Data Classification and Protection
Data classification and Data protection of GW’s institutional data is a responsibility that all members of the university community share. GW’s institutional data is central to the university’s academic, research, and administrative activities. Institutional data includes information that is regulated under applicable laws and regulations, restricted due to the confidential nature of its content. Information, regardless of medium, that is generated, collected, stored, maintained, transmitted, enhanced, or recorded by or for the university to conduct university business. Additionally, institutional data includes data used for planning, managing, operating, controlling, or auditing university functions, operations, and mission. Institutional data excludes data generated by research, or data owned or generated by a party outside the university when used in research, conducted at the university, under the auspices of the university, or with university resources.
When institutional data is not safeguarded properly, there is the risk of data loss. Data loss, whether intentional or unintentional, could have an adverse impact on GW’s operations and reputation. This Data Classification and Data Protection Standard provides guidance on the classifications applicable to GW institutional data and data protection measures to help safeguard against data loss.
- Institutional Data
At GW, institutional data (or information) is defined as data in any form, location or unit that meets one or more of the following criteria:
- It is subject to a legal obligation requiring the university to manage the data responsibly
- It is substantive and relevant to the planning, managing, operating, documenting, staffing, or auditing of one or more major administrative functions, or multiple organizational units, of the university.
- It is included in an official university report.
- It is used to derive any data element that meets the above criteria.
GW Institutional Data Categories
- Advancement and Alumni Affairs: Includes all aspects of alumni and development data.
- Facilities: Includes the facilities services data of the University including space-planning data, construction, maintenance and operational data, reservations and physical-descriptive data.
- Financial: Data related to the management of fiscal resources of the University.
- Human Resources: Supports the management of employee resources of the University.
- Information Technology: Supports the provisioning and management of the technology infrastructure provided by the Division of Information Technology.
- Library and Information Resource: Supports the management activities and information-resource-collection activities of the University libraries.
- Organizational: Reflects the internal organizational structure of the University and identifies hierarchical relationships among individual entities.
- Person Registry: Supports the management of identity and authentication for individuals associated with the University.
- Research: Includes records that represent grants & contracts (proposals and awards) the University has received and executed.
- Student: Supports all phases of a student’s relationship with the University from expression of interest through alumni status
- Data Classification
Data Classification is the means used to define and categorize files and critical business information based on the data’s level of sensitivity, value and criticality including the scope in which the data can be shared. GW institutional data classification levels are Regulated, Restricted and Public.
GW's Data Classification Guide describes each classification level and provides examples for each category.
On a periodic basis, university institutional data may require reevaluation by the business owner to determine whether the assigned classification remains appropriate based on changes to legal and contractual obligations, as well as changes in the use of the data or its value to the university.
- Data Protection
Protecting GW institutional data from unauthorized access or use is critical to maintaining the confidentiality, integrity, and availability of all data stored, processed, printed, and/or transmitted by faculty, staff and, where applicable, third parties. Throughout its lifecycle, institutional data must be protected in a manner that is consistent with contractual or legal requirements. Additionally, data protection measures must be reasonable and appropriate for the classification level. For example, a document that contains regulated and public information must be managed and protected in accordance with requirements for regulated information.
- Report a Data Incident or a Data Breach
All staff, faculty, students and contractors with access to Non-Public (restricted or regulated) institutional data must notify GW IT and /or the GW Privacy immediately if they suspect that regulated or restricted university data has been lost, stolen or disclosed without authorization.