
Sensitive Data Policy

 
 

Policy Number: IT.3.3
Category: Information Technology
Effective: May 15, 2019
Revision History: Replaces Sensitive Data Protection Policy originally effective August 13, 2016
Review Date: May 14, 2022

  1. PURPOSE AND SCOPE

    1. The purpose of this Policy is to establish the framework for the classification and security of data collected, generated, used, or stored by or on behalf of West Virginia University, West Virginia University Institute of Technology, and Potomac State College of West Virginia University (“University Data”).
    2. This Policy applies to all individuals authorized to access or use University Data (“Data Users”) or University Information Systems in which University Data is stored.
  2. SENSITIVE DATA AT THE UNIVERSITY

    1. The University may classify data as “Sensitive Data” if it is:
      1. Required to be protected by federal, state, or international laws and statutes;
      2. Protected by University rules, policies, or ordinary business practice; or,
      3. Part of a contractual agreement that requires “Security” considerations.
    2. Under Exhibit A, the University has identified the data types it classifies as Sensitive Data.
  3. RESPONSIBILITIES OF DATA STEWARDS

    1. “Data Stewards” are the University executive officers or their designees who have planning and policy-level responsibilities for data in their functional areas and have management responsibilities for recognized University Information Systems.
    2. Data Stewards will work with Information Technology Services (“ITS”) to conduct the following activities regarding the University Data for which they are responsible:
      1. Determine if University Data should be classified as Sensitive Data;
      2. Secure Sensitive Data according to the Sensitive Data Protection Standard;
      3. Identify approved storage location(s) for Sensitive Data;
      4. Perform reviews to re-classify Sensitive Data, as needed;
      5. Ensure that Sensitive Data is only collected, generated, used, or stored for legitimate University business needs or as required by law;
      6. Ensure that individuals granted access to Sensitive Data or University Information Systems in which Sensitive Data is stored are aware of applicable laws, policies, standards, and regulations to which the Sensitive Data is subject; and,
      7. Review the individuals who have access to Sensitive Data or University Information Systems in which Sensitive Data is stored and remove those individuals who no longer require access.
  4. RESPONSIBILITIES OF DATA USERS

    1. Data Users will work with Data Stewards and ITS to ensure:
      1. That Sensitive Data is only collected, generated, used, or stored for legitimate business needs or as required by law;
      2. That the Data User is aware of laws, policies, standards, and regulations to which the Sensitive Data is subject;
      3. That Sensitive Data is stored in an approved University Information System or file location;
      4. That the Data Steward and ITS are notified when Sensitive Data is improperly shared, accessed, or stored, pursuant to the Computer Security Incident Response Policy.
  5. DEFINITIONS

    1. “Security” means the strategies for managing University Sensitive Data to ensure its confidentiality, integrity, and availability, including the requirements to collect, store, transmit, and access Sensitive Data.
    2. “University Information Systems” means technology systems used for academic, administrative, outreach, and research operations at the University, whether operated and managed by the University or a third-party vendor.
  6. ENFORCEMENT AND INTERPRETATION

    1. Any employee who violates this Policy shall be subject to appropriate disciplinary action.
    2. Any student who violates this Policy shall be subject to appropriate disciplinary action in accordance with the Student Code of Conduct.
    3. Any individual affiliated with the University who violates this Policy shall be subject to appropriate corrective action, including, but not limited to, termination of their relationship with the University.
    4. The University’s Chief Information Officer, supported by the Chief Information Security Officer, will coordinate with appropriate University entities on the implementation and enforcement of this Policy.
    5. Responsibility for interpretation of this Policy rests with the Chief Information Officer.
  7. AUTHORITY

    1. BOG Governance Policy 1.11 – Information Technology Resources and Governance
  8. CROSS REFERENCES

    1. All other University policies are also applicable to the electronic environment. Relevant institutional policies include, but are not limited to:
      1. Sensitive Data Protection Standard
      2. Faculty Handbook
      3. Code of Student Rights and Responsibilities (Code of Conduct)
      4. Payment Card Industry Data Security Standards (PCI-DSS)
      5. Computer Security Incident Response Policy
