Data Management and Protection Standard

The Data Management and Protection Standard is a framework for classifying university data, based on its level of sensitivity, value and criticality to the university, and protecting it, as required by the Personal Information and Privacy Policy and the Records Management Policy.

This Standard applies to students, faculty, staff, contractors, and any persons or entities who generate, collect, use, store, or process personal information on behalf of the University.

Data management begins with the creation or collection of data and continues through the entire data lifecycle.

Data management process steps: 

  1. Data Inventory
  2. Data Classification
  3. Data Protection
  4. Report Regulated Data

A data inventory is a detailed record of the data maintained by the university ("university data").

The data inventory process consists of identifying and recording basic information about data in your custody, such as: data owner, data format, record category and retention requirement (per the University Records Schedule), storage, access, transfer, purpose of processing, etc.

The Data Inventory Template (xlsx) should be used to capture all relevant information about your data.

A data inventory is valuable because it provides information on what data you have, where it’s located and who has access to it. A data inventory also helps identify information that must be safeguarded under the requirements of laws (e.g. FERPA, HIPAA, GLBA), regulations (GDPR), industry standards and university requirements and policies.

A data inventory is a precursor to the records survey which enables records managers to maintain university records in accordance with the Records Management Policy.

Lastly, data inventory facilitates data incident investigation and disclosure / breach containment.

For assistance with completing or reviewing your data inventory, contact the GW Privacy Office.

Data Classification is the means of identifying the level of privacy and security protection to be applied to University Data and the scope in which the data can be shared.

Schools and divisions (“data custodians”) are responsible for reviewing the types of non-public information in their custody and classifying it, based on its sensitivity and confidentiality, in accordance with these GW Data Classification Levels.

The Guide for Classifying University Data (PDF) is available to help Schools and Divisions (“data custodians”) classify data in their custody.

Data Custodians should contact the Privacy Office ([email protected]) with questions on how specific data (information) should be classified.


On a periodic basis, it is important to reevaluate the classification of university data to ensure an assigned classification remains appropriate based on changes to legal and contractual obligations, as well as changes in the use of the data or its value to the university.

Maintaining the confidentiality, integrity, availability and regulatory compliance of all data stored, processed, printed, and/or transmitted at the university is a requirement of all staff, faculty, students and contractors.

Throughout its lifecycle, all university data stored, processed and/or transmitted at the university must be protected in a manner that is consistent with contractual or legal restrictions and is reasonable and appropriate for its classification. Follow this Data Protection Guide to appropriately access, store, transmit or dispose of university data.

Records containing data elements with multiple classifications must be protected at the highest level of information represented. For example, a document that contains regulated and public information must be managed and protected in accordance with requirements for regulated information. 

The following physical controls should be applied by all staff, faculty, students and contractors with access to Non-Public (restricted or regulated) information: 

  • Restrict physical access to laptop computers when you are away from your office or workspace, by, for example, locking the door or using security cables or locking devices.
  • Secure computers and mobile devices by requiring passwords (except for public computers with no Non-Public Information, such as those in the library or in labs). Passwords are integral to security. Follow the GW IT guide for selecting secure NETID passwords and how to reset them.
  • Log out when finished using a GW system.
  • Secure your computers using a screen saver or built-in lock feature when you are away from your office or workspace.
  • Maintain possession or control of your mobile devices and apply appropriate safeguards to the extent possible to reduce the risk of theft and unauthorized access.
  • In the event that a GW-owned computer or mobile device containing Non-Public Information is lost or stolen, contact GW IT ([email protected]) immediately.

All staff, faculty, students and contractors with access to Non-Public (restricted or regulated) university data must notify GW IT and/or the GW Privacy Office immediately if they suspect that regulated or restricted university data has been lost, stolen or disclosed.

To report an incident involving university data or a suspected data breach, email [email protected], [email protected], or use this reporting form.

To ensure the protection of university Regulated and Restricted data, in accordance with University policies and regulations governing personal information, the GW Privacy Office established the following guidance:

Telework Data Protection Best Practices

Guidance for use of Virtual Meeting, Event or Collaboration Platforms

Per the Personal Information and Privacy Policy, data custodians must report to the Privacy Office ([email protected]) if they have any regulated data in their custody.


  • Government-issued identification numbers, including social security numbers, driver license numbers, and passport numbers.
  • Financial account numbers, including credit card numbers and bank account numbers.
  • Personal health or medical information.
  • Data, information, or technical specifications not in the public domain that are regulated by export control laws, excluding technology or software that arises during, or results from, fundamental research under Section 734.8 of the Export Administration Regulations (EAR).

Upon completion of the data inventory, follow the guidance in the Data Classification section to determine if you have Regulated information in your custody.

Data Custodians are responsible for implementing appropriate managerial, operational, physical, and role-based controls, in consultation with the Privacy Office and GW Information Technology, for access to, use of, transmission of, and disposal of Regulated Information.

Data Custodians are required to review their data inventory on a periodic basis to determine if there have been any material changes, such as changes to a record category, storage location or access to data that is in the custody of that unit.

Data Custodians should promptly inform the Privacy Office ([email protected]) if there are changes to their Regulated data inventory.

Research Data are anything on which you perform research analysis: results from wet lab experiments, surveys, coded interviews, census records, instrument readouts, literary corpus, etc.

Research data management involves the organization, storage, preservation, and sharing of data collected and used in a research project, from its entry to the research cycle to the publication and long-term preservation of the research results.

Access the GW Research Data Management WebPage for information and tools to help with managing your Research Data.

Privacy and data protection principles are applied throughout the research lifecycle.

Research Life Cycle