Data Management and Protection Standard

The Data Management and Protection Standard is a framework for classifying university data, based on its level of sensitivity, value and criticality to the university, and protecting it, as required by the Personal Information and Privacy Policy, Records Management Policy, and the Information Security Policy.

This Standard applies to students, faculty, staff, contractors, and any persons or entities who generate, collect, use, store, or process personal information on behalf of the University.

Data management begins with the creation or collection of data and continues through the entire data lifecycle. As such, data management consists of the following main phases:

  1. Data Inventory
  2. Data Classification
  3. Data Protection
  4. Report Regulated data

A data inventory is a detailed record of the data maintained by the university ("university data").

The data inventory process consists of identifying and recording basic information about data in your custody, such as: data owner, data format, record category and retention requirement (per the University Records Schedule), storage, access, transfer, purpose of processing, etc.

The Data Inventory Template (xlsx) should be used to capture all relevant information about your data.

A data inventory is valuable because it provides information on what data you have, where it’s located and who has access to it. Data Inventory also helps identify information that must be safeguarded under requirements of laws (e.g. FERPA, HIPAA, GLBA), regulations (GDPR), industry standards and university requirements and policies.

A data inventory is a precursor to the records survey which enables records managers to maintain university records in accordance with the Records Management Policy.

Lastly, data inventory facilitates data incident investigation and disclosure / breach containment.

For assistance with completing or reviewing your data inventory, contact the GW Privacy  Office.

Data Classification is the means of identifying the level of privacy and security protection to be applied to University Data and the scope in which the data can be shared.

Schools and divisions (“data custodians”) are responsible for reviewing and determining the types of non-public information (regulated, restricted) in their custody, by classifying it in accordance with the classification levels (PDF), based on its sensitivity and confidentiality.

The Guide for Classifying University Data (PDF) is available to help Schools and Divisions (“data custodians”) classify data in their custody.

Data Custodians should contact the Privacy Office ([email protected]) with questions on how specific data (information) should be classified.


On a periodic basis, it is important to reevaluate the classification of university data to ensure an assigned classification remains appropriate based on changes to legal and contractual obligations, as well as changes in the use of the data or its value to the university.

To ensure the protection of university Regulated and Restricted data, in accordance with University policies and regulations governing personal information, the GW Privacy office established the following guidance:

Telework Data Protection Best Practices

Guidance for use of Virtual Meeting, Event or Collaboration Platforms

Per the Personal Information and Privacy Policy, data custodians must report to the Privacy Office ([email protected]) if they have any regulated data in their custody.


  • Government-issued identification numbers, including social security numbers, driver license numbers, and passport numbers.
  • Financial account numbers, including credit card numbers and bank account numbers.
  • Personal health or medical information.
  • Data, information, or technical specifications not in the public domain that are regulated by export control laws, excluding technology or software that arises during, or results from, fundamental research under Section 734.8 of the Export Administration Regulations (EAR).

Upon completion of data inventory, follow guidance in the Data Classification section, to determine if you have Regulated information in your custody.   

Data Custodians are responsible for implementing appropriate managerial, operational, physical, and role-based controls, in consultation with the Privacy Office and GW Information Technology, for access to, use of, transmission of, and disposal of Regulated Information.

Data Custodians are required to review their data inventory on a periodic basis to determine if there have been any material changes, such as changes to a record category, storage location or access to data that is in the custody of that unit.

Data Custodians should promptly inform the Privacy Office ([email protected]) if there are changes to their Regulated data inventory.

Research Data are anything on which you perform research analysis: Results from wet lab experiments, surveys, coded interviews, census records, instrument readouts, literary corpus, etc. 

Research data management involves the organization, storage, preservation, and sharing of data collected and used in a research project, from its entry to the research cycle to the publication and long term preservation of the research results.

Access the GW Research Data Management WebPage for information and tools to help with managing your Research Data.

Privacy and data protection principles are applied throughout the research lifecycle.

Research Life Cycle