Executive Policy Manual

EP08 – WSU System Data Policies

Revision Approved February 28, 2022

Background

Data are valuable assets of Washington State University. Data policies are needed to ensure that these resources are carefully managed, maintained, protected, and used appropriately.

Five areas have been identified which require data policy statements:

Scope

These policies apply to all WSU business units, workforce members, and WSU information systems that collect, store, share, process, or transmit institutional data.

Definitions

See supporting section BPPM 87.01 for definitions applicable to this policy.

Enforcement

The Office of the Chief Information Officer (CIO) is responsible and has the authority for enforcing compliance with this policy.

Violations

Persons determined to have violated this policy are subject to sanctions imposed using the procedures set forth in applicable WSU system policies and handbooks (e.g., the WSU Faculty Manual, the Administrative Professional Handbook, WAC 357-40 (civil service employees), applicable collective bargaining agreements, and the WSU Standards of Conduct for Students, WAC 504-26).

Maintenance

The Office of the CIO is to review this policy every three years or on an as-needed basis due to changes to technology environments, business operations, legal, or regulatory requirements.

Exceptions

Exceptions to this policy must be approved by the Office of the CIO, under the guidance of the appropriate information owner(s) and the Chief Information Security Officer (CISO).

The Office of the CIO must document and maintain all policy exceptions in writing for the life of the exceptions. Approvals for policy exceptions are effective for a specified period of time and must be reviewed by the Office of the CIO on a periodic basis.

Data Administration Policy

Purpose

Data are valuable institutional resources and must be carefully managed and maintained to ensure the availability, integrity, confidentiality, and privacy of institutional data. This data administration policy is intended to ensure that all institutional data are managed as institutional assets for fulfilling the WSU system mission of instruction, research, outreach, and engagement. This policy also defines WSU roles and responsibilities that are essential to the appropriate oversight and execution of these data policies.

Data Administration Policy Statement

Institutional data must be properly administered, managed, and maintained throughout its entire life-cycle. Information owners are accountable for the security and privacy of institutional data under their care.

Roles and Responsibilities

Information Owner

Responsibilities of the information owner include the following:

  • Assigning appropriate classifications to institutional information (i.e., public, internal, confidential, or regulated);
  • Ensuring that the appropriate technical, administrative, and physical controls and processes are implemented for safeguarding the confidentiality, privacy, integrity, and availability of institutional data based on the classification of the information;
  • Establishing appropriate use and data handling processes and procedures for operational and administrative management of institutional data;
  • Establishing and approving appropriate authorization processes for granting access to institutional data based on the appropriate level of access, need-to-know, and applicable legal or regulatory requirements; and
  • Accepting the information security and privacy risk to the WSU system and individuals from business unit operations.
Data Custodian

Responsibilities of the data custodian include the following:

  • Identifying and documenting systems containing institutional data within their specific area of responsibility;
  • Categorizing institutional information within their specific area of responsibility according to WSU system information security and privacy policies, standards, procedures, and guidelines;
  • Understanding and documenting how institutional data is generated, collected, stored, processed, transmitted, accessed, released, maintained, and disposed of in the systems of record for which they are responsible;
  • Implementing the appropriate administrative, physical, and technical safeguards to ensure the confidentiality, privacy, integrity, and availability of institutional data;
  • Reviewing and approving requests for access to institutional data within their area of responsibility; and
  • Ensuring that business unit policies and procedures are consistent with WSU system policies, standards, and procedures.
Data User

Responsibilities of data users include the following:

  • Following the appropriate policies, standards, procedures, and guidelines governing the usage, security, and privacy of institutional data; and
  • Reporting suspected or actual vulnerabilities pertaining to the confidentiality, integrity, or availability of institutional data.

Data Authorization and Access Policy

Purpose

Access to institutional data in its many forms is vital to the successful operation of the University. Faculty, staff, students, and authorized affiliates and third parties need appropriate access to WSU system data in support of WSU system business functions. In turn, all users authorized to access institutional data are obligated to appropriately use and effectively protect institutional data. This policy defines classifications for WSU data and provides some guidance for classifying WSU information. These classifications provide guidance for determining WSU system data protection standards, and the information security and privacy risks associated with collecting, accessing, sharing, storing, processing, and transmitting institutional data.

The policy is intended to supplement, not override, the definition of access to data under Washington Public Records Act, RCW 42.56, and the Preservation of Public Records law, RCW 40.14.

