University Information Security and Privacy Office

D. Data Management

  1. The University of Utah shall take measures to protect confidential information that is stored, processed or transmitted using IT resources. These measures shall be implemented commensurate with the assessed level of risk and reviewed at regular intervals.
  2. The storage of data classified as restricted is not permitted, unless:
    1. The User must require such restricted information to perform duties that are necessary to conduct the business of the University;
    2. The cognizant Data Steward grants, in writing, permission to the user; AND
    3. The User and all IT resources storing the restricted data must fully comply with this policy and associated rules and may be subject to an assessment prior to approval.
  3. Data Classification - All electronic data shall be classified in accordance with the following requirements:
    1. PUBLIC DATA is information that may or must be open to the general public. It is defined as information with no existing local, national or international legal restrictions on access or usage. Public data, while subject to University disclosure rules, is available to all members of the University community and to all individuals and entities external to the University community. By way of illustration only, some examples of Public Data include:
      1. Campus maps
      2. Campus events
      3. Course descriptions
    2. SENSITIVE DATA is information that must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Sensitive Data is information that is restricted to members of the University community who have a legitimate purpose for accessing such data. By way of illustration only, some examples of Sensitive Data include:
      1. Internal memos and email, and non-public reports, budgets, plans, and financial information.
      2. Library transactions.
      3. Information covered by non-disclosure agreements
      4. Donor contact information and non-public gift amounts.
    3. RESTRICTED DATA is information protected by statutes, regulations, University policies or contractual language. Restricted Data may be disclosed to individuals on a need-to-know basis only. By way of illustration only, some examples of Restricted Data include:
      1. Credit Card Information
      2. Protected Health Information (PHI)
      3. SSN
      4. Student and prospective student information
      5. Export controlled information under U.S. laws
  4. Departments should carefully evaluate the appropriate data classification category for their information.
  5. Data Handling - All electronic data shall have appropriate handling procedures in accordance with its classification and commensurate with the assessed level of risk.

Guidelines and Operating Procedures