Chapter 3337-93 | Policy on Data Classification and Record Management

The version of this rule that includes live links to associated resources is online at

https://www.ohio.edu/policy/93-001.html

(A) Overview

This policy establishes that all information assets will be classified according to their confidentiality, integrity and availability. This policy sets forth procedures based on those classifications so that the university can protect each asset in an appropriate manner.

This policy is based on federal information processing standards (FIPS) publication 199, "Standards for Security Categorization of Federal Information and Information Systems" and the corresponding NIST special publication, 800-53 revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations."

Key elements of this policy are the appointment of data stewards and the classification of data elements or data assets.

(B) Security objectives

As part of the university's data classification scheme, data will be classified, in terms of security, as high, medium, or low in three areas:

(1) Confidentiality

"Confidentiality" refers to the requirement and need for preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. Examples include student social security numbers, which require a high level of confidentiality; the contents of university work emails, which require a medium level of confidentiality; and the university's "front door" web pages, which require a low level of confidentiality.

(2) Integrity

"Integrity" refers to the necessity of guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. Student grades and university financial data are examples of data that requires a high degree of integrity.

(3) Availability

"Availability" refers to the requirement to ensure timely and reliable access to and use of information. Medical information, such as an individual's potential allergic reactions to certain drugs, is an example of data that has a requirement for a high degree of availability.

(C) Potential impact

(1) High

Failure to meet this particular security objective could pose a significant threat to: reputation, university mission, intellectual properties, legal compliance, financial health, or life or liberty. Information exempted from the "sunshine" laws usually has a high degree of confidentiality. Information regarding grades, confidential or proprietary research, health care, or personal financial information typically requires a high degree of integrity.

(2) Medium

Failure to meet this particular security objective could pose a moderate threat to: reputation, university mission, intellectual properties, legal compliance, financial health, or life or liberty. Typically, items in this classification are subject to release under the "sunshine" laws.

(3) Low

Failure to meet this particular security objective could pose little or no threat to: reputation, university mission, intellectual properties, legal compliance, financial health, or life or liberty. A low degree of confidentiality is typically used for information that is intended for public consumption.

(D) Data stewards

The data steward is the individual whom the university has identified as being responsible for the quality and utility of data elements. A primary duty of the data steward is to ensure that all data for which the steward has responsibility is properly rated and classified. The data steward is responsible for ensuring that a particular data element remains useful for the university, and that data is made available to appropriate parties as defined by role.

A data steward must be identified for all data elements that have a medium or high potential impact. The data steward works with Ohio university to ensure that the right policies, procedures, and operating practices are in place to protect the data element.

(E) University information security officer

The director of information security, fulfilling the role of university information security officer, is tasked to coordinate, develop, implement, and maintain an organization-wide information security program. This includes responsibility for the overall information risk posture of the university, and ensuring that the security objectives listed in this policy are adequately addressed.

(F) Procedures for levels of data

All institutional data shall be rated according its criticality in the dimensions of confidentiality, integrity, and availability. These ratings will occur over time, starting with those data elements that pose the greatest risk to the university, or that have the greatest compliance requirements.

A list of data elements with their corresponding data classification ranking will be generated by the information security office through collaboration with university parties, including at a minimum the listed reviewers of this policy, and approved by the Ohio university president and executive staff. Those officially classified data sets and guidance for the different levels of data, including notation and suggested methods of protection will be included at https://www.ohio.edu/oit/security/Data-Classification.cfm.

The following policies apply to data elements at these particular levels. If a particular data element has a combination of ratings, the highest rating will take precedence. Failure to adhere to the following shall also be considered to be a violation of policy 91.003 and may result in disciplinary action.

(1) High

User roles or systems handling data with a high classification shall be reviewed and approved by the appropriate data steward, information security office, and chief information officer on an annual basis with appropriate input from interested parties throughout the university. Those systems and business processes surrounding the data elements shall be reviewed prior to being put into production, or containing sensitive information, and thereafter on an annual basis, by the information security office, to ensure that security controls are adequate.

