Executive Policy 2.214

Title

Institutional Data Classification Categories and Information Security Guidelines

Header

Executive Policy Chapter 2, Administration
Executive Policy EP 2.214, Institutional Data Classification Categories and Information Security Guidelines
Effective Date:  December 2025
Dates Amended: August 2019, January 2018, October 2014, April 2012, April 2009
Responsible Offices: Office of the Vice President for Information Technology
Governing Board of Regents Policy: RP 2.202, Duties of the President
Review Date: December 2027

I. Purpose

The objective of this executive policy is to organize UH Institutional Data into data classification categories based on different levels of security risk and penalties that may result from the inadvertent exposure and inappropriate disclosure of those data.

II. Definitions

  1. “Institutional Data” – Data elements/data records which are created, received, maintained and/or transmitted by the University of Hawai‘i in the course of meeting its administrative and academic requirements.

  2. “Personally Identifiable Information” (“PII”) – Data or information, or a combination of data or information that when considered together, would identify an individual. The level of security risk when managing PII varies from none to very high, depending on the data elements involved.

  3. “Physically Secured” – The storage of electronic media or paper containing Institutional Data in a non-public, controlled area such as an area accessible only to a trusted, known group of individuals or in a locked room or file cabinet when there is no authorized individual present. Classrooms and lab areas are considered public locations.

  4. “Protected Data” – Institutional Data that are subject to security and privacy considerations (i.e., all non-public data) and range from low to high risk. Within the UH Institutional Data Classification Categories, protected data encompasses those that fall under the “Restricted,” “Sensitive,” and “Regulated” categories. See section III-B for category descriptions.

Selected data elements/data records that fall under the sensitive or regulated categories may be subject to federal, state, and local regulations or industry standards. Data protections should follow ITS’ Minimum Security Standards which are based on these regulations and standards.

This policy is not intended to supersede those regulations, but to promote and reinforce them. Should a provision in this policy conflict with applicable state, federal, or local regulations, the applicable regulation takes precedence and will govern.

III. Executive Policy

  1. POLICY STATEMENT
    The University of Hawai‘i is committed to protecting the privacy and security of Institutional Data, one of its most valuable institutional assets.

  2. DATA CLASSIFICATION CATEGORIES

    1. “Public” – Institutional Data where access is not restricted and is subject to open records requests. There are no risk or privacy considerations. This category includes: 1) student directory information as defined in UH’s Administrative Procedure, AP7.022, Procedures Relating to Protection of the Educational Rights and Privacy of Students; and, 2) public employee information as defined in Hawai‘i Revised Statutes (HRS) 92F-12 under the Uniform Information Practices Act.
      The loss of confidentiality, integrity, or availability of the data would have no adverse impact on the University’s mission, safety, finances, or reputation. See Attachment 1 for examples of Public Data.

    2. “Restricted” – Institutional Data used internally within the UH community to meet academic and administrative requirements. Restricted data is considered low risk; however, it should not be distributed to external parties except under the terms of a written memorandum of agreement or contract. Data is maintained in a physically secured location.
      The loss of confidentiality, integrity, or availability of the data could have a mildly adverse impact on the University’s mission, safety, finances, or reputation. See Attachment 1 for examples of Restricted Data.

    3. “Sensitive” – Institutional Data subject to privacy or security considerations. Sensitive data is considered medium risk. Data is maintained in a physically secured location.
      The loss of confidentiality, integrity, or availability of the data could have a medium to large adverse impact on the University’s mission, safety, finances, or reputation. See Attachment 1 for examples of Sensitive Data.

    4. “Regulated” – Institutional Data subject to federal and state regulations and standards. Inadvertent disclosure or inappropriate access requires formal breach notifications at the state or federal levels and/or the assessment of financial fines. Social Security Number (SSN), Payment Card Industry Data Security Standard (PCI DSS) credit card information, Health Insurance Portability and Accountability Act (HIPAA) data, and Free Application for Federal Student Aid (FAFSA) data fall within this category. Data is maintained in a physically secured location.
      The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on the University’s mission, safety, finances, or reputation. See Attachment 1 for examples of Regulated Data.

    Attachment 1 is not intended to be an exhaustive list but is an attempt to capture the more common data elements (and, in some cases, types of data) used by the University to conduct its daily business. Institutional Data that are not listed shall be considered Sensitive until otherwise determined. For guidance on Institutional Data not listed in Attachment 1, email datagov@hawaii.edu.

  3. DATA MANAGEMENT GUIDELINES AND BEST PRACTICES

    1. SSN will not be used as an identifier in any University information system and its use as an identifier shall be phased out in all existing systems. This includes use of the SSN as an optional identifier in legacy systems, which is similarly prohibited. The SSN may be included as a data element in an information system only where it is required for financial processing (e.g., payroll or student tax reporting) or other uses consistent with federal and state law. For example, the University may require the use of the SSN as part of the essential process of identifying when a person has contact with the university using different names, or to distinguish between individuals who have the same name. In situations such as these, the SSN may be used only as a data element and not as an identifier. The SSN must be purged from all other information systems.

    2. Documents or records that contain Institutional Data from multiple classification categories will be managed according to the highest level of classification.

    3. Individuals with access to Protected Data are required to complete UH’s annual Information Security Awareness Training (ISAT). Refer to UH Administrative Procedure 2.215, Mandatory Training on Data Privacy and Security, for more information on the ISAT.

    4. Lists of student directory data (which are categorized as Public) shall not be released to third parties except under the terms of a contract or memorandum of agreement. Refer to UH Administrative Procedure AP7.022, Procedures Relating to Protection of the Educational Rights and Privacy of Students which is UH’s interpretation of the federal Family Educational Rights and Privacy Act.

    5. When displaying Protected Data in aggregate (i.e., not on an individualized basis), appropriate care must be taken to protect the identities of the individuals such that a person cannot identify any of the individuals with reasonable certainty. Note that data elements may not be personally identifiable when considered alone. However, when considered in combination with other data elements, they may reveal the identity of an individual. For example, average GPA by major may be reported. But if ethnicity is added, and there is only one individual within an ethnicity category, the identity of the individual and his/her GPA may be revealed. Therefore, the mix of data elements being shared, and the highest data classification category involved, must be considered and appropriate measures taken before release.
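The small-cell disclosure risk described in item 5, shown as an added Python example that is not part of the policy: group means are withheld below an assumed minimum cell size of 5, and a lone withheld cell within a major is complemented so its value cannot be recovered by subtraction from the published major average. The records, categories and threshold are all constructed for illustration.

```python
# Added example, not part of EP 2.214: cell-size suppression for aggregate reports,
# using the policy's "average GPA by major, then by ethnicity" scenario.
from collections import defaultdict

MIN_CELL = 5  # assumed minimum individuals per published cell; the policy sets no number

# Constructed sample records (hypothetical values, not real student data).
RECORDS = (
    [{"major": "ICS", "ethnicity": "A", "gpa": g} for g in (3.0, 3.4, 3.6, 2.8, 3.2)]
    + [{"major": "ICS", "ethnicity": "B", "gpa": 3.9}]  # a single person in this cell
    + [{"major": "MATH", "ethnicity": "A", "gpa": g} for g in (3.5, 3.1, 3.7, 2.9, 3.3)]
)


def cell_values(records, keys):
    """Group records by the given keys; returns {key_tuple: [gpa, ...]}."""
    cells = defaultdict(list)
    for r in records:
        cells[tuple(r[k] for k in keys)].append(r["gpa"])
    return cells


def build_report(records, keys, min_cell=MIN_CELL):
    """Publishable {cell: mean GPA or None} after primary and complementary suppression.

    Primary: a cell holding fewer than min_cell people is withheld (None).
    Complementary: if a parent group (first key, e.g. the major) has exactly one
    withheld child, that child's value could be recovered from the parent's
    published average and the other children, so the smallest remaining child
    in the group is withheld as well.
    """
    cells = cell_values(records, keys)
    report = {k: round(sum(v) / len(v), 2) if len(v) >= min_cell else None
              for k, v in cells.items()}
    if len(keys) > 1:
        by_parent = defaultdict(list)
        for k in cells:
            by_parent[k[0]].append(k)
        for children in by_parent.values():
            hidden = [k for k in children if report[k] is None]
            shown = [k for k in children if report[k] is not None]
            if len(hidden) == 1 and shown:
                report[min(shown, key=lambda k: len(cells[k]))] = None
    return report


if __name__ == "__main__":
    print(build_report(RECORDS, ("major",)))               # both majors published
    print(build_report(RECORDS, ("major", "ethnicity")))   # ICS detail withheld
```

With ethnicity added, the single-person ICS/B cell is withheld, and ICS/A is withheld too because ICS/A plus the published ICS average would otherwise reveal the lone GPA.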

    6. Notwithstanding any records retention policies, paper and electronic transaction records containing Regulated data, such as SSN or personal financial information, will be redacted or removed/destroyed when considered nonessential.

  4. DATA SECURITY MEASURES

    1. Technical guidelines for each data classification category shall be followed to prevent the inadvertent exposure and inappropriate disclosure of Institutional Data that are considered Protected Data. Technical guidelines by type of storage device are part of the UH Information Security Program, which is administered by the Information Technology Services (ITS) Information Security Team (InfoSec).

    2. Upon discovery of an inadvertent exposure or inappropriate disclosure of Protected Data, InfoSec should be notified immediately. An investigation by InfoSec may be required to identify the cause(s) of the incident. Additional information on incident handling procedures is available at http://www.hawaii.edu/infosec/notification.

    3. As stated in Executive Policy 2.215, Institutional Data Governance, ITS has the full authority to enforce technical measures to ensure the security and confidentiality of protected data that are stored or transmitted, whether intentionally or unintentionally, on University systems and networks, including but not limited to immediate disconnection of compromised systems and devices from the University network.

    4. ITS has the authority to conduct network and device scanning to identify security weaknesses in any University information system, device, or network that may compromise sensitive information or the operations and availability of institutional services.
      ITS also has the authority to require that all servers operating on the University network be regularly scanned for sensitive information and vulnerabilities, and be protected in accordance with the appropriate data security guidelines for their data classification categories.

    5. To better protect the University’s Institutional Data, ITS may require departments/units/programs to periodically report on the data element/records that they manage. Reporting requirements administered by ITS include Personal Information (PI) and Health Insurance Portability and Accountability Act (HIPAA) surveys and server registrations.
      The PI survey is part of an HRS §487N-7 requirement under which UH must annually prepare a report describing the information systems that contain personal information. ITS is responsible for submitting this report and maintains a secure online system for units to report such systems. Chancellors and Vice Presidents are responsible for ensuring that units under their purview report systems containing Protected Data and update the information at least annually.

    6. The Information Security Governance Council (ISGC), comprised of Information Security Coordinators and Information Technology Leads, is responsible for ensuring compliance with data governance and information security mandates and policies for their units. This includes the completion of the annual personal information survey and server registrations.

    7. The UH Board of Regents approved a Federal Trade Commission (FTC) Red Flags Rule Identity Theft Prevention Program for UH. The program falls under the FTC’s Red Flags Rule, 16 CFR Part 681, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003. The purpose of the Identity Theft Prevention Program is to detect, prevent and mitigate identity theft in connection with a “covered account” which involves the University extending credit to an individual to obtain goods or services, or accepting a deposit from the individual, and involves multiple payments or transactions. See Attachment II for details.

    8. Personnel related actions

      1. Terminations
        When an employee with access to Protected Data voluntarily separates from the University, his/her access will be revoked at the time of separation. The appointing authority shall be responsible for initiating the revocation of access.
        In the case of an employer-initiated termination of employment of personnel with access to Protected Data, access may, as circumstances warrant, be revoked immediately at the time of notification, or as soon as may be consistent with an applicable collective bargaining agreement.

      2. Violations
        In the event of an inadvertent exposure or inappropriate disclosure or deletion of Protected Data, the chancellor or vice president of the affected unit will be informed. Any resulting investigation into the incident will follow University policies and procedures and applicable collective bargaining agreements should any potential misconduct be identified.

      3. Personnel Background Checks
        Prior to granting an employee access to Protected Data, an appropriate background check may be performed by the appointing authority in accord with applicable policies and procedures.

IV. Delegation of Authority

There is no policy-specific delegation of authority.

V. Contact Information

Data Governance Office
Sandra Furuto, 956-7487, yano@hawaii.edu

VI. References

Executive Policy EP2.215, Institutional Data Governance, provides the overall structure for the University’s data governance program. It describes the fundamental principles and best practices governing the management and use of Institutional Data and stewardship roles and responsibilities. Executive Policy EP2.214 is a supporting policy on data governance and information security.
These and other University of Hawai‘i executive policies, State of Hawai‘i Revised Statutes, and external regulations that relate to data governance and Institutional Data classification categories are available at: www.hawaii.edu/infosec/policies.

VII. Exhibits and Appendices

No Exhibits and Appendices found

Approved

    Signed: Wendy Hensel, President
    Date: December 02, 2025
