This Standard applies to students, faculty, staff, contractors, and any persons or entities who generate, collect, use, store, or process personal information on behalf of the University.
Data management begins with the creation or collection of data and continues through the entire data lifecycle. As such, data management consists of the following main phases:
- Data Inventory
- Data Classification
- Data Protection
- Report Regulated Data
A data inventory is a detailed record of the data maintained by the university (“university data”).
The data inventory process consists of identifying and recording basic information about data in your custody, such as: data owner, data format, record category and retention requirement (per the University Records Schedule), storage, access, transfer, purpose of processing, etc.
The Data Inventory Template (xlsx) should be used to capture all relevant information about your data.
A data inventory is valuable because it provides information on what data you have, where it’s located and who has access to it. A data inventory also helps identify information that must be safeguarded under the requirements of laws (e.g. FERPA, HIPAA, GLBA), regulations (GDPR), industry standards, and university requirements and policies.
A data inventory is a precursor to the records survey which enables records managers to maintain university records in accordance with the Records Management Policy.
Lastly, a data inventory facilitates data incident investigation and disclosure/breach containment.
For assistance with completing or reviewing your data inventory, contact the GW Privacy Office.
Data Classification is the means of identifying the level of privacy and security protection to be applied to University Data and the scope in which the data can be shared.
Schools and divisions (“data custodians”) are responsible for reviewing and determining the types of non-public information (regulated, restricted) in their custody, by classifying it in accordance with the classification levels (PDF), based on its sensitivity and confidentiality.
The Guide for Classifying University Data (PDF) is available to help Schools and Divisions (“data custodians”) classify data in their custody.
Data Custodians should contact the Privacy Office ([email protected]) with questions on how specific data (information) should be classified.
On a periodic basis, it is important to reevaluate the classification of university data to ensure an assigned classification remains appropriate based on changes to legal and contractual obligations, as well as changes in the use of the data or its value to the university.
- Government-issued identification numbers, including social security numbers, driver license numbers, and passport numbers.
- Financial account numbers, including credit card numbers and bank account numbers.
- Personal health or medical information.
- Data, information, or technical specifications not in the public domain that are regulated by export control laws, excluding technology or software that arises during, or results from, fundamental research under Section 734.8 of the Export Administration Regulations (EAR).
Upon completion of the data inventory, follow the guidance in the Data Classification section to determine whether you have Regulated Information in your custody.
Data Custodians are responsible for implementing appropriate managerial, operational, physical, and role-based controls, in consultation with the Privacy Office and GW Information Technology, for access to, use of, transmission of, and disposal of Regulated Information.
Data Custodians are required to review their data inventory on a periodic basis to determine if there have been any material changes, such as changes to a record category, storage location or access to data that is in the custody of that unit.
Data Custodians should promptly inform the Privacy Office ([email protected]) if there are changes to their Regulated data inventory.