Institutional Data Policy
Everyone at Ohio State handles data. Whether it's their personal information, someone else's or valued research, we're often balancing our need for security with our desire to preserve the open, information-sharing mission of our academic culture.
The Institutional Data Policy (IDP) outlines requirements for protecting institutional data in accordance with legal, regulatory, administrative, and contractual requirements; intellectual property and ethical considerations; strategic or proprietary value; and/or operational use. All institutional data is assigned one of four data classifications, and the university’s Information Security Standard and Information Security Control Requirements define the security and privacy controls required to protect it. To help understand institutional data, its use, and how to protect it, everyone must take training or awareness based on the type of data they can access.
What is Institutional Data?
Ohio State institutional data is information created, collected, maintained, transmitted, or recorded by or for the university to conduct university operations. It includes research data and data used for planning, managing, operating, controlling, or auditing university functions, operations, and mission, but does not include personally created data. Institutional data includes, but is not limited to, information in paper, electronic, audio, and visual formats.
The university’s institutional data are significant assets that must be properly managed and protected by all members of the university community. The Institutional Data Policy establishes the need to protect institutional data. It goes further to require that all institutional data are assigned one of four data classification levels based on legal, regulatory, university, and contractual requirements; intellectual property and ethical considerations; strategic or proprietary value; operational use; and/or privacy.
Three reference documents have been developed as “job aids” to help better understand and implement this important policy:
- Institutional Data Element Classification Assignments - Maps institutional data elements to the appropriate data classification levels.
- Permitted Data Usage By Activity - Identifies which classifications of institutional data are permitted for specific data user activities.
- Permitted Data Usage By Service - Identifies which classifications of institutional data are permitted for specific core or hosted services.
The IDP Calculator is now available to provide a better understanding of how singular or combined data elements directly relate to security classification levels. For more information on how to use the IDP Calculator, please refer to the IDP Calculator Job Aid.
S-Level Data Classifications
S-level: a security level which links an institutional data classification with a level of effort to protect the institutional data. Four S-levels are defined: S1, S2, S3, and S4.
- S1: Public Institutional Data
- S2: Internal Institutional Data
- S3: Private Institutional Data
- S4: Restricted Institutional Data
Protecting Institutional Data
Everyone at Ohio State interacts with institutional data and has a responsibility to be a caretaker of institutional data. Whether it's personal information, someone else's data, or valued research, we're often balancing our need for security with the need to preserve the open, information-sharing mission of our academic culture. To protect the reputation of the university as a leader in higher education, research, business, and as a medical provider, everyone must understand how institutional data is classified and what the authorized and appropriate use is based on the classification.
Training and Awareness
The university assigns one of four data classifications that define the level of protection based on compliance, privacy, sensitivity, operational use, and risk. The university’s Information Security Standard and Information Security Control Requirements provide guidance to protect institutional data based on the classification level.
To help everyone understand these classifications and how to properly secure institutional data, three educational methods have been developed. The IDP requires everyone take only one of these based on the type of data they access. The educational options and respective timelines follow:
If you have access to PHI data:
- You must take training labelled “HIPAA and Institutional Data Compliance”
- You can find this in BuckeyeLearn
- After completion you will take an assessment and will need to agree to the “OSU Acceptance of Compliance” and the “OSU Institutional Data Acceptance”
Note: Medical Center employees must take the HIPAA and Institutional Data Compliance training by June 30 of each year. All others taking this training must complete it between February 1 and April 28. If you take this course and sign the agreements, you do not need to take “Institutional Data Policy” training or the “IDP awareness activity” in C4U.
If you have access to other Restricted (S4)/non-PHI data:
- You must take the training labelled “Institutional Data Policy”
- You will take IDP Training through BuckeyeLearn.
- After completion you will sign the Institutional Data Usage and Confidentiality Agreement
Note: This Training is open from February 1 through April 28. If you complete this course and sign the agreement you do not need to take the IDP awareness activity in C4U.
If you do not have access to Restricted (S4) data:
In the educational method which you are required to complete, you will learn about useful resources to help you understand your responsibilities, how to securely handle institutional data, and how to use the Institutional Data Policy (IDP) Calculator.
Frequently Asked Questions
What is Institutional Data?
- Institutional data includes, but is not limited to, information in paper, electronic, audio, and visual formats.
- Institutional data is information created, collected, maintained, transmitted or recorded by or for the university to conduct university business.
- It includes: (a) data used for planning, managing, operating, controlling, or auditing university functions, operations, and mission; and (b) data outlined by requirements in the Research Data policy, information created, collected, and maintained in the conduct or reporting of research at or under the authority of Ohio State, as applicable.
- It does NOT include personal data, which is information that is personal in nature and not related to university business.
- All data created, collected, maintained, transmitted, or recorded by university owned devices, media, or systems must be used in accordance with the Responsible Use of University Computing and Network Resources policy.
What is Restricted (S4) data?
Institutional data that requires the highest level of protection due to legal, regulatory, administrative, contractual, rule, or policy requirements.
Who is required to take this?
The Institutional Policy states that, based on data access, training or awareness is required for all faculty, staff, students, student employees, contractors, volunteers, visitors, sponsored guests of units, and affiliated entities who are acting on behalf of the university.
My job doesn’t require I access institutional data. Do I need to take this?
Yes. The Institutional Data Policy states that everyone the policy applies to is a caretaker of institutional data.
Do I need to take all three?
No. If you have access to HIPAA data, you only need to take the HIPAA training. If you do not have access to HIPAA data but you do have access to other Restricted (S4) data, you only need to take IDP Training. If you do not have access to any Restricted (S4) data, you need to take the Institutional Data Policy awareness activity in C4U.
How much time should I plan to complete?
Both the IDP training and HIPAA training take approximately 45 – 60 minutes.
The IDP awareness activity takes approximately 10 minutes.
What happens if I do not take this by the April 28 deadline?
IDP Training and the IDP awareness activity are due by the end of April. Reminders will be sent to you and your manager in May and will be reported to your senior management at the beginning of June. Access to systems may also be impacted.
Do I need to complete the “HIPAA and Institutional Data Compliance” training by April?
Medical Center employees are required to complete "HIPAA and Institutional Data Compliance" training by June. If you are not a Medical Center employee but you take this training, you must complete it during the February 1 - April 28 window.
What if I cannot access IDP Awareness on C4U?
The IDP awareness activity is also available on BuckeyeLearn.
Can my department require that I take higher level training even though I do not access it?
Yes. If you have questions regarding training assigned to you, please contact your manager.
Who can I contact with comments, questions, and suggestions?
Start with your manager. If you still have questions, please submit them to IDP-Support@osu.edu.
I started recently and took this before the window opened. Do I need to take it again?
Yes. However, the IDP offers a test-out option. If you feel you know the topic, go ahead and take the test-out. If you do not pass, you will need to complete the course.