University data is an essential and key asset that must be managed, accessed, and secured appropriately. The University has an obligation to protect and govern the use of that data.
The purpose of this policy is to govern the confidentiality, integrity, availability, and quality of University data, to assign responsibilities for the control and appropriate stewardship of University data, and to support and maintain related policy principles and procedures.
“University Data” items of information that are collected, maintained, and/or utilized by the University for the purpose of carrying out institutional business, even if subject to any contractual or statutory limitations. University Data may be stored either electronically or on paper and may take many forms (including but not limited to: text, graphics, images, sound, or video). Research data, scholarly work of faculty or students, and intellectual property that do not contain personally identifiable information or other data protected by law or University policy are not covered by this policy. University Data include all data required to conduct the operations of the University. This includes any data elements that are created, received, maintained or transmitted by entities and individuals within the scope of this Policy.
“Data Governance” is the exercise of authority, planning, monitoring, and enforcement over the management of data assets, defining who can take what actions, with what information, under what circumstances, using what methods.
“University Classification" in the context of information security, this is the classification of data based on its level of sensitivity and the impact to the University should that data be disclosed, altered or destroyed without authorization. This classification of data helps determine what baseline security controls are appropriate for safeguarding that data.
Responsible Executive:
Vice President of Administration & Finance and Chief Fiscal Officer
Responsible Office:
Office of Technology Services
All divisions, colleges, departments and operating units, and University faculty, staff, students, volunteers, visitors, contractors and any other persons using University information resources.
Policy Principles
The purpose of Data Governance is to protect University Data and the information resources of the University from unauthorized access or damage. The underlying principles followed to achieve this objective are:
University Data are the property of the University and shall be managed as a key asset within Federal, State and University System of Maryland (“USM”) regulations.
Data shall be collected in a lawful and appropriate manner in accordance with the requirements of applicable laws and regulations (e.g., FERPA, HIPAA, GDPR, PCI, etc.).
All University data shall be categorized according to a data classification scheme that defines security requirements based on impact and sensitivity. Towson University categorizes data into three classifications (Public, Protected and Confidential).
University Data must be created, processed, stored, shared, and or destroyed according to approved Data Use Standards.
Data Governance roles and responsibilities are defined in the Roles and Responsibilities Guidelines, and all entities and individuals within the scope of this policy will be held accountable according to the policies stated within.
Resolution of issues related to University Data shall be approved and documented by the OTS designated committee responsible for data governance.
Quality standards for University Data shall be defined and monitored by OTS.
Necessary maintenance of University Data shall be defined by OTS.
University Data shall not be unnecessarily duplicated.
Enforcement
All individuals within the scope of this policy are responsible for understanding and complying with all applicable University policies, procedures, standards, and guidelines for dealing with University Data and its confidentiality, integrity, availability and quality.
Violations of this policy may result in disciplinary action in accordance with applicable University policies and procedures. Revocation or restriction of computer privileges is also possible.
Exceptions to this policy must be escalated according to the Data Governance Roles and Responsibilities Guidelines.
The Director of Information Security reserves the right to audit the use and handling of all University Data on a periodic basis to ensure compliance with this policy.
Any individual within the scope of this document that has any knowledge or suspicion of a violation or inappropriate use and/or disclosure of University Data must report it to the Director of Information Security at datagovernance AT_TOWSON or by contacting SPeakTU, a 24-hour / 7 day a week hotline. University faculty and staff should also report it to their supervisor.
Related Policies:
TU Policy 10-01.01, Information Technology Security Policy
TU Policy 10-01.02, Acceptable Use Policy
USM Policy X-1.00 - Policy on USM Institutional Information Technology Policies
USM Policy X-2.00 Policy on Compliance with USM Policies through Technology
TU Policy 07-01.00 et seq. - Human Resources Policies
See also:
Towson University Code of Student Conduct
Guidelines for Responsible Computing
Data Governance Roles and Responsibilities Guidelines
Standards for Data Classification
Approval Date: August 31, 2016
Effective Date: August 31, 2016
Amended Date: February 24, 2021
Approved By: President’s Council February 24, 2021
Signed By: President’s Council
This online version of the policy may include updated links and names of departments. To request a PDF of the original, signed version of this policy, email the Office of the General Counsel, generalcounsel AT_TOWSON.