The University of Iowa defines “institutional data” as any information that “constitutes an official record” or “has institutional value.”
That’s right. Every test grade, every medical chart entry, every research finding, every employment record, etc., is an asset demanding some degree of protection. Improperly sharing any bit of this data—intentionally or not—can breach trust, privacy, policy, or law.
Iowa’s Institutional Data Policy and data classification guidelines can help you understand the data you can access and your responsibilities for safeguarding it.
What do I really need to know about institutional data?
Most people who work at the university have access to some form of institutional data. You’re responsible for knowing what sort of data you work with the kind of protection it needs.
Generally, you should only access data you need for your work. Especially sensitive data, including student and patient records, needs special care.
How is institutional data classified?
The university classifies data at four levels:
- Critical: Classification level for the most sensitive data, where inappropriate handling could cause severe harm to an individual or the university. Examples include patient records, Social Security or credit card numbers, investigative reports, and regulated information.
- Restricted: Data that could result in significant harm if mishandled. Examples include student transcripts, student financial aid records, and research data from identifiable human subjects.
- University-internal: Data that could result in limited harm if mishandled. Examples include financial reports, departmental memos or committee minutes, and research data from de-identified human subjects.
- Public: Data that poses little or no risk of harm if disclosed. Examples include info posted on public websites or in newsletters, as well as information subject to public records requests.
Access to critical and restricted data should be granted only on a need-to-know basis. Access to university-internal data can be granted to employees or others doing university business. Access to public data is open to anyone.
What factors affect how data is classified?
Three factors determine classification levels:
- Confidentiality: Privacy, which determines which people under what conditions can access the data
- Integrity: Trustworthiness, which affects how data is modified, maintained, or restored
- Availability: Importance to university business, which determines whether the data must be readily accessible
Data trustees assess institutional risk for the data for which they’re responsible. They consider all three factors, rating each as low, medium, high, or very high.
Any one of these factors can influence how they ultimately classify a type of data. Critical data, for example, can be especially private, especially vulnerable to error, especially important to university business, or all the above.
What are some working examples of university data and their classification?
Faculty grade books: Project or exam grades are moderately private—generally between students and instructors, but not rising to the privacy level of official transcripts. Likewise, they merit medium/moderate scores for integrity and availability. Thus overall classification for gradebooks is university-internal.
Student records: Complete student records, on the other hand, earn restricted classification. They may include disciplinary findings, Social Security numbers, or other sensitive info, and they’re protected by federal law. While student records merit medium scores for integrity and availability, the privacy factor earns them a higher classification.
Protected health information: Patient-care records are very private. They’re also very vulnerable to error, as mistakes could affect treatment. Finally, they always must be available to health care providers. These factors earn patient data a classification of critical.
Find more info about these and other examples in the university’s data classification guidelines.
Why does all this matter?
In part, it’s a matter of law—much university data is subject to federal laws like FERPA and HIPAA. In other cases, the university is contractually obligated to secure data, or has a competitive interest in protecting intellectual property.
Fundamentally, however, the university has a responsibility to individual students, employees, patients, and others whose lives it touches.
Each of us generates an ever-expanding digital footprint made up of data that reveals who we are. In the wrong hands, this data can be used against us.
That’s why university policy and processes take data privacy seriously—and why you should, too.