Guideline for Data Handling

I.  Purpose

The purpose of this document is to provide guidance for protecting university information resources from unauthorized access or disclosure.  The goal is to assure that every member of the UNC Charlotte community can identify non-public data and follow appropriate security precautions to protect the data so as to avoid compromising the privacy rights of others or UNC Charlotte’s institutional rights or obligations.

II.  Background

Information & Technology Services (ITS) protects UNC Charlotte data from unauthorized access or inappropriate use by enforcing technical and procedural security controls for core systems and applications that store and/or process non-public data.  However, the availability of local workstations, shared drives, UNC Charlotte hosted applications and services, and cloud-based services provide the opportunity for otherwise secure data to be extracted and used outside the established security controls.  Before data may be extracted, stored, or used outside of UNC Charlotte’s protected infrastructure systems, users must ensure that the security of the data is protected appropriate to the level of its classification.

III.  Scope

This guideline applies to UNC Charlotte staff, faculty, students, associates, affiliates, contractors, volunteers, or visitors accessing university owned or managed data, in physical or electronic format.

IV.  Contacts

Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact ITS Information Security Compliance at ISCompliance-group@uncc.edu.

V.  Data Classification Levels

Per the UNC Charlotte Standard for Information Classification, every member of the UNC Charlotte community should be able to identify the appropriate classification level of any data they are accessing or maintaining in electronic or physical form. 

Data classification levels range from Level 0 (public) to Level 3 (highly restricted).  Any data other than Level 0 data is considered to be non-public data.  The four classification levels are:

Level 0—Public

  • University data that is purposefully made available to the public.
  • Disclosure of Level 0 data requires no authorization and may be freely disseminated without potential harm to the university.

Public data includes, but is not limited to:  Advertising, product and service information, directory listings, published research, presentations or papers, job postings, press releases.

Level 1 - Internal

  • University owned or managed data that includes information that is not openly shared with the general public but is not specifically required to be protected by statute or regulation.
  • Unauthorized disclosure would not result in direct financial loss or any legal, contractual, or regulatory violations, but might otherwise adversely impact the university, individuals, or affiliates.
  • Level 1 data is intended for use by a designated workgroup, department, or group of individuals within the university. 

Note:  While some forms of internal data can be made available to the public, the data is not freely disseminated without appropriate authorization.

Internal data includes, but is not limited to:  Budget and salary information, personal cell phone numbers, departmental policies and procedures, internal memos, incomplete or unpublished research.

Level 2 - Confidential/Sensitive

  • University owned or managed data that is confidential business or personal information for which unauthorized disclosure could have a serious adverse impact on the university, individuals or affiliates. 
  • Level 2 data is intended for a very specific use and should not be disclosed except to those who have explicit authorization to review such data.
  • There are often general statutory, regulatory or contractual requirements that require protection of the data.
  • Regulations and laws that affect data in Level 2 include, but are not limited to, the Family Educational Rights & Privacy Act (FERPA), the State Human Resources Act (SHRA), and the Graham-Leach-Bliley Act (GLBA).

Confidential/sensitive data includes, but is not limited to:  Student data that is not designated as directory information, passport data, personal financial information, certain research data (e.g., proprietary or otherwise protected), personally identifiable information (PII) such as name, birthdate, address, employee or student ID, etc. where the information is held in combination and could lead to identity theft or other misuse.

Level 3 - Highly Restricted

  • University owned or managed data that is highly restricted business or personal information, for which unauthorized disclosure would result in significant financial loss to the university, impair its ability to conduct business, or result in a violation of contractual agreements or federal or state laws or regulations.
  • Level 3 data is intended for very limited use and must not be disclosed except to those who have explicit authorization to view or use the data.
  • There are often governing statutes, regulations, standards, or agreements with specific provisions that dictate how this type of data must be protected.
  • Regulations and laws that affect Level 3 data include, but are not limited to, the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).

Highly restricted data includes, but is not limited to:  Social Security Numbers, payment card numbers, medical records, restricted information protected by nondisclosure agreements, restricted research data.

VI.  Guidelines for Appropriate Data Handling

Whether data is downloaded from a system or application within UNC Charlotte’s protected infrastructure or acquired by some other means, individuals must ensure that the security of the data is protected appropriate to the level of its classification.

Level 3 Data

Due to its restricted nature, level 3 data requires special handling. Some units may handle level 3 data as part of their business processes; however, that data should not be exported or stored outside of its secured location without express permission of the data or system owner.

NOTE:  While a limited number of enterprise applications such as Perceptive Content hold highly restricted level 3 data, access to this data is tightly controlled via specific permissions and management authorization.  If unsure whether your business data may be stored in one of these systems, discuss it with management and your area’s Information Security Liaison.

Research Data

Research data is typically highly sensitive in nature or subject to special contractual requirements and its handling should be coordinated through the appropriate Data Security Officer. For guidance on the protection of university research data, see the Guideline for Research Data Security.

The following table is provided to help members of the UNC Charlotte community make decisions about appropriate data handling for classification levels 0 through 2. Data belonging to multiple classification levels must be treated according to the highest level of sensitivity.

      Service

0

1

2

Comments

UNC Charlotte Owned Workstations, Laptops, Tablets, other devices

 

No level 2 or 3 data can be stored here.

Mobile devices must have additional security configurations in place if storing level 1 data.

Publicly Accessible Kiosks and Workstations

 

 

No level 1, 2, or 3 data can be stored here.

Personally Owned Workstations, Laptops, Tablets, other devices

 

 

No level 1, 2, or 3 data can be stored here.

See the Guideline for Mobile Devices for additional guidance.

ITS-Provided Network Drives (H:, J:, S:, etc.)

No level 3 data can be stored here. Level 2 data can be stored here only if additional security is in place such as limited access and/or encryption.

UNC Charlotte Email

No level 3 data can be sent via email. Level 2 data is permissible if designated email recipients are authorized to view the data and no recipients’ addresses are outside the university email system.

UNC Charlotte Google Drive

No level 3 data can be stored here.  Level 2 data can be stored here only if additional security is in place such as limited access.

UNC Charlotte Dropbox

No level 3 data can be stored here.  Level 2 data can be stored here only if additional security is in place such as limited access.  Level 2 data should not be synced to your desktop, laptop, or mobile device.

Public Cloud Storage Sites (i.e., non-University provided cloud storage)

 

 

No level 1, 2 or 3 data can be stored here.

UNC Charlotte websites (including Drupal offering, departmental websites, WIKIs, etc.)

 

 

No level 1, 2 or 3 data can be stored here.

UNC Charlotte Survey Share Service

 No level 2 or 3 data can be stored in SurveyShare.

UNC Charlotte Moodle

No level 3 data can be stored in Moodle.  Level 2 data is permissible if designated viewers/recipients are authorized to view the data and no recipients are from outside the university system.

UNC Charlotte CanvasNo level 3 data can be stored in Canvas.  Level 2 data is permissible if designated viewers/recipients are authorized to view the data and no recipients are from outside the university system.

UNC Charlotte owned portable electronic storage media, such as USB devices, CD/DVD, or external hard drives.

 

No level 2 or 3 data can be stored here. 

Portable storage media must have additional security configurations in place if storing level 1 data.

Related Resources

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by Information Assurance Committee 4/10/14
Updated 3/8/17