Data Security and Stewardship
Administering Office: Office of CIO
Approved by: Executive Council 3/5/2007
Posted: March 22, 2007
Revised: March 21, 2011
Revised: October 21, 2014
Revised: April 25, 2016
Institutional data is both a valuable asset and a potential liability to the University.
As such, the stewardship and security of university data are important responsibilities
for every member of the university who has access to it. As an academic institution
we must encourage the free flow of most information, while protecting critical operational
a. To protect the university’s data and to protect the University from misuse of its
b. To establish categories of data and their definitions.
c. To provide a framework defining the appropriate protection required for each category
d. To define who is responsible for ensuring that data is handled in an appropriate
a. The Policy applies to all university enterprise-level data, whether or not it is
centrally managed. Enterprise-level data is defined as data that the University has
regulatory responsibility for, or is critical for the operation of the University;
or owns, possesses, or manages.
b. The Policy applies to data housed on the campus itself or hosted on an outsourced
c. The Policy applies to data in physical form, including but not limited to paper,
as well as data in a digital format.
d. The policy addresses both access to and disclosure of data.
a. The terms “enterprise level data” or “data” shall mean any and all information
generated by, owned by, created by, or otherwise managed by Western Carolina University,
including that created by students, faculty, and/or staff pursuant to the university
related duties or obligations. Data may exist in physical form, including but not
limited to paper, as well as in a digital form. Data shall include both public records
as well as records exempt from the North Carolina Public Records Act.
b. The term “campus” shall mean all colleges, schools, departments, units, or other
subdivision(s) of Western Carolina University.
a. The Chancellor, Provost, Vice Chancellors, General Counsel, and the Director of
Athletics, or their designees, are the institutional Data Stewards (Data Stewards).
The Data Stewards are responsible for ensuring the appropriate handling of the enterprise-level
data produced and managed by their division/unit, including the classification of
data and the authorization of access.
b. The Information Technology Division is responsible for ensuring that the appropriate
technologies, system policies, and permissions are in place to provide appropriate
access to electronic data.
c. The Office of Institutional Planning and Effectiveness (OIPE) has primary responsibility
for meeting the University's reporting obligations and overseeing the movement of
unit record data between the campus and the University of North Carolina. It is the
responsibility of all other divisions/units charged with the reporting of institutional
data to ensure that OIPE has a record of the parameters and timelines of such reporting;
OIPE will maintain this record as part of an inventory updated annually.
d. The Chancellor will establish a Data Security and Stewardship Committee that shall
report to the Chancellor. The charge of this Committee is to oversee the implementation
of this policy, ensure campus data security procedures are up to date, coordinate
the review of campus data security, advise the campus with regard to data security
and data security policies and procedures, and assist the campus with risk assessments
and related activities. The members of the Committee are: the FERPA Officer, HIPAA Officers, GLBA Officers,
Internal Auditor representative, a General Counsel representative, the CIO, Information
Security Officer, a representative of OIPE, a representative from Administration and
Finance, a representative from Communications and Public Relations, and a representative
from the faculty (Appointed by the Chancellor in consultation with the Faculty Senate
Chair. Term is 3 years). The CIO shall chair the Committee.
a. All enterprise-level data will be assigned to one of the following categories by
the appropriate Data Steward. The categories are not mutually exclusive. Data is to
be handled according to the most sensitive category that it falls within.
- GREEN - Low Sensitivity
- BLUE - Guarded Sensitivity
- YELLOW - Elevated Sensitivity
- ORANGE - High Sensitivity
- RED - Severe Sensitivity
b. Definitions of each category and requirements for how data is to be stored and
transmitted are specified in the document Data Handling Procedures Related to the Data Security and Stewardship Policy.
c. Review of the classification of all GREEN and BLUE data will occur at least annually.
Classification requirements may change due to changes in laws or contractual obligations.
d. Staff authorized to access or disclose YELLOW, ORANGE, or RED data are required
to sign a confidentiality statement upon hire or as directed.
a. Willful inappropriate access to or disclosure of data may result in appropriate
disciplinary action, up to and including dismissal, or legal action being taken.
b. Liability for the willful inappropriate access to or disclosure of data may, in
certain circumstances, rest with the individual and not the institution.
International Organization for Standardization (ISO/IEC 27002, 6.1, 7.2, 8.2)