Data Protection Categorization

Purpose

The Data Protection Categorization indicates the minimum level of protections required for Organizational Data and Information Systems, based on Cyber Security’s Data Protection Safeguards and Protected Data Practices. Additional protection requirements above this minimum may apply if the Organizational Data or Information System is also regulated (see Data Regulation Categorization).


Related Policies

Data Governance and Management Policy

Related Guidelines, Procedures, and Resources

Definitions

Capitalized terms not otherwise defined herein shall have the same meaning as set forth in the Data Governance and Management Policy.

Audience

Responsible: Associate Data Trustee, Data Steward, System Owner
Accountable: Data Governance Committee
Support: Associate Data Steward, Technical Manager
Consulted: Data Governance team
Informed: Data Domain & Technology Sub-Committees, Data Administrator, Data User

Procedures

Assigning a “Data Protection Categorization”
  • A Data Steward must assign a “Data Protection Categorization” to a Data Element.
  • A Data Steward must assign a “Data Protection Categorization” to a Data Sub-Domain, which may be derived by choosing the highest-risk categorization among the Data Elements within the Data Sub-Domain.
  • An Associate Data Trustee must assign a “Data Protection Categorization” to a Data Domain, which may be derived by choosing the highest-risk categorization among its Data Sub-Domains.
  • A System Owner must assign a “Data Protection Categorization” to an Information System, which may be derived by choosing the highest-risk categorization among the Organizational Data within the Information System.
  • A report or a data set that contains Organizational Data may indicate the “Data Protection Categorization” so that its intended audience knows what level of risk the report or data set carries.

When Organizational Data may fall into more than one categorization, it must be categorized in the highest applicable risk categorization. Of the two categorizations below, Protected is the higher-risk one, so a derived categorization (for a Data Sub-Domain, Data Domain, or Information System) is Protected whenever any of its components is Protected. The following categorizations are available:

  • Protected: Information that is not generally available to parties outside of the Georgia Tech community. This is the default “Data Protection Categorization” for Organizational Data. A categorization of Protected does not always mean that the data contained therein is confidential or non-disclosable; such data may be subject to disclosure under the Georgia Open Records Act or other applicable laws and regulations.
  • Public: Information that is targeted for public use. Examples include website content for general viewing and published press releases.

Modifications to the approved “Data Protection Categorization” choices
  1. An individual must submit a request to the Data Governance Committee to add a new categorization, to change the name and/or definition of an existing categorization, or to deprecate an existing categorization. The request must include:
    1. Name of the categorization (proposed name if new or changing)
    2. Definition of the categorization (proposed definition if new or changing)
    3. Reason the modification is requested
  2. The Data Governance Committee will review the request and determine if further discussion is required with the requestor or others involved with the request.
  3. If approved, the Data Governance Committee will notify the requestor and publish the change to the official list of approved “Data Protection Categorization” choices on the website. Inventories that rely upon “Data Protection Categorization” (e.g., Data Element Dictionary) will be updated.
  4. If not approved, the Data Governance Committee will document the reason for the rejection and return the request to the requestor.

Resources

Does this “Data Protection Categorization” replace the existing data categorizations in the Georgia Tech Data Access Policy?
Yes. Existing data categories I through IV are replaced with Data Protection Categorizations of “Protected” or “Public”.
What data protections are required for “Protected” Organizational Data?
Please see Cyber Security’s Data Protection Safeguards and Protected Data Practices.
What data protections are required for “Public” Organizational Data?
Please see Cyber Security’s Data Protection Safeguards and Protected Data Practices.
What if I am unsure of the appropriate Data Protection Categorization for Organizational Data?
You should categorize the Organizational Data as “Protected,” as this is the default “Data Protection Categorization.”
What if Organizational Data is also regulated?
All Organizational Data will also have a Data Regulation Categorization, which identifies which regulations (if any) apply to the data. Regulated data may require protections above the minimum implied by its Data Protection Categorization. Please see Cyber Security’s Data Protection Safeguards and Protected Data Practices for more information.
Is FERPA directory information categorized as “Protected”?
Yes. Student information is not targeted for public use. Protected data, including FERPA directory information, may be subject to disclosure under FERPA, the Georgia Open Records Act, or other applicable laws and regulations.
Examples of various types of Organizational Data and their “Data Protection Categorization”

Faculty/Staff Information
  • Georgia Tech Email Address: Public
  • Georgia Tech Phone Number: Public
  • Georgia Tech Work Address: Public
  • Personal and Emergency Contact Information (without permission to publish): Protected
  • Social Security Number: Protected
  • Employee ID Number (GT ID and PeopleSoft ID): Protected
  • BuzzCard Number: Protected
  • Compensation Information: Protected
  • Performance Evaluations: Protected
  • Benefits Elections: Protected
  • Health Information: Protected
  • Georgia Tech Account Password: Protected

Student Information
  • FERPA Directory Information: Protected
  • Social Security Number: Protected
  • Student ID Number (GT ID): Protected
  • BuzzCard Number: Protected
  • Admission Information: Protected
  • Student Information: Protected
  • Financial Aid and Scholarship Information: Protected
  • Housing Information: Protected
  • Health Information: Protected
  • Georgia Tech Account Password: Protected

Research Information
  • Published Research Data: Protected
  • Sponsored Project Contracts, Grants, and Associated Protocols: Protected
  • Non-Sponsored Research Information: Protected
  • Technology Licensing and Invention Disclosure Information: Protected
  • Unpublished Research Data: Protected
  • Proprietary Information Obtained by Georgia Tech under Nondisclosure Agreement: Protected
  • Intellectual Property Owned by Georgia Tech: Protected

General Business Information
  • Public Websites (e.g., http://www.gatech.edu): Public
  • Organizational Charts: Public
  • Public Relations Brochures (containing general Georgia Tech information): Public
  • Annual Reports: Public
  • Email: Protected
  • Chat Logs: Protected
  • Internal Websites: Protected
  • Customer Personal Checks: Protected
  • Purchasing Receipts: Protected
  • Network Diagrams: Protected
  • Georgia Tech Financial Account Number: Protected
  • Purchasing and Receiving Reports: Protected
  • Travel Reimbursement Forms: Protected
  • Purchasing Card (P-Card) Numbers: Protected
  • Credit Card Numbers: Protected

Library Records Information
  • Library Catalogue Information: Public
  • Active Interlibrary Loan Records: Protected
  • Library Databases: Protected
  • Active Circulation Records: Protected
  • Security Camera Recordings: Protected

Environmental and Physical Information
  • Georgia Tech Building Blueprints: Protected
  • Chematix Chemical Tracking System: Protected
  • Building HVAC Monitoring/Control Data: Protected
  • BuzzCard System: Protected
  • Continuum System: Protected
  • Building Safety Plans: Protected

Revision History

Revision Date   Author                           Description
2021-10-07      Zachary Hayes, Data Governance   Expanded examples of public and protected data
2021-07-27      Zachary Hayes, Data Governance   New