(2) Medium

User roles or systems handling data with a medium classification shall be reviewed and maintained by the information security office, appropriate data steward, and supervisor or department head as appropriate. Those systems and business processes surrounding the data elements shall be reviewed on a periodic, sequential basis by the information security office, to ensure that security controls are adequate.

(3) Low

User roles or systems handling data with a low classification shall be reviewed and maintained by the appropriate supervisor or department head as appropriate. Guidelines for best practices in handling this classification of data will be provided by the information security office upon request. A security review of systems with a low security rating will be done by the information security office at the request of the department as time and resources allow.

The version of this rule that includes live links to associated resources is online at

https://www.ohio.edu/policy/93-001.html

The version of this rule that includes live links to associated resources is online at

https://www.ohio.edu/policy/93-002.html

(A) Overview

This policy establishes general guidelines and procedures by which to assure economy and efficiency in the identification, retention, retrieval, preservation, and destruction of university records in compliance with state and federal regulations.

(B) Authority and history

According to division (B) of section 149.33 of the Revised Code, the boards of trustees of state-supported institutions of higher education shall have full responsibility for establishing and administering records programs for their respective institutions. The boards shall apply efficient and economical management methods to the creation, utilization, maintenance, retention, preservation, and disposition of the records of their respective institutions.

Resolution 1992-1218 of the Ohio university board of trustees empowers the president of the university to appoint a standing university records committee "which shall be responsible for actions regarding the university's records management policies and procedures." The same resolution authorized a "university-wide records management policy which shall oversee the creation, maintenance, and disposition of all records in units and sub-units of the university."

In keeping with that resolution, the university records committee has directed "provision for the equipping and professional staffing of the records management office," which, it charged, "shall monitor the creation, maintenance, and disposition of university records throughout the system."

Each planning unit head, or his or her designee, who oversees custody of university records is, therefore, responsible for consulting the university archivist and records manager to establish and maintain compliance with current records retention guidelines specific to records that are created or received by their office.

The university records committee also recognized the Ohio university archives "as the official repository for Ohio university records of enduring and permanent value," and the committee established a records storage facility "to hold records during their inactive phase, prior to disposal or transfer to the archives."

(C) Definitions and legal requirements

University records and public access to them are defined and explained under policy 40.007.

All questions about laws related to public requests for access to university records should be directed to the university's office of legal affairs.

(D) Records retention manual

The manual titled "Records Retention for Public Colleges and Universities in Ohio," represents the work of a special committee of the inter-university council of Ohio in consultation with an international records specialist. This manual shall be used by the university records manager as the basic guideline for determining the legal retention periods for university records. If, in the future, the inter-university council of Ohio updates the most recent records retention manual or creates or adopts a different manual, such new manual shall be used by the university records manager for determining legal retention periods for university records.

(E) Process

The establishment of a centralized records management office is necessary to ensure the university's consistent compliance with state and federal records retention requirements and to facilitate removal, storage, and destruction or preservation of university records. Therefore, the person designated as the university records manager, guided by the recommendations of the records retention manual, is authorized by the Ohio university board of trustees to determine the disposition of university records. Issues of the disposition of university records and subsequent removal, storage, and destruction or preservation of those records shall be determined in the manner established by parts (F) to (L) of this policy.

(F) University records committee

The university records committee serves two roles: it provides specific oversight for this policy and it is the policy area committee ("PAC") for data handling, including university data classification according to sensitivity. Other policies (in preparation) will address the general role of information technology PACs and the other specific roles of this committee.

