Data Risk Classification Policy

The University at Buffalo (UB, university) is committed to protecting the confidentiality, integrity, and availability of university data. All university data must be classified into one of three data classification categories:

Protection of Category 1 – Restricted Data is required by law or regulation. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.

Restricted data includes the definition of private information in the New York State (NYS) Security Breach and Notification Act as a foundation: bank account, credit card, debit card numbers; social security numbers; state-issued driver license numbers; and state-issued non-driver identification numbers. To this list, university policy adds protected health information (PHI), computer passwords, other computer access protection data, passport numbers, as well as research data which requires the use of PHI and personally identifiable information (PII).

Individuals who access, process, store, or in any other way handle Category 1 – Restricted Data must implement controls and security measures as required by relevant laws, regulations, university policies, and supporting standards. In instances where laws and/or regulations conflict with university policy, the more restrictive policy, law, or regulation governs.

Category 2 – Private Data includes university data which is not identified as Category 1 – Restricted Data, but which is protected by state and federal regulations. This includes Family Educational Rights and Privacy Act (FERPA) – protected student records and electronic records that are specifically exempt from disclosure by the New York State (NYS) Freedom of Information Law (FOIL), as well as Research Foundation (RF) proprietary data, and all University at Buffalo research data.

Category 2 - Private Data must be protected to ensure that they are not disclosed in a FOIL request. Category 2 - Private Data must be protected to ensure that they are only disclosed as required by law. Decisions about disclosure must be made by the Records Management Officer.

Category 3 – Public Data includes all other university data which is not included in Category 1 – Restricted Data or Category 2 – Private Data. Category 3 – Public Data includes any data that is releasable in accordance with FOIL. This category also includes general access data, such as that available on unauthenticated portions of UB’s website. Public data has no requirements for confidentiality; however, systems housing the data should take reasonable measures to protect its accuracy.

UB complies with applicable regulatory requirements concerning data breaches including but not limited to the NYS Information Security Breach and Notification Act, Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach Bliley Act (GLBA), FERPA, and the Payment Card Industry Data Security Standard (PCI DSS). In instances of uncertainty regarding data classification the most restrictive data classification must be applied.

Violations of this policy and all related policies, standards, or guidance documents may result in financial or reputational losses and/or legal actions for the university, as well as any individuals responsible for handling and protecting university data.

Data Users who misuse data and/or illegally access data are subject to sanctions or penalties in accordance with employee relations policies. Sanctions or penalties are based on the standards outlined in university policy, state or federal regulations, and the appropriate collective bargaining agreements. Individuals found to be in violation of this policy and other university policies related to  restricted data may face corrective action commensurate with the violation, up to and including termination or expulsion.

Individuals who suspect a misuse of standards and policies related to Category 1 or Category 2 data must report their concerns to their applicable Data Trustee or the Information Security Officer (ISO). 

University academic and administrative data are valuable assets and often contain detailed information about the university, as well as personal information about faculty, staff, students, and other third parties affiliated with the university. Protecting this information is essential.

This policy applies to all data or information created, collected, stored, or processed by the university, whether in electronic or non-electronic formats. Data that is personal to the operator of a system and stored on a university information technology (IT) resource as a result of incidental personal use is not considered university data. 

Data Administration

The responsibility for the activities of data administration, including detailed data definition, is shared among the Data Stewards, Data Managers, and the Vice President and Chief Information Officer (VPCIO).

Senior Leader

Designated as the president, provost, vice provosts, executive vice presidents, vice presidents, associate vice presidents, and deans who are eligible for access to enterprise-wide aggregate and summary university data. Senior management is authorized to delegate access of enterprise-wide aggregate and summary university data, as deemed appropriate.

Third Party

Any entity which is legally separate from the University at Buffalo, but who the university may partner with when conducting business.

University Data

Items of information which are collected, maintained, and utilized by the university for the purpose of carrying out institutional business. Includes centrally stored data, as well as data generated and stored in university departments and decanal units All university data is required to have an identified Data Trustee.

• University officials and their staff with operational-level responsibility for information management activities related to the capture, maintenance, and dissemination of data. Data Stewards may delegate data administration activities to Data Managers.

The University at Buffalo owns all university data, while individual units or departments may have stewardship responsibility for portions of such data.

• Administer activities delegated by data stewards.
• Maintain physical and system security and safeguards appropriate to the classification level of the data in their custody.

University official who has planning and policy-level responsibilities for data in their functional areas. Data Stewards are assigned by the Data Trustee.

• Adhere to the principles of least privilege and minimum-necessary.
• Create and maintain data documentation, including data dictionaries, data flow diagrams, and data lineage.
• Develop and maintain clear and consistent procedures for data access and use in keeping with university policies.
• Educate faculty, staff, and students on data-related matters.
• Ensure that training and awareness of the terms of this policy are provided.
• Ensure data in their functional area is accurate, consistent, and reliable.
• Oversee defined elements of institutional data.
• Implement and enforce data policies, standards, and practices, including definition of data ownership, access controls, data classification, and data lifecycle management.
• Maintain metadata – information about data elements, their definitions, and relationships.
• Manage data security in privacy, in conjunction with the ISO.
• Grant, renew, and revoke access to Data Managers and/or Data Users (as delegated by Data Trustees), as appropriate.
• Monitor compliance with this policy.
• Prevent unauthorized access to Category 1 Restricted Data and Category 2 Private Data.
• Report concerns and possible incidents to management for evaluation and response.
• Manage planning and policy-level matters for data in their functional areas.

Senior leader of the university (i.e., vice president, vice provost, dean) who has responsibility for areas that have systems of record.

• Assign and oversee data stewards.
• Adhere to the principles of least privilege and minimum-necessary.
• Control university data by granting access, renewing access, and revoking access to Data Stewards, Data Managers, and/or Data Users. Data Trustees may delegate this responsibility to Data Stewards or Data Managers.
• Ensure that Data Stewards in their area are compliant with data governance principles.
• Establish data policies within their functional areas.
• Comply with legal and regulatory requirements specific to their domain.
• Promote data quality and use.
• Report concerns and possible incidents to management for evaluation and response.

An individual who needs and uses university data as part of their assigned duties or to fulfill their role in the university community, with access as granted by a Data Trustee or Data Steward.

• Access, retrieve, update, process, analyze, store, distribute, or in other manners use university data for the legitimate and documented conduct of university business.
• Adhere to the principles of least privilege and minimum-necessary.
• Follow appropriate safeguards to protect data based on its classification.
• Follow all university policies, procedures, and standards related to data security classification and security level, including applicable federal and state laws.
• Implement appropriate safeguards to protect data.
• Maintain the confidentiality, integrity, and availability of university data.
• Report concerns and possible incidents to management for evaluation and response.
• Complete the Handling Data Safely training successfully, prior to receiving data access.
• Use data for the purposes in which access is granted.

• Conduct periodic security reviews of systems approved for storing and handling protected data.
• Develop and deliver enterprise information security strategy, governance, and policy in support of institutional goals. Information security incidents must be reported to the ISO.
• Review and approve departmental collection, storage, and transmission of data when necessary, according to its classification.
• Serve on the Cloud Services Review Committee.

• Evaluate, develop, and recommend information security and privacy policies, procedures, and operations vital to protecting and sustaining the university’s mission.

• Determine appropriate record disclosures pertaining to FOIL requests.

• Provide leadership for development and delivery of information technology (IT) services to the university. 
• Oversee an enterprise IT services organization, Computing, and Information Technology (CIT), and work in partnership with UB’s schools, colleges, and administrative IT units to enable a unified and productive IT experience for students, faculty, and staff.