Data Authorization and Access Policy Statement

Access to institutional data must be provided to authorized individuals in support of University business functions. Authorization to access institutional data is to be granted by the appropriate information owner or their designee to only those with a legitimate need. Information owners or their designees are to define, for their areas of responsibility, the workforce members who are authorized to access institutional data and to ensure that only authorized workforce members have access to such data. Authorization to access institutional systems and data must support the principles of least privilege and separation of duties. (See BPPM 87.01 for definitions of these principles.)

An individual’s access to their own student or employment information, however, is governed by law and is not constrained by these categories.

Institutional information must be categorized according to the classifications listed below.

Note: The above requirement does not modify the responsibilities for WSU system public records in accordance with retention periods approved by the Washington State Records Committee (RCW 40.14). See BPPM 90.01.

Information Classifications

Public—Information in this classification does not need protection from unauthorized access or disclosure; however, there may be requirements to protect the integrity and availability of data in this classification. The appropriate information owner or the appropriate WSU administrator must approve the release of public information. See also BPPM 87.01 for a definition and examples of public information.

WSU Internal—Information in this classification may be made available to authorized personnel in support of the performance of their assigned roles/duties. WSU internal information is generally not released to the public unless specifically requested and must be approved for release by the appropriate information owner, by the appropriate WSU administrator, or as required by law. Unauthorized access, disclosure, or loss of integrity or availability of this classification of information could result in some harm to the WSU system and to individuals. See also BPPM 87.01 for a definition and examples of WSU internal information.

Confidential—Access may be granted to this classification of information by the appropriate information owner to only authorized personnel with a strict need-to-know. Confidential information may be released to authorized affiliates or third parties only with explicit approval from the appropriate information owner, the appropriate WSU administrator, or as required by contract or law. Unauthorized access, disclosure, or loss of integrity or availability of this information could cause significant harm to the WSU system and its operations, assets, or to individuals, and may include significant reputational, legal, and financial consequences. See also BPPM 87.01 for a definition and examples of confidential information.

Regulated—Access may be granted to this classification of information by the appropriate information owner to only authorized personnel with a strict need-to-know. Regulated information may be released to authorized affiliates or third parties only with explicit approval from the appropriate information owner or the appropriate WSU administrator, and in accordance with applicable statutes, regulations, and agreements. Unauthorized access, disclosure, or loss of integrity or availability of this information could cause serious harm to the WSU system and its operations, assets, or to individuals, and may include serious reputational, legal, financial, and health and safety consequences, including civil and criminal penalties. See also BPPM 87.01 for a definition and examples of regulated information.

Data Usage Policy

Purpose

Authorization to access institutional data carries with it the responsibility to use the data for its intended purposes and not for personal gain or other inappropriate purposes. This data usage policy is intended to ensure that institutional data are used appropriately and in support of fulfilling WSU system mission and business objectives.

Data Usage Policy Statement

WSU internal, confidential, and regulated information must be used only in the performance of assigned roles/duties within the University unless an approved agreement allows release to a third party as provided for under Release of Institutional Data below, or as permitted by law.

Data Usage Responsibility

Individuals are responsible for using institutional data and any information derived from them appropriately. Institutional data must not be used to promote or condone discrimination on the basis of race/ethnicity, color, creed, religion, national origin, gender, gender identity or expression, sexual orientation, age, marital status, the presence of any sensory, mental, or physical disability, or whether a disabled or Vietnam veteran. Institutional data must not be used to promote or condone any type of harassment, copyright infringement, political activity, personal business interests, or any activity that is unlawful and/or precluded by WSU system policies.

Willful misuse of institutional data, violation of state ethics laws and rules with regard to institutional data, or other breaches of this policy, can result in termination of access privileges, disciplinary action which may include termination of employment, student discipline in accordance with WSU policy, and/or civil and criminal penalties. (See Ethics in Public Service, RCW 42.52, or ethics.wa.gov/. For information on appropriate use, see EP4: Electronic Communication Policy.)

Release of Institutional Data

The release of institutional data must be in compliance with WSU system policies, and federal and state laws and regulations, and must be approved by the appropriate information owner or their designee.

The release of WSU data to any third party or the use of any cloud service provider to collect, store, process, share, or transmit institutional data, must be authorized by the appropriate information owner or their designee, prior to use in accordance with WSU system policies, standards, and procedures. Such a use must be documented by a written contract or agreement between WSU and the third party or cloud service, unless required by law. If there are financial considerations, the appropriate Finance and Administration personnel must review and approve the contract. (See BPPM 10.11 for contract procedures.)

(Note: The above requirement does not apply to release of data under the Public Records Act, RCW 42.56. See BPPM 90.05.)

