Data Roles and Responsibilities

Objective:

The objective of this document is to facilitate and formalize the roles and responsibility requirements related to the stewardship of university data. This standard specifically supports the Data Classification Policy but exists to support all university policies and federal and state regulations governing the protection of the university’s data.

Data Owner

The individual assigned by management to oversee the proper handling of administrative, academic or research data.  The owner is responsible for ensuring that appropriate steps are taken to protect data and for the implementation of policies, guidelines and memorandums of understanding that define the appropriate use of the data. The owner of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate, ownership may be shared by managers of different departments. The owner or his designated representatives are responsible for and authorized to:

  • Approve access and formally assign custody of an information resources asset.
  • Specify appropriate controls, based on data classification, to protect the information resources from unauthorized modification, deletion, or disclosure. The owner will convey those requirements to administrators for implementation and educate users. Controls shall extend to information resources outsourced by the university.
  • Confirm that applicable controls are in place to ensure an appropriate level of confidentiality, integrity and availability
  • Confirm compliance with applicable controls
  • Assign custody of information resources assets and provide appropriate authority to implement security controls and procedures
  • Ensure access rights are re-evaluated when a user’s access requirements to the data change (e.g., job assignment change)

Data Administrator

The University or outsourced service provider charged with implementing the controls specified by the owner. The administrator is responsible for the processing, storage and recovery of information. The administrator of information resources must:

  • Implement the controls specified by the owner(s)
  • Provide physical and procedural safeguards for the information resources
  • Assist owners in evaluating the overall effectiveness of controls and monitoring
  • Implement the monitoring techniques and procedures for detecting, reporting, and investigating incidents

Data User

The user is any person who has been authorized by the owner of the information to read, enter, or update that information.  The user has the responsibility to (1) use the resource only for the purpose specified by the owner, (2) comply with controls established by the owner, and (3) prevent disclosure of confidential or sensitive information.  The user is the single most effective control for providing adequate security.

Data Classifications

The following data classifications exist to aid in understanding what data types can be released and what security controls should exist to protect each data type.

If you have questions regarding the classification of specific data, and the following definitions cannot answer them, always consult the data owner.

Confidential Data

University data that cannot be released and is protected by either:

  • Federal or state law or regulations (e.g., HIPAA).
  • Contractual agreements requiring confidentiality (e.g., Non-Disclosure Agreements).

See the extended list of confidential data for common types of confidential data.

Protect your confidential data by applying the appropriate security guidelines.  Please contact the data owner(s) if you have any questions regarding how to secure confidential data.

Protected Data

University data that is not otherwise identified as Confidential data or Public data which must be appropriately protected to ensure a lawful or controlled release (e.g. Connecticut Freedom of Information Act requests).

Unless your data is known to be confidential or public, consider it Protected. Please contact the data owner(s) if you have any questions regarding how to secure or release protected data.

Public Data

Data that is open to all users, with no security measures necessary. Data is public if:

  • There is an obligation to make the data public (e.g. Fact Sheets)
  • The information is intended to promote or market the University, research or institutional initiatives

Data Owners should restrict access to data that:

  • Are not intended for a specific use by a specific person or audience
  • Could be used to exploit an individual, system or institution