The Institutional Data policy specifies requirements for the protection of The Ohio State University’s institutional data while preserving the open, information-sharing mission of its academic culture. The university classifies institutional data in accordance with legal, regulatory, administrative, and contractual requirements; intellectual property and ethical considerations; strategic or proprietary value; and/or operational use.
All institutional data must be assigned one of four data classification levels based on compliance, privacy, sensitivity, operational usage, and risk. Institutional data must be protected with security controls and access authorization mechanisms identified within The Ohio State University’s Information Security Standard. The level of protection required for institutional data is based on the data classification level assigned to such data.
What is Institutional Data?
Institutional data includes, but is not limited to, information in paper, electronic, audio, and visual formats.
Institutional data is information created, collected, maintained, transmitted, or recorded by or for the university to conduct university business. It includes (a) data used for planning, managing, operating, controlling, or auditing university functions, operations, and mission; and (b) pursuant to the requirements as set forth in the Research Data policy, information created, collected, and maintained in the conduct or reporting of research at or under the authority of Ohio State, as applicable.
It does not include personal data, which is information created, collected, maintained, transmitted, or recorded by university owned devices, media, or systems in accordance with the Responsible Use of University Computing and Network Resources policy that is personal in nature and not related to university business.
Three reference documents have been developed as “job aids”, to help Ohio State departments better understand and implement this important policy:
- Institutional Data Element Classification Assignments. Maps institutional data elements to the appropriate data classification levels.
- Permitted Data Usage By Activity. Identifies which classifications of institutional data are permitted for specific data user activities.
- Permitted Data Usage By Service. Identifies which classifications of institutional data are permitted for specific core or hosted services.
For More Information
Submit comments, questions, and suggestions to ITPolicy@osu.edu.