Data Management and Protection Standard

The Data Management and Protection Standard is a framework for classifying university data, based on its level of sensitivity, value and criticality to the university, and protecting it, as required by the Personal Information and Privacy Policy and the Records Management Policy.

This Standard applies to students, faculty, staff, contractors, and any persons or entities who generate, collect, use, store, or process personal information on behalf of the University.

Data management begins with the creation or collection of data and continues through the entire data lifecycle.

Data management process steps: 

  1. Data Inventory
  2. Data Classification
  3. Data Protection

Data Inventory

A data inventory is a detailed record of the data maintained by the university ("university data").

The data inventory process consists of identifying and recording basic information about data in your custody, such as: data owner, data format, record category and retention requirement (per the Records Retention Schedule), storage, access, transfer, purpose of processing, etc.

The Data Inventory Template (xlsx) should be used to capture all relevant information about your data. Upon completion of the data inventory, follow the guidance in the Data Classification section to determine whether you have Regulated information in your custody.

A data inventory is valuable because it provides information on what data you have, where it is located and who has access to it. A data inventory also helps identify information that must be safeguarded under the requirements of laws (e.g. FERPA, HIPAA, GLBA), regulations (e.g. GDPR), industry standards and university requirements and policies. A thorough data inventory also helps facilitate data incident investigation and disclosure/breach containment.

Data Custodians are required to review their data inventory on a periodic basis to determine if there have been any material changes, such as changes to a record category, storage location or access to data that is in the custody of that unit.  

Data Custodians should submit their completed Data Inventory to the GW Privacy Office and promptly inform the Privacy Office if there are changes to their Regulated data inventory.

For assistance with completing or reviewing your data inventory, contact the GW Privacy Office.

Data Classification

Data Classification is the means of identifying the level of privacy and security protection to be applied to University Data and the scope in which the data can be shared.

Schools and divisions (“data custodians”) are responsible for reviewing and determining the types of non-public information in their custody and classifying it, based on its sensitivity and confidentiality, in accordance with GW's Data Classification Levels. Data custodians should use this guide to classify university data in their custody.

Data Custodians should contact the Privacy Office with questions on how specific data (information) should be classified.


On a periodic basis, it is important to reevaluate the classification of university data to ensure an assigned classification remains appropriate based on changes to legal and contractual obligations, as well as changes in the use of the data or its value to the university.

Data Protection

Maintaining the confidentiality, integrity, availability and regulatory compliance of all data stored, processed, printed, and/or transmitted at the university is required of all staff, faculty, students and contractors.

Throughout its lifecycle, all university data stored, processed and/or transmitted at the university must be protected in a manner that is consistent with contractual or legal restrictions and is reasonable and appropriate for its classification. Follow this Data Protection Guide to appropriately access, store, transmit or dispose of university data. Records containing data elements with multiple classifications must be protected at the highest level of information represented. For example, a document that contains regulated and public information must be managed and protected in accordance with requirements for regulated information. 

The following physical controls should be applied by all staff, faculty, students and contractors with access to Non-Public (restricted or regulated) information: 

  • Restrict physical access to computers when you are away from your office or workspace, by, for example, locking the door or using security cables or locking devices.
  • Secure access to computers and mobile devices by requiring passwords (except for public computers with no Non-Public Information, such as those in the library or in labs). Passwords are integral to security. Follow the GW IT guide for selecting secure UserID passwords and how to reset them. Log out when finished using a GW system.
  • Secure access to your computers using a screen saver or built-in lock feature when you are away from your office or workspace.
  • Maintain possession or control of your mobile devices and apply appropriate safeguards to the extent possible to reduce the risk of theft and unauthorized access.
  • In the event that a GW-owned computer or mobile device containing Non-Public Information is lost or stolen, contact GW IT ([email protected]) immediately.

Report a Data Incident or a Data Breach

All staff, faculty, students and contractors with access to Non-Public (restricted or regulated) university data must notify GW IT and/or the GW Privacy Office immediately if they suspect that regulated or restricted university data has been lost, stolen or disclosed without authorization.

To report an incident involving university data or a suspected data breach, contact the GW Privacy Office, email [email protected], or use this reporting form.

Research Data

Research Data are anything on which you perform research analysis: results from wet lab experiments, surveys, coded interviews, census records, instrument readouts, literary corpus, etc.

Research data management involves the organization, storage, preservation, and sharing of data collected and used in a research project, from its entry to the research cycle to the publication and long-term preservation of the research results.

Visit the GW Research Data Management webpage for information and tools to help with managing your Research Data.

Privacy and data protection principles are applied throughout the research lifecycle.

Guidance and Training
