Purpose
The Data Regulation Categorization indicates which, if any, local, USG, state, federal, and international laws or regulations may apply to Organizational Data and Information Systems. This categorization also may indicate if additional specifications are required due to grants, contracts, or other agreements entered into by, or for the benefit of, Georgia Tech.
Related Policies
Data Governance and Management Policy
Related Guidelines, Procedures and Resources
- Data Management Categorization
- Data Protection Categorization
- Data Protection Safeguards
- Protected Data Practices
- Data Domains
- Systems Inventory
- Data Element Dictionary
- Regulatory Compliance
Definitions
Capitalized terms not otherwise defined herein shall have the same meaning as set forth in the Data Governance and Management Policy.
Audience
Responsible | Associate Data Trustee, Data Steward, System Owner |
---|---|
Accountable | Data Governance Committee |
Support | Associate Data Steward, Technical Manager |
Consulted | Data Governance team |
Informed | Data Domain & Technology Sub-Committees, Data Administrator, Data User |
Procedures
- Assigning a “Data Regulation Categorization”
  - A Data Steward must assign each “Data Regulation Categorization” to a Data Element.
  - A Data Steward must assign each “Data Regulation Categorization” to a Data Sub-Domain, which may be derived by choosing the highest requirements categorization from Data Elements within the Data Sub-Domain.
  - An Associate Data Trustee must assign each “Data Regulation Categorization” to a Data Domain, which may be derived by choosing the highest requirements categorization from its Data Sub-Domains.
  - A System Owner must assign each “Data Regulation Categorization” to an Information System, which may be derived by choosing the highest requirements categorization from the Organizational Data within the Information System.
  - A report or a data set that contains Organizational Data may indicate the “Data Regulation Categorization(s)” in order to communicate to its intended audience the type of requirements the report or data set contains.
The “Data Regulation Categorization” indicates which, if any, local, USG, state, federal, and international laws or regulations may apply to Organizational Data and Information Systems. This categorization also may indicate if additional specifications are required due to grants, contracts, or other agreements entered into by, or for the benefit of, Georgia Tech. The following categorizations are available:
Data Regulation Categorizations

Categorization | Statement | Categorization Choices |
---|---|---|
FERPA (Family Educational Rights and Privacy Act) | The Information System or Organizational Data contains data protected by FERPA. | True or False |
HIPAA (Health Insurance Portability and Accountability Act) | The Information System or Organizational Data contains data protected by HIPAA. | True or False |
GLBA (Gramm-Leach-Bliley Act) | The Information System or Organizational Data contains data protected by GLBA. | True or False |
EU GDPR (European Union General Data Protection Regulation) | The Information System or Organizational Data contains data protected by EU GDPR. | True or False |
Research Requirements | The Information System or Organizational Data contains data protected by research requirements. Examples include FAR, DFAR, CUI, etc. | True or False |
Export Control | The Information System or Organizational Data contains data protected by export control. Examples include ITAR, EAR, OFAC, etc. | True or False |
Non-Regulated | The Information System or Organizational Data does not contain data that is regulated by any of these regulation categorizations. | True or False |

- Modifications to the approved “Data Regulation Categorization” choices
  - An individual must submit a request to add a new categorization, change the name and/or definition of an existing categorization, or deprecate the use of an existing categorization to the Data Governance Committee. The request must include:
    - Name of the categorization (proposed name if new or changing)
    - Definition of the categorization (proposed definition if new or changing)
    - Reason the modification is requested
  - The Data Governance Committee will review the request and determine if further discussion is required with the requestor or others involved with the request.
  - If approved, the Data Governance Committee will notify the requestor and publish the change to the official list of approved “Data Regulation Categorization” choices on the website. Inventories that rely upon “Data Regulation Categorization” (e.g., Data Element Dictionary) will be updated.
  - If not approved, the Data Governance Committee will articulate the rejection and send it back to the requestor.
Resources
- What changes to protections of Organizational Data and/or Information Systems are required if the data is regulated?
  - Regulated Organizational Data may include requirements that surpass the minimum protections required for Protected Data as outlined in Cyber Security’s Data Protection Safeguards and Protected Data Practices. The Regulated Organizational Data must adhere to the highest requirements when combining protections from Cyber Security’s requirements and the regulation’s requirements. Please see Cyber Security’s Data Protection Safeguards and Protected Data Practices for more information.
- Is Organizational Data also subject to the Georgia Open Records Act?
  - Yes. Organizational Data may be disclosed under the Georgia Open Records Act subject to requirements and exceptions noted in the law. Please contact Institute Communications for more information.
- Is Organizational Data ever exempt from disclosure?
  - Yes. Organizational Data may be exempt from disclosure under the provisions of the Georgia Open Records Act or other applicable state or federal laws. Specifications contained in Georgia Tech grants, contracts, and other agreements entered into by, or for the benefit of, Georgia Tech may also provide exemptions from disclosure.
- Key Contacts for Regulated Data

Regulation | Business Contact(s) | Legal Contact(s) |
---|---|---|
FERPA | Reta Pikowsky, Office of the Registrar | Kate Wasch, Susann Estroff |
HIPAA | John Scuderi, Stamps Health Services | |
GLBA | Paul Kohn (interim), Office of Scholarships and Financial Aid | |
EU GDPR | Tarryn Brennon, Office of the General Counsel | Tarryn Brennon |
Research Requirements | | |
Export Control | Lacee Harris, Office of the General Counsel | |
Georgia Open Records Act | Jamila Hudson-Allen, Institute Communications | Kate Wasch |

Revision Date | Author | Description |
---|---|---|
2021-07-27 | Zachary Hayes, Data Governance | New |