The university records committee is a standing committee, and so will be staffed through the committee on committees process. The committee will be chaired by the chief information officer. It will include the university records manager and the following people (or someone designated by each of them):

(1) Vice president for advancement

(2) Vice president for research and creative activities

(3) General counsel (advisory)

(4) Chief human resource officer

(5) Information security manager

(6) Dean of the heritage college of osteopathic medicine

(7) University registrar

(8) Controller

(9) Chief audit executive (advisory)

(10) Chief marketing officer

(11) Director of government relations

(12) Executive dean of regional campuses

(13) Assistant vice president for safety and risk management

(14) Associate provost for institutional research and effectiveness

The committee shall seek advice from and provide advice to the university records manager; provide interpretation of this policy, as needed; recommend changes to this policy, as needed; review and provide feedback on the electronic records guidelines published by the office of information technology (see part (L) of this policy); and identify other opportunities to improve the handling of university records.

(G) Records retention

All staff of the university whose regular or occasional performance of functions involves creating, receiving, or maintaining files, records, or documents pertaining to the duties and functions of their offices are required to observe the following:

(1) Records that document the organization, functions, policies, decisions, procedures, operations, or other official activities of university offices and personnel are the property of Ohio university and the state of Ohio.

(2) Such property is not to be permanently removed or destroyed except in accordance with the schedule for that unit as approved by:

(a) The administrator in charge of the area in which the records are generated or received; and

(b) The university records manager.

(3) The head of each planning unit or his or her designee will determine in conjunction with the university records manager the appropriate retention periods for the records series that are created, received, or maintained by their respective units.

(H) Inventories and schedules for university records

It shall be the responsibility of each planning unit head or his or her designee, with guidance and approval of the university records manager, to conduct records inventories and analyses and to establish the official records retention schedules for their respective units. This shall be done in the following manner:

(1) Each planning unit that generates, receives, or maintains university records shall complete and maintain up to date an inventory of their various series of records including such information as the names of the records series, descriptions of the purposes for each series, and the date(s) of each series.

(2) Each planning unit, using the records retention manual as a guide, shall then submit to the university records manager for approval a draft schedule for the retention and disposition of each records series thusly inventoried.

(3) Once the draft schedule is approved and signed by the university records manager and by the head of the planning unit that has provided the draft proposal, a final records retention schedule shall be produced for that unit by the university records manager.

(I) Removal and storage of university records

(1) Records for which retention dates have been officially scheduled shall be retained until such time as their retention dates have been reached. The university records manager may provide space on a limited basis at a safe, secure records storage facility where units may store records that have not yet reached their scheduled expiration dates. Records maintenance personnel from each unit that is granted permission to transfer records from their unit to the records storage facility must generate and maintain a complete inventory of the records that they are transferring to the storage facility, and they must provide a copy of the inventory to the university records manager. The records manager will provide records storage boxes to the units transferring records, and the records generating unit will be responsible for packing the boxes and labeling those boxes so that the contents of each box may be easily identified for retrieval or destruction.

(2) Some records, which have longer or permanent retention periods, also may be stored on a limited basis at the records storage facility with the approval of the university records manager, who may first require the unit to make arrangements to have those records more appropriately preserved; see part (J) ("Preservation of University Records") of this policy.

(3) Records that have been transferred to the records storage facility are still considered to be the property of the offices from which they have been transferred, and requests to the university records manager for retrievals of copies of those records or for retrievals of the original records in full or in part may be made by the offices from which the records were sent for storage. No record(s) shall be retrieved or reproduced from the storage facility at the request of anyone other than the records maintaining personnel or administrators of the offices from which those records were originally transferred unless permission is otherwise granted by the office from which the record(s) were transferred, except in cases of official university investigation, responding to requests from the office of legal affairs, or for audit purposes.

(J) Preservation of university records

(1) Records that have been identified in the schedule as "archival" for their enduring historical value may be transferred to the university archives upon the approval of the university archivist. The university archivist may supply standard size records boxes for units that are preparing to send records to the archives. University records and the boxes in which they are transferred to the archives shall be clearly identified and labeled before transfer, and units transferring records to the archives shall supply the archives with a complete inventory of the records being transferred.

(2) Records that are transferred to university archives (located in Alden library) become the administrative responsibility of the archives, and, unless otherwise stipulated by agreement, such records shall reside permanently in the archives. Most university records housed in the archives are subject to unrestricted public access. The relatively few series of archived university records to which access is legally restricted may be examined by staff from the office of origin of those records upon the request of the administrator of that office and in agreement with the university archivist.

