Data Management and Protection Standard
This Standard applies to students, faculty, staff, contractors, and any persons or entities who generate, collect, use, store, or process personal information on behalf of the University.
Data management begins with the creation or collection of data and continues through the entire data lifecycle.
Data management process steps:
- Data Inventory
- Data Classification
- Data Protection
- Report Regulated Data
- Data Inventory
A data inventory is a detailed record of the data maintained by the university ("university data").
The data inventory process consists of identifying and recording basic information about data in your custody, such as: data owner, data format, record category and retention requirement (per the University Records Schedule (PDF)), storage, access, transfer, purpose of processing, etc.
The Data Inventory Template (xlsx) should be used to capture all relevant information about your data.
A data inventory is valuable because it provides information on what data you have, where it’s located and who has access to it. A data inventory also helps identify information that must be safeguarded under the requirements of laws (e.g. FERPA, HIPAA, GLBA), regulations (GDPR), industry standards and university requirements and policies.
A data inventory is a precursor to the records survey which enables records managers to maintain university records in accordance with the Records Management Policy.
Lastly, data inventory facilitates data incident investigation and disclosure/breach containment.
For assistance with completing or reviewing your data inventory, contact the GW Privacy Office.
- Data Classification
Data Classification is the means of identifying the level of privacy and security protection to be applied to University Data and the scope in which the data can be shared.
Schools and divisions (“data custodians”) are responsible for reviewing and determining the types of non-public information in their custody, by classifying it, based on its sensitivity and confidentiality, in accordance with GW's Data Classification Levels.
The Guide for Classifying University Data (PDF) is available to help Schools and Divisions (“data custodians”) classify data in their custody.
Data Custodians should contact the Privacy Office with questions on how specific data (information) should be classified.
On a periodic basis, it is important to reevaluate the classification of university data to ensure an assigned classification remains appropriate based on changes to legal and contractual obligations, as well as changes in the use of the data or its value to the university.
- Data Protection
Maintaining the confidentiality, integrity, availability and regulatory compliance of all data stored, processed, printed, and/or transmitted at the university is a requirement of all staff, faculty, students and contractors.
Throughout its lifecycle, all university data stored, processed and/or transmitted at the university must be protected in a manner that is consistent with contractual or legal restrictions and is reasonable and appropriate for its classification. Follow this Data Protection Guide to appropriately access, store, transmit or dispose of university data.
Records containing data elements with multiple classifications must be protected at the highest level of information represented. For example, a document that contains regulated and public information must be managed and protected in accordance with requirements for regulated information.
The following physical controls should be applied by all staff, faculty, students and contractors with access to Non-Public (restricted or regulated) information:
- Restrict physical access to laptop computers when you are away from your office or workspace, by, for example, locking the door or using security cables or locking devices.
- Secure computers and mobile devices by requiring passwords (except for public computers with no Non-Public Information, such as those in the library or in labs).
- Passwords are integral to security. Follow the GW IT guide for selecting secure UserID passwords and how to reset them.
- Log out when finished using a GW system.
All staff, faculty, students and contractors with access to Non-Public (restricted or regulated) university data must notify GW IT and/or the GW Privacy Office immediately if they suspect that regulated or restricted university data has been lost, stolen or disclosed.
- Secure your computers using a screen saver or built-in lock feature when you are away from your office or work space.
- Maintain possession or control of your mobile devices and apply appropriate safeguards to the extent possible to reduce the risk of theft and unauthorized access.
- In the event that a GW-owned computer or mobile device containing Non-Public Information is lost or stolen, contact GW IT ([email protected]) immediately.
- Telework - Data Protection Guidance
To ensure the protection of university Regulated and Restricted data, in accordance with University policies and regulations governing personal information, the GW Privacy office established the following guidance:
- Report Regulated Data
Examples:
- Government-issued identification numbers, including social security numbers, driver license numbers, and passport numbers.
- Financial account numbers, including credit card numbers and bank account numbers.
- Personal health or medical information.
- Data, information, or technical specifications not in the public domain that are regulated by export control laws, excluding technology or software that arises during, or results from, fundamental research under Section 734.8 of the Export Administration Regulations (EAR).
Data Custodians are responsible for implementing appropriate managerial, operational, physical, and role-based controls, in consultation with the Privacy Office and GW Information Technology, for access to, use of, transmission of, and disposal of Regulated Information.
Data Custodians are required to review their data inventory on a periodic basis to determine if there have been any material changes, such as changes to a record category, storage location or access to data that is in the custody of that unit.
Data Custodians should promptly inform the Privacy Office if there are changes to their Regulated data inventory.
Upon completion of data inventory, follow guidance in the Data Classification section, to determine if you have Regulated information in your custody.
- Research Data
Research Data are anything on which you perform research analysis: results from wet lab experiments, surveys, coded interviews, census records, instrument readouts, literary corpus, etc.
Research data management involves the organization, storage, preservation, and sharing of data collected and used in a research project, from its entry to the research cycle to the publication and long-term preservation of the research results.
Visit the GW Research Data Management webpage for information and tools to help with managing your Research Data.
Privacy and data protection principles are applied throughout the research lifecycle.
- Tools and Training
- Data Inventory Template (xlsx)
- Guide to Data Classification (PDF)
- Data Classification and Protection Handout (PDF)
TAG related Training
- Best Practices for Sharing Regulated Information
- Protecting Information while using virtual meeting applications
- Records Management at GW
- Security Best Practices for GW Box
- Guide to GW's Information Management Policies (PDF)
- Which Document Management service is right for me?
- Security Considerations
- Data Security while working abroad
- Email Security Guide
- Encryption Guide