UIS.401.3 Data Handling Guidelines

In support of UIS 401 Data Protection and Security Policy (in revision)

Data Handling Requirements

University data is classified in three categories of risk levels: Low, Medium, and High. All data must be handled according to its risk classification and compliant with the minimum security standards for internal or external hosting, storage and transmission.

Risk Classification

LOW

MEDIUM

HIGH

Data Type

Public

Information intended to be shared with the public.

Information Georgetown has made available to the public.

Internal

Information intended for Georgetown faculty, students, staff.

Information Georgetown has designated as private.

Confidential

Sensitive information intended for authorized individuals with explicit permission. 

Information Georgetown is obligated to make available only on a ‘need to know’ basis.

Restricted

Sensitive information protected by strict security controls.

Information Georgetown is obligated to make available only on a ‘need to know’ basis.

Regulated

Information protected by specific controls dictated by law or external governance.

Information Georgetown is obligated to keep protected from all unauthorized internal or external access.

Examples

Ask UIS if you’re not sure. These are examples, not exhaustive lists.

Information in the public domain

Publicly available campus data

Faculty and staff appointments

University marketing materials

University directory information designated for public view

Non-public meeting notes

Processes, procedures, systems instructions

Non-public contracts

University GUID numbers

Georgetown University internal memos and email, non-public reports, budgets, plans, financial info, board documents

Financial account numbers

Donor agreements and agreements in progress

Unpublished research data

Social Security Numbers

Personally Identifiable Information; birth date, personal contact information; IDs/Passports/Driver Licenses

Audit logs or records; infrastructure data

Cyber Security Investigations

Protected Health Information (PHI)

Controlled Unclassified Information (CUI)

Student records; Student admission data

Payment Card Information (PCI) **No PCI data is to be transmitted through, processed or stored on GU networks**

Printing/Storing

(Paper documents, files)

No data handling restriction
  • Locked drawers or cabinets
  • Do not leave unattended on copiers/printers
  • Locked drawers or cabinets
  • Do not leave unattended on copiers/printers
  • Locked drawers or cabinets
  • Do not leave unattended on copiers/printers
  • Locked drawers or cabinets
  • Send to printer using stored/locked job. Enter authorization code at printer

Network Storage

No data handling restriction
  • GU Google Drive
  • GU Box
  • GU GCP
  • GU AWS
  • GU EFS (Share Drives)
  • GU Google Drive
  • GU Box
  • GU GCP
  • GU AWS
  • GU EFS (Share Drives)
  • GU Box
  • GU GCP
  • GU AWS
  • GU Box
  • GU GCP
  • GU AWS
  • Authorized external storage

**CUI and PHI require UIS authorization**

Computer Storage

(Security Requirements for Workstations)

(Security Requirements for Servers)

No data handling restriction

Device must meet UIS cyber security requirements for processing moderate-risk data.

Data cannot be stored long-term on GU work or personal computer.

GU external hard drives, managed by UIS are permitted with authorization

Device must meet UIS cyber security requirements for processing moderate-risk data.

Data cannot be stored long-term on GU work or personal computer.

GU external hard drives, managed by UIS are permitted with authorization

Device must meet UIS cyber security requirements for processing high-risk data. Data cannot be stored on GU work or personal computer.

Data is to remain in managed and authorized storage system of record

GU external hard drives, managed by UIS are permitted with authorization

Device must meet UIS cyber security requirements for processing high-risk data. Data cannot be stored on GU work or personal computer.

Data is to remain in managed and authorized storage system of record

GU external hard drives, managed by UIS are permitted with authorization

Sharing/Collaboration

No data handling restriction
  • GU Email
  • GU Box
  • GU Google Workspace Apps
  • GU Slack
  • GU Email
  • GU Box
  • GU Google Workspace Apps
  • GU Slack
GU Box GU Box

Transmitting

No data handling restriction
  • GU Email
  • GU Box
  • GU Google Workspace Apps
  • GU Email
  • GU Box
  • GU Google Workspace Apps
GU Box restricted link
  • GU Box restricted link
  • Method authorized by UIS/data controller/owner

Hosting Online Meetings

No data handling restriction
  • GU Zoom
  • GU Google Meet
  • GU Teams
  • GU Zoom
  • GU Google Meet
  • GU Teams
GU Zoom (with authorization) Method authorized by UIS/data controller/owner

Survey/Polling

No data handling restriction
  • GU Qualtrics
  • Survey Monkey (approved, not GU licensed)
  • Doodle (approved, not GU licensed)
  • GU Qualtrics
  • Survey Monkey (approved, not GU licensed)
  • Doodle (approved, not GU licensed)
GU Qualtrics Method authorized by UIS/data controller/owner

E-Signing

No data handling restriction GU Docusign GU Docusign GU Docusign
  • GU Docusign
  • Method authorized by UIS/data controller/owner

Deleting and Destroying

No data handling restriction

When data is no longer in use for University business and can be disposed of in accordance with the University Data Retention Rules, medium-risk data must be cleared:

Cleared: A method of sanitization that applies programmatic, software-based techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard read and write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state.

  • GU devices cannot be donated or disposed of without evidence of UIS data sanitization activities prior to disposal.
  • 3rd-party access to moderate-risk data must include provisions to dispose of data upon service termination.

When data is no longer in use for University business and can be disposed of in accordance with the University Data Retention Rules, medium-risk data must be cleared:

Cleared: A method of sanitization that applies programmatic, software-based techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard read and write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state.

  • GU devices cannot be donated or disposed of without evidence of UIS data sanitization activities prior to disposal.
  • 3rd-party access to moderate-risk data must include provisions to dispose of data upon service termination.

When data is no longer in use for University business and can be disposed of in accordance with the University Data Retention Rules, high-risk data must be purged or destroyed:

Purge: A method of sanitization that applies physical or logical techniques that render high risk data recovery infeasible using state-of-the-art techniques.

Destruction: A method of sanitization that renders high risk data recovery infeasible using state-of-the-art techniques and results in the subsequent inability to use the media or drive for storage of data.

  • GU devices cannot be donated or disposed of without evidence of UIS data sanitization activities prior to disposal.
  • 3rd-party access to high-risk data must include provisions to dispose of data upon service termination

When data is no longer in use for University business and can be disposed of in accordance with the University Data Retention Rules, high-risk data must be purged or destroyed:

Purge: A method of sanitization that applies physical or logical techniques that render high risk data recovery infeasible using state-of-the-art techniques.

Destruction: A method of sanitization that renders high risk data recovery infeasible using state-of-the-art techniques and results in the subsequent inability to use the media or drive for storage of data.

  • GU devices cannot be donated or disposed of without evidence of UIS data sanitization activities prior to disposal.
  • 3rd-party access to high-risk data must include provisions to dispose of data upon service termination

All handling of University data must align with University policies, standards, and requirements for data protection, security and privacy. Including but not limited to:

Updated March 2024