KUMC Data Classification Policy

Policy
Purpose: 

Information is a valuable University of Kansas Medical Center (“KUMC”) asset and is critical to the mission of teaching, research, and service to Kansans.  This policy establishes a framework for classifying institutional data based on its level of sensitivity, value and criticality to KUMC.

Applies to: 

KUMC employees (faculty, staff, student employees) and other covered individuals (e.g., affiliates, vendors, independent contractors, etc.) in their handling of KUMC data, information, and records in any form (paper, digital text, image, audio, video, microfilm, etc.) during the course of conducting KUMC business (administrative, financial, teaching, research, or service).

Campus: 
Medical Center, Kansas City
Wichita
Salina
Policy Statement: 

All KUMC employees and other covered individuals are responsible for:

  1. Understanding what constitutes Low Risk Data, Moderate Risk Data and High Risk Data; and
  2. Managing such data in a manner consistent with the criticality of and the requirements for confidentiality associated with the data in any form (electronic, documentary, audio, video, etc.) throughout the entire information lifecycle (from creation through preservation or disposal).

Data Classification

Data Classification is the classification of data based on its level of sensitivity and the impact to KUMC should that data be disclosed, altered or destroyed without authorization.  The classification of data helps determine what baseline security controls are appropriate for safeguarding data. 

Data Trustee

A Data Trustee is a member of the Executive Vice Chancellor’s Leadership Team, such as a Dean or Vice Chancellor, with ultimate responsibility for the use and protection of KUMC data. The responsibilities of a Data Trustee include authorizing policies, standards and guidelines regarding data classification and handling, appointing Data Custodians within their subject area domains and appointing System Owners for the information systems for which they are responsible.    

Data Custodian

A Data Custodian is charged with responsibility for assuring that the institutional or unit/department-level data for which he or she is responsible has been assigned an appropriate data classification.  Data Custodians must identify systems of records containing KUMC information, categorize institutional information within the systems as Low Risk, Moderate Risk or High Risk, and communicate the data classifications to affected groups and individuals.

System Manager

A System Manager, generally an IT staff member, is charged with managing the confidentiality, integrity and availability of the information system for which he or she is responsible.

Workforce Member

Workforce Members are employees, trainees, students, volunteers and other entities or persons who perform work for KUMC.  All Workforce Members are required to comply with applicable laws and regulations, and University policies and guidelines, when accessing and handling KUMC data.  Workforce Members shall only access and use KUMC information systems and information to fulfill authorized job duties or activities for KUMC.

If you have any questions about how to classify data for these purposes, please contact the KUMC Privacy Officer at (913) 588-0940 or Information Security at kumc-security@kumc.edu for assistance.  For questions regarding applicable Export Control requirements please contact KUMC’s Export Control Officer at (913) 588-6835.

All KUMC information whether at rest (i.e., stored in databases, tables, email systems, file cabinets, desk drawers, etc.) or in use (i.e., being: processed by application systems, electronically transmitted, used in spreadsheets, or manually manipulated, etc.) must be classified into one of the three classification levels described in this policy by each Data Custodian for that information.

  1. Determining a classification level should be done according to an assessment of the need for confidentiality of the information.
  2. To assist each unit or department, KUMC has defined three classification levels: Low Risk Data, Moderate Risk Data and High Risk Data.
  • Low Risk Data:  Data should be classified as Low Risk Data if the data is intended for public dissemination or if the loss of confidentiality, integrity, or availability of the data would have little or no adverse impact on our mission, safety, finances or reputation.
  • Moderate Risk Data:  Data should be classified as Moderate Risk Data if the data is not High Risk Data, is not generally available to the public, and the loss of confidentiality, integrity, or availability of the data or system could have a moderately adverse impact on our mission, safety, finances or reputation.
  • High Risk Data:  Data should be classified as High Risk Data if the protection of the data is required by law/regulation; if the University is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed; or if the loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances or reputation. The High Risk Data category encompasses the most sensitive data.  However, some types of high risk data may have stricter requirements in addition to the minimum standard requirements.
  • The appropriate classification of each data set is based on the classification of the highest risk data stored in the data set (e.g., the database, table, file, etc.), or accessed by systems or people. This is true even if the data set contains other information that would qualify for a lower level of protection if it were stored separately. For example, if a data collection consists of a student’s name, address and social security number, the data collection should be classified as High Risk Data even though the student’s name and address may be considered Public information.  Examples of the classes of information are provided in the Data Classification and Data Types guidance. Failure to classify data as required by this policy will result in a default classification of High Risk.
  3. Access to certain information must be strictly limited to protect the University and individuals from loss.  Limiting access to authorized individuals/entities/devices ensures legal obligations are fulfilled and/or protects KUMC and its stakeholders from the disclosure of data which is sensitive in nature.
  4. All individuals covered under this policy are required to handle University information per the procedural controls found in the Data Classification and Handling Procedures Guide.

Reclassification

It is important to reevaluate the classification of institutional data to ensure the assigned classification is still appropriate based on changes to legal and contractual obligations as well as changes in the use of the data or its value to the University. The Data Custodian, in consultation with the KUMC Privacy Official and/or KUMC Security Official should determine what frequency is most appropriate based upon applicable KUMC requirements and available resources.  If a Data Custodian determines that the classification of a certain data set has changed, an analysis of security controls should be performed to determine whether existing controls are consistent with the new classification. If gaps are found in existing security controls, they should be corrected in a timely manner, commensurate with the level of risk presented by the gaps.

Contact: 

KUMC Information Security kumc-security@kumc.edu

KUMC Privacy Official 913-588-0940

Approved by: 
Vice Chancellor for Administration
Approved on: 
Thursday, June 30, 2016
Effective on: 
Thursday, June 30, 2016
Review Cycle: 
Annual (As Needed)
Keywords: 
governance, data, information
Review, Approval & Change History: 

2016 04 28: Added link to guidance

2016 09 12: Updated contacts

2016 06 30: New

Information Access & Technology Categories: 
Information Access
Information Technology
Privacy & Security
Research and Sponsored Projects Category: 
Research and Sponsored Projects