UMGC Policy X-1.02 Data Classification

Policy Category: X. Info. Gov., Security & Technology
Policy Owner: SVP & General Counsel
Version Effective Date: May 24, 2023
Review Cycle: Every 4 years
Policy Contact: Data Privacy Officer

  1. Purpose
    The University of Maryland Global Campus ("University") maintains a vast amount of Information to support its administrative and educational activities. Data Classification plays a critical role in the University's comprehensive approach to maintaining the Confidentiality, Integrity, Availability and/or Privacy of its Data. This Policy describes the roles, responsibilities, and procedures for classifying Data and for implementing and complying with the prescribed Data security measures.
  2. Scope
    This Policy applies to all University business operations across all University divisions and departments. This Policy applies to all University Employees, as well as contractors, consultants, temporary employees, and other third parties performing duties on behalf of the University. This Policy applies to all Information and Data processed by the University and all Information Resources.
  3. Definitions
    Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.
  4. Data Management
    1. All Data Processed by the University's Information Resources is the property of the University, to the extent permitted by law or contract.
    2. The University shall designate Data Stewards. The Information Governance Team, established by UMGC Policy X-1.01 Information Governance, shall maintain a record of Data Steward designations.
    3. When an Information Resource(s) is purchased or renewed, the Information System Steward is responsible for ensuring that the relevant Data Steward(s) is(are) notified in order for the Data Steward to carry out their responsibilities as provided herein.
    4. Data should only be Processed by the University to satisfy a legitimate business purpose and in a legal manner.
    5. Adequate controls must be in place to protect the Confidentiality, Integrity, and Availability of Data commensurate to its Data Classification.
    6. UMGC's Information Governance Team is responsible for overseeing compliance with University System of Maryland (USM) IT Security Standards, and applicable federal, state, and local laws regarding Data Classification.
  5. Data Classification
    1. Data Stewards are responsible for ensuring Data Classifications are assigned appropriately to each type of Data they oversee and that a record of those classifications is maintained.
    2. Data Stewards are responsible for ensuring that the assigned Data Classifications are provided to applicable Information System Steward(s) and Technical System Lead(s) upon initial designation.
    3. After initial Data Classifications are assigned, Data Stewards may change the Data Classification for particular Data as needed. Data Stewards are responsible for ensuring that the updated classifications are provided to the applicable Information System Steward(s) and Technical System Lead(s) in a timely manner.
    4. The Information System Steward and Technical System Lead shall oversee the implementation of appropriate controls commensurate with the Data Classifications within the particular Information Resource.
    5. Data Stewards shall assign Data Classifications to Data based on the risk associated with improper disclosure for the particular type of Data as follows:
      1. High Risk Data
        1. University Data that (i) could be exploited for criminal or nefarious purposes; (ii) the University is obligated by state or federal statute or regulation to keep confidential; (iii) the University is contractually obligated to keep confidential; or (iv) are critical to the University's operational performance and cannot be easily replaced. The loss of Confidentiality, Integrity, or Availability of such Data would cause severe harm to individuals or the University's operations, safety, finances and/or reputation if disclosed.
        2. Trade secrets, inventions, mask works, ideas, processes, research, formulas, source and object codes, Data, programs, other works of authorship, know-how, improvements, discoveries, developments, designs, techniques, and any other proprietary technology that is owned by the University by law, policy or contract;
        3. Business and financial information or trade secrets received from a third party, which is subject to a duty on the University's part to maintain the confidentiality of such information; and
        4. Records pertaining to the University's competitive position with respect to educational services, including but not limited to records addressing fees, tuition, charges, and supporting information held by the University (other than fees published in catalogs and ordinarily charged to students), proposals for the provision of educational services other than those generated, received or negotiated with its students, and research, analysis, or plans relating to the University's operations or proposed operations.
        5. Examples of such Data include, but are not limited to:
          1. PII
          2. Biometric Data
          3. Education records
          4. Medical records
          5. Financial information
          6. Controlled Unclassified Information (CUI)
          7. Confidential information about University donors
          8. Databases used for tax, health care, payroll
          9. University-associated Account username(s) in combination with password(s)
      2. Moderate Risk Data
        1. University Data that are not available to the public. The loss of the Confidentiality, Integrity, or Availability would cause limited harm to individuals or the University's operations, safety, finances, and/or reputation. Data that were created or received primarily for use by the University or its Employees, Contractors, vendors, consultants, volunteers, students, alumni, donors, agents, or representatives for the University's legitimate business purposes and can reasonably be expected to be secured from public view.
        2. By default, all University Data that are not explicitly classified as High Risk Data or Low Risk Data shall be classified as Moderate Risk Data.
        3. Examples of such Data include, but are not limited to:
          1. University research not considered High Risk
          2. Non-public reports, budgets, operation plans
      3. Low Risk Data
        1. University Data that contain any Information that is already available to the general public or is required by law, policies, procedures, contract or otherwise to be made available to the general public with no legal restrictions on its access or use. The loss of the confidentiality, integrity, or availability would cause little to no harm to individuals or the University's operations, safety, finances, or reputation.
        2. Examples of such Data include, but are not limited to:
          1. Information found on the University's publicly facing website
          2. University published marketing collateral
    6. Combination of Data
      1. If a set of Data contains multiple types of Data with different Data Classifications, Data Stewards are responsible for ensuring that at least the highest Data Classification that was applied to a particular Data element within that Data set is assigned to the entire Data set.
      2. If a set of Data contains multiple types of Data with the same Data Classifications, Data Stewards are responsible for ensuring that a determination is made whether the Data set requires a higher level of Data Classification and if so, shall ensure that the higher classification is assigned accordingly.
  6. Yearly Review
    1. Data Stewards shall validate all applicable Data Classifications with the relevant Information System Steward(s) and Technical System Lead(s), in conjunction with the Data Protection Officer, as needed, or at least yearly, and update as necessary.
  7. Enforcement
    1. Any Employee, Contractor, or third party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the Office of Human Resources as soon as practical.
    2. Data Stewards, in consultation with the Office of Human Resources, may instruct Information System Stewards and Technical System Leads to take down and remove content that violates this Policy as well as confiscate or temporarily suspend or terminate the use of an Information Resource.
    3. Employees or Contractors who violate this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract.
  8. Effective Date: This policy is effective as of the Version Effective Date set forth above.