All legal and regulatory compliance requirements apply regardless of whether you are using a university-owned or university-managed device or a personally owned device to work with sensitive university data. Different laws, regulations, and compliance requirements apply to different types of sensitive university data. Familiarize yourself with those that apply to the data you work with.
The first step in determining which regulations you must comply with is identifying the category of data you are processing.
Restricted
- Disclosure could cause severe harm to individuals and/or the university, including exposure to criminal and civil liability.
- Has the most stringent legal or regulatory requirements and requires the most prescriptive security controls.
- The legal and/or compliance regime may require assessment or certification by an external third party.
High
- Disclosure could cause significant harm to individuals and/or the university, including exposure to criminal and civil liability.
- Usually subject to legal and regulatory requirements due to data that are individually identifiable, highly sensitive, and/or confidential.
Moderate
- Disclosure could cause limited harm to individuals and/or the university with some risk of civil liability.
- May be subject to contractual agreements or regulatory compliance, or is individually identifiable, confidential, and/or proprietary.
Low
- Encompasses public information and data for which disclosure poses little to no risk to individuals and/or the university.
- Anyone, regardless of institutional affiliation, can access it without limitation.