SPARCS - Topic Of The Week

Understanding the University Data Classification Standards

The world we live in has become heavily driven by technology, and with this shift data is constantly being created, transferred, and consumed. Processes that were once done in person or on paper, such as taxes, onboarding for a job, and applications, are now primarily done virtually with the click of a button. With these processes now predominantly virtual, you are more than likely storing these files on your computer. It is important that you track where you store your information and what information you are storing.

At UMD, our policies emphasize the importance of keeping track of where and what information is being stored. Some information is more sensitive than other information, and you need to know how to adequately protect it. The data classification standard ranks data by sensitivity, and our software catalog states what level of data is permitted to be stored within each piece of software. This article combines these two coordinating pieces of information into a single overview.

Understanding Data Sensitivity

There are four levels of data sensitivity at UMD: Low (Level 1), Moderate (Level 2), High (Level 3), and Restricted (Level 4).

  1. Low Risk (Level 1) - Low risk data is data whose release or unauthorized disclosure would not cause harm to individuals, groups, or the university. For example, if your information were breached and your name, birthday, and email were released without authorization, little harm would be done to you. The release of low risk data would cause no harm to individuals, groups, and/or the university.
  2. Moderate Risk (Level 2) - Moderate risk data is data whose release or unauthorized disclosure would likely cause adverse effects to individuals, but will not harm the university. Things whose release may cause harm or adverse effects to you include your employee performance review, UID, internal budget planning, etc. The release of moderate risk data may impact individuals in social, psychological, reputational, financial, or legal ways, but will not harm the university itself.
  3. High Risk (Level 3) - High risk data is data whose release or unauthorized disclosure would cause significant harm or adverse effect to individuals, groups, or the university. Things that may cause significant harm to you if released include your mental health records, conduct or disciplinary records, your Social Security Number, your driver's license information, student loan information, etc. The release of high risk data would cause significant harm to individuals, groups, and/or the university.
  4. Restricted Data (Level 4) - Restricted data is data whose access and use are strictly controlled and restricted by laws, regulations, or contracts. Unauthorized access, use, disclosure, or loss will have significant legal consequences, including civil and criminal penalties, loss of funding, inability to continue current research, and inability to obtain future funding or partnerships. HIPAA data, FERPA data, CUI data, export-controlled data, etc. are all subject to laws, regulations, and/or contracts, and the unauthorized release of this data would result in significant harm to individuals, groups, and the university.

Understanding Appropriate Data Storage

Common university systems are Box, Google, ELMS, Panopto, and Qualtrics. Each of these systems is permitted to store data only up to a certain sensitivity level. Here is a quick rundown of the data sensitivity permitted in each:

  1. Box - High Risk Data and below
  2. Google - Moderate Risk Data and below (and this applies to email!*)
  3. ELMS - Moderate Risk Data and below
  4. Panopto - High Risk Data and below
  5. Qualtrics - High Risk Data and below

If there are any systems where you are unsure of the permitted data sensitivity level for storage, please reference the UMD Software Catalog. For any specific data storage-related questions, please reach out to sparcs@umd.edu.

Suggested and referenced reading material:

UMD Data Classification Standards

IT-2 Data Classification Standard

Data Risk Guide

Standard for Protecting Sensitive Information

UMD Software Catalog
