In June 2013 the University established a new policy on Data Security Classification. In this policy, data is classified into three categories:
- Private-Highly Restricted
- Private- Restricted
As in the past, University employees are required to protect private data, but the split in private data between highly restricted and restricted clarifies how we should think about this data. It also enables us to focus our most stringent security measures on the highly restricted category.
Individuals or units that store private data locally or in the cloud become responsible data owners. Whenever possible, we should continue to store data in the original enterprise system of record. However, when business needs drive us to other applications, it is important to recognize that this places extra responsibility on data owner.