Guideline for Data Handling

I. Purpose

The purpose of this document is to provide guidance for protecting university information resources from unauthorized access or disclosure. The goal is to assure that every member of the UNC Charlotte community can identify non-public data and follow appropriate security precautions to protect the data so as to avoid compromising the privacy rights of others or UNC Charlotte’s institutional rights or obligations.

II. Scope

This guideline applies to UNC Charlotte staff, faculty, students, associates, affiliates, contractors, volunteers, or visitors accessing university owned or managed data, in physical or electronic format.

III. Contacts

Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at ISCompliance-group@uncc.edu.

IV. Data Classification Levels

Per the UNC Charlotte Standard for Information Classification, every member of the UNC Charlotte community should be able to identify the appropriate classification level of any data they are accessing or maintaining in electronic or physical form.

Data classification levels range from Level 0 (public) to Level 3 (highly restricted). Any data other than Level 0 data is considered to be non-public data. The four classification levels are:

Level 0—Public

  • University data that is purposefully made available to the public.
  • Disclosure of Level 0 data requires no authorization and may be freely disseminated without potential harm to the university.

Public data includes, but is not limited to: Advertising, product and service information, directory listings, published research, presentations or papers, job postings, press releases.

Level 1 – Internal

  • University owned or managed data that includes information that is not openly shared with the general public but is not specifically required to be protected by statute or regulation.
  • Unauthorized disclosure would not result in direct financial loss or any legal, contractual, or regulatory violations, but might otherwise adversely impact the university, individuals, or affiliates.
  • Level 1 data is intended for use by a designated workgroup, department, or group of individuals within the university.

Note: While some forms of internal data can be made available to the public, the data is not freely disseminated without appropriate authorization.

Internal data includes, but is not limited to: Budget and salary information, personal cell phone numbers, departmental policies and procedures, internal memos, incomplete or unpublished research.

Level 2 – Confidential/Sensitive

  • University owned or managed data that is confidential business or personal information for which unauthorized disclosure could have a serious adverse impact on the university, individuals or affiliates.
  • Level 2 data is intended for a very specific use and should not be disclosed except to those who have explicit authorization to review such data.
  • There are often general statutory, regulatory or contractual requirements that require protection of the data.
  • Regulations and laws that affect data in Level 2 include, but are not limited to, the Family Educational Rights & Privacy Act (FERPA), the State Human Resources Act (SHRA), and the Gramm-Leach-Bliley Act (GLBA).

Confidential/sensitive data includes, but is not limited to: Student data that is not designated as directory information, passport data, personal financial information, certain research data (e.g., proprietary or otherwise protected), personally identifiable information (PII) such as name, birthdate, address, employee or student ID, etc. where the information is held in combination and could lead to identity theft or other misuse.

Level 3 – Highly Restricted

  • University owned or managed data that is highly restricted business or personal information, for which unauthorized disclosure would result in significant financial loss to the university, impair its ability to conduct business, or result in a violation of contractual agreements or federal or state laws or regulations.
  • Level 3 data is intended for very limited use and must not be disclosed except to those who have explicit authorization to view or use the data.
  • There are often governing statutes, regulations, standards, or agreements with specific provisions that dictate how this type of data must be protected.
  • Regulations and laws that affect Level 3 data include, but are not limited to, the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).

Highly restricted data includes, but is not limited to: Social Security Numbers, payment card numbers, medical records, restricted information protected by nondisclosure agreements, restricted research data.

V. Guidelines for Appropriate Data Handling

Whether data is downloaded from a system or application within UNC Charlotte’s protected infrastructure or acquired by some other means, individuals must ensure that the security of the data is protected appropriate to the level of its classification.

Level 3 Data

Due to its restricted nature, level 3 data requires special handling. Some units may handle level 3 data as part of their business processes; however, that data should not be exported or stored outside of its secured location without express permission of the data or system owner.

NOTE: While a limited number of enterprise applications such as Perceptive Content hold highly restricted level 3 data, access to this data is tightly controlled via specific permissions and management authorization. If unsure whether your business data may be stored in one of these systems, discuss it with management and your area’s Information Security Liaison.

Sharing Data Externally

Individuals intending to disclose Level 2 or 3 data externally (including aggregated data) are expected to know the relevant standards, policies, laws, contract terms or other obligations that apply to the disclosure. Level 3 data may not be disclosed externally without the permission of the data or system owner. Where Level 2 or 3 data includes student education records or personal health information protected by FERPA, HIPAA or other privacy laws, the data owner’s authorization may be required, unless the reason for the disclosure meets an exception to an authorization requirement. Access to disclosed Level 3 data should be restricted to authorized recipients. Processes should be developed to manage account provisioning/deprovisioning. Regular access reviews should be conducted per the University’s Guideline for User Access Management.

Research Data

Research data is typically highly sensitive in nature or subject to special contractual requirements and its handling should be coordinated through the appropriate Data Security Officer. For guidance on the protection of university research data, see the Guideline for Research Data Security.

The following table is provided to help members of the UNC Charlotte community make decisions about appropriate data handling for classification levels 0 through 2. Data belonging to multiple classification levels must be treated according to the highest level of sensitivity.

Service012Comments
UNC Charlotte Owned Workstations, Laptops, Tablets, other devices No level 2 or 3 data can be stored here.Mobile devices must have additional security configurations in place if storing level 1 data.
Publicly Accessible Kiosks and Workstations  No level 1, 2, or 3 data can be stored here.
Personally Owned Workstations, Laptops, Tablets, other devices  No level 1, 2, or 3 data can be stored here.See the Guideline for Mobile Devices for additional guidance.
OneIT-Provided Network Drives (H:, J:, S:, etc.)No level 3 data can be stored here. Level 2 data can be stored here only if additional security controls are in place such as limited access and/or encryption.
UNC Charlotte EmailNo level 3 data can be sent via email. Level 2 data is permissible if designated email recipients are authorized to view the data and no recipients’ addresses are outside the university email system.
UNC Charlotte Google Workspace for EducationNo level 3 data can be stored here.  Level 2 data can be stored here if additional security controls are in place such as limited access. Level 2 data should not be synced to your desktop, laptop, or mobile device. See this FAQ for more information.
UNC Charlotte DropboxNo level 3 data can be stored here.  Level 2 data can be stored here if additional security controls are in place such as limited access.  Level 2 data should not be synced to your desktop, laptop, or mobile device. See this FAQ for more information.
Public Cloud Storage Sites (i.e., non-University provided cloud storage)  No level 1, 2 or 3 data can be stored here.
UNC Charlotte websites (including Drupal offering, departmental websites, WIKIs, etc.)  No level 1, 2 or 3 data can be stored here.
UNC Charlotte QualtricsNo level 3 data can be stored here.
UNC Charlotte Survey Share No level 2 or 3 data can be stored in SurveyShare.
UNC Charlotte CanvasNo level 3 data can be stored in Canvas.  Level 2 data is permissible if designated viewers/recipients are authorized to view the data and no recipients are from outside the university system.
UNC Charlotte owned portable electronic storage media, such as USB devices, CD/DVD, or external hard drives. No level 2 or 3 data can be stored here. Portable storage media must have additional security configurations in place if storing level 1 data.

Related Resources

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by Information Assurance Committee 4/10/14
Updated 12/02/21