Information that is considered to be public and is to be published on a publicly accessible information system, must be authorized by the appropriate information owner or their designee. The information owner must periodically review information that has been made publicly available on WSU information systems for non-public information. If institutional internal, confidential, or regulated information has been discovered to have been made available to the general public, it must be promptly reported to the WSU Pullman Information Technology Services (ITS) — Security Operations Center and removed by the appropriate business unit.

The sharing or release of WSU confidential or regulated information to a service provider or other third party requires that the responsible WSU business unit request a written statement of information security risk from the Office of the CIO. The responsible business unit is accountable and responsible for accepting the information security and privacy risk of institutional data that are released to third parties.

Information systems that store and process WSU confidential and regulated data must reside in the U.S., to include such data stored in backup systems and systems for disaster recovery and business continuity purposes.

Data Maintenance Policy

Purpose

Institutional data are managed as institutional assets for use by the WSU community. The usefulness and effectiveness of institutional data depend on these data being available, accurate, and complete. This data maintenance policy is intended to ensure the availability and integrity of institutional data.

Data Maintenance Policy Statement

Institutional data must be maintained by authorized individuals on behalf of WSU throughout its entire life-cycle.

Data Availability and Integrity

Every effort must be made to ensure the availability, accuracy, and completeness of institutional data. Access to data for management and maintenance purposes must be authorized by the appropriate information owner or their designee.

It is the responsibility of each business unit that creates, collects, stores, processes, shares, and transmits institutional data to ensure the application of uniformly high standards in data management and maintenance, to include the availability and integrity of the institutional data under their care throughout its entire life-cycle. See the Data Security Policy section of this document for policy on retention and disposition of institutional data.

Data Security Policy

Purpose

The purpose of this policy is to establish WSU system requirements to ensure the confidentiality and privacy of institutional data.

Data Security Policy Statement

WSU business units must maintain an up-to-date inventory of all institutional confidential and regulated information under their purview, to include information collected, stored, processed, shared, or transmitted by cloud service providers or other third parties.

WSU system information that is categorized as confidential or regulated, and is stored, processed, shared, or transmitted on WSU system or third-party information systems, must be encrypted. This is to include all production, development, test, and back-up information systems.

Mobile devices, portable storage media, and all electronic media containing WSU confidential and regulated data must be encrypted and stored in physically secure locations.

Electronic transmission of WSU confidential and regulated data must be encrypted during transmission to and from WSU information systems, to include affiliates and third parties.

Encryption methods must use industry-standard encryption technologies that have been validated by an established standards body such as the National Institute of Standards and Technology (NIST). Acceptable industry standard cryptographic key management practices must be appropriately managed and maintained to safeguard the cryptographic keys and to protect the integrity of the encryption processes.

All institutional data covered by federal or state standards, laws, regulations, or contractual agreements are to meet the information security and privacy requirements defined by those standards, laws, regulations, or contracts.

Data Retention and Disposition

A current copy of institutional data must be preserved to ensure the restorability of data lost to disaster or destruction. Procedures to recover lost data must be in place. See also EP25: Executive Policy on Emergency Management and Safety Plans, BPPM 50.39: Emergency Planning and Preparedness, and/or BPPM 90.15: Essential Records Protection.

Care must be taken to ensure that information is not recoverable using available forensic tools when a computer and/or its storage media are scheduled for surplus sales or other reuse either within or outside of the WSU system. Prior to disposal, of any storage media, any recorded internal, confidential, and regulated data must be disposed of in a manner that renders the data unrecoverable and/or destroyed. Refer to BPPM 90.01 for details.

Departments are responsible for the required retention, preservation, destruction, and disposition of WSU system public records in accordance with retention periods approved by the Washington State Records Committee. (RCW 40.14). See BPPM 90.01.

Information Security and Privacy Incidents

All security incidents involving WSU systems, services, devices, and data are to be reported to the WSU Pullman ITS–Security Operations Center.

Various international, federal, and state laws and regulations may contain specific incident and/or breach reporting requirements (e.g., FERPA, HIPAA, GDPR, GLBA, PCI, RCW 42.56.590, and RCW 19.255.010). Security incident and data breach reporting processes are to be compliant with all applicable policies, laws, regulations, and standards.

See BPPM 87.55: Information Security Incident Management and Breach Notification Policy for additional information on security incident management, reporting, response, and reporting requirements.

Workforce members that do not timely report a suspected or actual breach may be subject to discipline in accordance with applicable WSU or state policies and/or contracts.

_______________________
Revisions:  Mar. 2022 (Rev. 102); June 2020 (Rev. 91); May 2018 (Rev. 79); Feb. 2015 (Rev. 59); Dec. 2007 (Rev. 29); Apr. 2006 (Rev. 22); Nov. 2001 – new policy (Rev. 3)