(3) In order to help guarantee the preservation, integrity, and security of records that have been turned over to the archives, access to records housed in the archives -- whether by the general public or by university staff -- shall be on-premise only. Archive staff may agree to photocopy or scan records for a fee if the condition and integrity of the original records will not be in any way damaged or otherwise altered during the process of placing them on scanners or photocopiers.

(4) Section 9.01 of the Revised Code authorizes microfilming the records of public offices for the purpose of preserving them or for the purpose of conserving space. The office of the university archivist and records manager therefore urges units that generate large amounts of paper records that have been determined to be of enduring administrative, legal, or historical value to make arrangements to have such records microfilmed. Although digitizing (scanning) has become a convenient way by which to maintain and access records that are retained over shorter periods, microfilming is still the safest, most secure, and most durable means of preserving records that must be retained more permanently. The university records manager shall, upon request, supply units with information concerning microfilming.

(K) Disposal of university records

(1) When a unit head or his or her designee has determined by the retention schedule that records within their unit have reached or have exceeded the legal retention period, and that the records have no further administrative, legal, or historical value, the administrative head of the unit shall arrange for the disposal of those records.

(2) Upon the disposal of records, the head of the unit shall sign and maintain appropriate records documenting such information as title, contents, and purpose of the disposed records, legal retention period, as well as date and method of disposal.

(3) When the university records manager is to oversee the removal and destruction of records that have reached their retention period from the off-site storage facility, as identified in part (I) of this policy, the university records manager shall first inform the responsible unit, in writing, of his or her intent to destroy those records, preserving a copy of that notice and of the subsequent reply from the unit acknowledging and consenting to the destruction of the records.

(4) Records that contain materials that are of a confidential nature -- especially but not exclusively those records that are included under FERPA or HIPAA stipulations -- shall be destroyed in a manner consistent with best practices to reasonably ensure that the data is not recoverable.

(5) Some less-formal records that have shorter-lived administrative or legal value are categorized as "transitory." Retention periods for transitory records are usually event-driven, rather than being a fixed period of time. Examples of transitory records include preliminary drafts and notes, used in the production of university records, which are proper to dispose of when those drafts or notes have been superseded or updated by other records; policies and procedures documents that have been superseded or withdrawn (university archives shall, and other offices may, retain copies of superseded and withdrawn policies); voice mail; and records relating to scheduling meetings and other non-public events. Such records should be retained until they are no longer of administrative or legal value and may then be destroyed, deleted, or purged at any time without acknowledgement or approval of the university records manager. For further advice as to whether a record should be classified as transitory or not, please contact the university records manager.

(L) Retention and disposal guidelines for electronic records

(1) Electronic records, including electronic mail (e-mail) messages and personal computer disk files, that document the organization, functions, policies, decisions, procedures, operations, or other activities of a university office shall be considered records in accordance with the Revised Code definition of records. (For examples of electronic records that are not considered to be university records see the next paragraph of this part (L)(1) of this policy.) Therefore, all such electronic records that are generated or received by university offices shall fall under all of the regulations established by the federal and state law, and shall be subject to the university policies and procedures for records retention and disposal as outlined previously in this document. For example, the retention period for requisitions that are created or received electronically by a university office shall be the same as the retention period for those requisitions that are generated or received on paper or in any other fixed medium.

Examples of electronic records that would not fit the criteria for public records as defined by the Revised Code would be e-mail messages of a personal nature that do not pertain in any way to the conducting of university business, even though they were received on university e-mail systems, and messages received from interest-group listservs. These types of records, generally categorized as transitory, may be deleted or purged at any time.

(2) The office of information technology will maintain guidelines for the appropriate management of electronic mail online at https://www.ohio.edu/oit/security/electronicrecords.cfm.

The version of this rule that includes live links to associated resources is online at

https://www.ohio.edu/policy/93-002.html