Skip to main content

Policies about Data

The University has a number of official policies, standards, and procedures addressing appropriate use, protection, access, etc. This is a good collection to become familiar with if you have specific questions.

The Information Classification Standard divides all University data, that is data for which the University has some sort of responsibility, into four tiers – Tier 0 through Tier 3. Tiers 2 and 3 are classified as Sensitive information. The Standard doesn’t tell you what to do with the data, only how to tell what tier it falls into. Other policies and standards describe how to use and protect data based on its tier.
The Information Security Office publishes the Information Security Controls Standard to provide a comprehensive minimum set of security controls to apply to information in each classification tier. Tier 3 has a broad set of controls, and Tier 0 has a much smaller set of required controls.
The Enterprise Data Governance Policy and Standard defines the organizational responsibilities to make rules and processes for the use and protection of University data.

There are a number of Information Security policies and standards that speak to specific ways to protect information.

Vendor Management addresses our responsibilities when we contract with third parties that will have access to our data.

Access Control Policy and Standard speak to how to make sure that people using systems with our data are properly authorized (and de-authorized) and that people who aren’t authorized don’t have access.

The Transmission of Sensitive Information Standard describes how to protect Tier 2 and 3 information when it’s sent from place to place.

Some categories of information like HIPAA-protected personal health information (PHI), FERPA-protected student information, or purchasing card information (PCI) have policies as well.

Individual schools and departments may have more specific policies and standards related to using information such as HIPAA Covered Units.

We have Information Security Liaisons in each department to help with all of this. If you still have questions about the sorts of data you have, or need, and how it may be covered by a policy, submit an University Data Assistance request at help.unc.edu.