There are many variations of data that you encounter during your work day. It’s important to know how to categorize the data so the information can be secured, stored in a safe location and preserved for the correct amount of time. While information technology (IT) staff play an important role in keeping our data safe, it is also up to the individual to make sure they are aware of the risks involved when storing, sharing or transferring data. Preserve your reputation, as well as the institution by following these key concepts.
Key Concepts for Data Categorization
(Resources to all four concepts can be found at: http://datacat.psu.edu/data-profile-search)
- Categorize. Know how to categorize data.
- Secure. Do your part and secure the data (everyone is responsible, not just IT staff).
- Store. Store data according to the category in permissible locations only.
- Preserve. Keep data for the proper amount of time and destroy according to the retention schedule.
Categorize your Data
The University has defined three levels of data categories and there are types of data examples within each category. To categorize your data appropriately, consider the following.
- Is the data type already defined within a particular category? (list can be found at: http://datacat.psu.edu/data-profile-search)?
- There may be several data types included in one data set. The highest category (restricted) should be used when categorizing a document that may include public, internal/controlled and restricted data.
- What is the level of harm that would be endured if the data were to be inadvertently disclosed?
- Does the data have legislative obligations? Legislatively controlled data may include Protected Health Information (PHI), credit card information being used, stored or processed as a merchant, Personally Identifiable Information (PII) such as a first name or first initial and last name combined with a Social Security Number (SSN), Driver’s License Number, credit card number or bank account number. If the data falls within one of these categories, it falls within the restricted data category and has additional security requirements.
Categories of Data and Level of Harm
Public: Public data are intended for distribution to the general public, both internal and external to the University. The release of the data would have no or minimal damage to the institution.
Internal/Controlled: Internal/controlled data is intended for distribution within the University only, generally to defined subsets of the user population. The release of the data has the potential to create moderate damage to the institution. (Such damage may be legal, academic [loss or alteration of intellectual property] financial, or intangible [loss of reputation]).
Restricted: Restricted data are those which the University has legal, regulatory, policy or contractual obligations to protect. Access to restricted data must be strictly and individually controlled and logged. The release of such data has the potential to create major damage to the institution. (Such damage may be legal, academic [loss or alteration of intellectual property], financial, or intangible [loss of reputation]).
Categorize your data accordingly by using the criteria above.
- Store data only where permissible. There may be free or for fee cloud resources available that allow ease of use, large amounts of space and quick access to the data. However, if the proper channels are not followed before storing non-public data on cloud resources, your research or other data could be at risk.
- Before selecting a storage solution, consider the following.
- Does the University have a site license available with the vendor?
- If not, get Risk Management and/or Purchasing involved so the proper contractual language can be negotiated with the vendor to ensure the data safeguards, liability, confidentiality, etc.
- Click through agreements also require special vetting through Risk Management if the data is categorized as Restricted.