Data Security Policies
LOUISIANA STATE UNIVERSITY
Security of Data
https://sites01.lsu.edu/wp/policiesprocedures/files/2014/09/6.20-NEW.pdf

Private data - Private data is any data that derives its value from not being publicly disclosed. It includes information that the University is under legal or contractual obligation to protect. The value of private data to the University and/or the custodian of such data would be destroyed or diminished if such data were improperly disclosed to others. Private data may be copied and distributed within the University only to authorized users. Private data disclosed to authorized, external users must be done in accord with a Non-Disclosure Agreement (examples of private data include employment data).

Confidential data - Confidential data is data that by law is not to be publicly disclosed. This designation is used for highly sensitive information whose access is restricted to authorized employees. The recipients of confidential data have an obligation not to reveal the contents to any individual unless that person has a valid need and authorized permission from the appropriate authority to access the data, and the person revealing such confidential data must have specific authority to do so. Confidential data must not be copied without authorization from the identified custodian (examples of confidential data include personally identifiable information in student education records, and personally identifiable non-public information about University employees).

Please see Classification of Data for a general guide to determine which data classification is appropriate for a particular information or infrastructure system.

Although some protected information, private data, and confidential data the University maintains may ultimately be determined to be “public records” subject to public disclosure, such status as public records shall not determine how the University classifies and protects data until such a determination is made. Often public records are intermingled with confidential data and protected information, so all the information and data should be protected as confidential until it is necessary to segregate any public records.

It shall be the responsibility of the data steward(s) to classify the data, with input from appropriate university administrative units and legal counsel. However, all individuals accessing data are responsible for the protection of the data at the level determined by the data steward(s), or as mandated by law. Therefore, the data steward(s) are responsible for communicating the level of classification to individuals granted access. Any data not yet classified by the data steward(s) shall be deemed confidential.

Access to data items may be further restricted by law, beyond the classification systems of Louisiana State University. All data access must be authorized under the principle of least privilege, and based on minimal need. The application of this principle limits the damage that can result from accident, error, or unauthorized use. All permissions to access confidential data must be approved by an authorized individual, and written or electronic record of all permissions must be maintained. Protected information shall not be provided to external parties or users without approval from the data steward. In cases where the data steward is not available, approval may