12.3 Data Classification
By default, all institutional data will be designated as internal data for use within an institution or to satisfy institution external reporting requirements to the USG Board of Regents (BOR), and to State, Federal, or other external agencies. Institution employees will have access to these data for use in the conduct of institution business. These data, while available within the institution, are not designated as open to the general public unless otherwise required by law. The permission to view or query institutional data should be granted to all data users for all legitimate institution purposes.
As part of the data definition process, data stewards will assign each data element and each data view in institutional data to one of three categories: unrestricted, sensitive, and confidential.
Note: In some circumstances, as long as specific identifying data elements are removed, a data view may include elements of institutional data that would otherwise be sensitive or confidential.
12.3.1 Unrestricted Data
Where appropriate, data stewards may identify institutional data elements that have no access restrictions as available to the general public. These data will be designated as unrestricted or public data.
12.3.2 Sensitive Data
Where necessary, data stewards may specify institutional data elements as sensitive data for which users must obtain specific authorization to access since the data’s unauthorized disclosure, alteration, or destruction will cause perceivable damage to the institution.
The specification of data as sensitive should include reference to the legal or externally imposed constraint that requires this restriction, the categories of users typically given access to the data, and under what conditions or limitations access is typically given.
Note: It is assumed that all administrative output from the central administrative systems is classified as sensitive unless otherwise indicated.
12.3.3 Confidential Data
Where required, data stewards may identify institutional data elements as confidential, for which the highest levels of restriction should apply due to the risk or harm that may result from disclosure or inappropriate use.
This includes information whose improper use or disclosure could adversely affect the ability of the Institution to accomplish its mission, records about individuals requesting protection under the Family Educational Rights and Privacy Act of 1974 (FERPA), or data not releasable under the Georgia Open Records Act or the Georgia Open Meetings Act.