certify the appropriateness and accuracy of institutional data and to release institutional data for publication or other purpose that furthers the school’s mission. | Dir. Institutional Research; Data Sponsors and Stewards |
REVIEW AND CYCLE HISTORY
Issued: January, 2014