Regulated Data Review
Federal regulations require that users of regulated data environments review data classification guidelines and handling best practices.
Definitions
Data users are classified according to their levels of access and use.
- Data owner: Senior leadership, typically at the dean, director or department chair level, with the ultimate responsibility for the use and protection of university data.
- Data custodian: The staff member, typically one primarily responsible for IT, who is responsible for implementing security controls for university data.
- Data user: Any member of the university community who has access to university data and, thus, is entrusted with the protection of that data.
Responsibilities
- Data owners are responsible for appropriately classifying data.
- Data custodians are responsible for labeling data with the appropriate classification and applying required and suggested safeguards.
- Data users are responsible for complying with data use requirements.
- Data users are responsible for immediately referring requests for public records to the University Relations Division – Office of Public Affairs or to the Office of the Vice President and General Counsel.
Data Classifications
At the University of Florida, data is classified into three categories: Open, Sensitive and Restricted. See the UF Data Classification Policy and UF Data Guide for details.
Open data is data that does not fall into any of the other information classifications. This data may be made generally available without specific approval from the information owner’s designee or delegate.
Examples include, but are not limited to:
- Advertisements
- Job opening announcements
- University catalogs, regulations and policies
- Faculty publication titles and press releases
Sensitive data is data whose loss or unauthorized disclosure would impair the functions of the university, cause significant financial or reputational loss or lead to likely legal liability.
Examples include, but are not limited to:
- Research work in progress
- Animal research protocols
- Financial information
- Strategy documents and information used to secure the university’s physical or information environment
Restricted data is any data in any format collected, developed, maintained or managed by or on behalf of the university, or within the scope of university activities, that is subject to specific protections under federal or state law or regulations or under applicable contracts.
Examples include, but are not limited to:
- Medical records
- Social security numbers
- Credit card numbers
- Florida driver licenses
- Non-directory student records
- Export controlled technical data
Protecting Restricted Data is the law
While the laws vary depending on the type of restricted data, you, as a researcher and data user, are responsible for understanding the applicable laws and data security guidelines for your data. Listed below are the pieces of data legislation that most commonly inform research in the state of Florida.
- HIPAA: health information
- FERPA: student records
- Gramm-Leach-Bliley: financial data
- Florida Law: health data
- ITAR & EAR: export control data
- PCI DSS: credit card data
- FISMA: Federal data
The costs of mismanaging data and improper disclosure are enormous. In addition to state and federal penalties, data mismanagement can lead to loss of funding, grant ineligibility, damage to the University's reputation and even civil liabilities.
Best Practices and Guidelines
According to UF's mobile data security guidelines, any device that records, manages or transmits restricted data must be encrypted. This includes mobile devices like laptops, phones, and portable storage devices such as flash drives.
Remember, nobody from UF will ever ask you for your password. Do not share your password with anyone for any reason, and do not reuse your UF password for any other login credentials.
If you work off campus, make use of the UF VPN to securely transfer data.
When you need to dispose of data or storage devices, make use of UF's electronic media secure disposal service. It is free, and there are multiple locations on campus.
For more information about data management guidelines, visit UFIT Information Security and the UF Privacy Compliance Office.
Reporting an incident
If you know or suspect that data has been disclosed inappropriately, or a device used to record, transmit or process data has been lost or stolen, it is your responsibility to notify your supervisor and the UF Privacy Office immediately. Failure to report an incident will result in disciplinary action.
Please check the UF Privacy Compliance Office for current reporting options.