Data Classification -Frequently Asked Questions
Who is a Data Owner?
Data Owners are University employees (AVP/Director level) who have direct operational-level responsibility for the management of one or more types of records, either in electronic or paper form.
What do Data Owners need to do?
1. Identify what records are in your custody and control. If more than one unit collects and maintains the same data, you will need to work together to implement a common set of classifications and guidelines.
2. As a unit, assign data classification labels (Open, Internal and Restricted Data). Definitions of these labels can be found in the policy.
3. If your data falls into a category that has access restrictions (Internal or Restricted), ensure that only those employees who need the information for their job can access the data. It may be that others in the office need access in cases when an employee is away or sick. This is acceptable as long as all those who can access the data are aware of their responsibilities. Descriptions of access restrictions can be found in the policy.
4. Ensure you have departmental procedures in place to assist staff in following the correct guidelines for access, storage, retention and disposal. Depending on the unit, retention periods may vary. If you need assistance, please contact the Privacy Office. If you need assistance in applying access restrictions for electronic information, ITS can help.
5. Once you have classified your data and determined procedures, ensure staff are aware of their responsibilities. Training in the protection of personal information is available through the Privacy Office if you need it. You can request training by e-mailing firstname.lastname@example.org.
6. Send copies of procedures to email@example.com (to be stored in a shared repository), or attach them to your Data Classification Request through VMware (https://itservicedesk.wlu.ca/, Log a Request, Log a Data Classification Request).
The link to Policy 3.4 is here: /documents/56545/3.4_Data_Classification_%26_Info_Mgt_Policy.pdf
The associated documents are linked to it. They can also be found here:
Appendix A: /documents/56543/3.4_Appendix_A_Schedule_of_Retention_Periods.pdf
Appendix B: /documents/56544/3.4_Appendix_B_Encryption_of_Confidential_Data.pdf
Steps for Data Owners: /documents/56542/3.4_Implementation_for_Data_Owners.pdf