Data Classification and Roles Definitions
Responsible Administrative Unit: Computing, Communications & Information Technologies
Issued: January, 2014
Policy Contact: Chief Information Officer
Revised:

1.0 BACKGROUND AND PURPOSE
Colorado School of Mines’ (“Mines”, “the School”, or “the Institution”) institutional data must be
managed and protected because it is a critical and valuable asset to the school and its mission.
The purpose of this document is to define data types and roles and responsibilities of individuals
who have positions that require access to administrative data.
2.0 SCOPE
Data covered by this document include all of the following regardless of the format of the data or
where or how it is housed:
2.1 All data created, collected, maintained, recorded or managed by the institution, its staff,
and agents working on its behalf.
2.2 All data used for planning, managing, operating, controlling, or auditing institutional
functions; especially data used by multiple units of the school; and data used for
institutional reporting.
2.3 All operational data regardless of its source (e.g. extracts or feeds from or to the
institution’s enterprise systems; shadow systems whether independently created by
institutional units or assembled from enterprise systems extracts or both.)
2.4 All data which contains personally identifiable information (PII).
2.5 All data that contains proprietary information and/or trade secrets.
This document applies to all members of the Mines community whether students, faculty, staff, or
their agents, and all divisions, departments and other units, their agents, and their contractors. To
the extent possible, this document applies to any person or entity in possession of Mines’
institutional data whether affiliated with Mines or not.
3.0 DATA TYPE
Institutional data can be categorized based on content or usage as Administrative, Academic, or
Research data. Some data can be categorized into more than one type based on the current
usage of the data or can overlap in multiple categories. Typically, data are collected and stored to
support a specific activity so will have a “primary” type but may be useful for other purposes. For
example, administrative data may be useful in certain research studies and academic data may be
aggregated and studied for institutional reporting. Data of any type can be classified as public,
restricted, or confidential as described in Section 4.0, below.
Administrative
Administrative data are collected and used principally to manage and conduct the business
operations of the School. Examples of administrative data include:
• Budget, purchasing and accounting data
• Student Financial Aid data
• Library transaction data
• Employee information and payroll data
• Campus police reports
Academic
Academic data consist principally of elements related to a student’s academic program and
progress. Examples of academic data include:
• Student grades, transcripts, and assessment data
• Course materials and syllabi
• Degree and major descriptions and requirements
• Enrollment data and class rosters
Research
Research data are used to conduct research investigations and validate research findings
in the scientific community. Research data may be public, restricted or confidential.
Examples of research data include:
• Field data
• Processed data
• Modeling and simulation data
• Data visualizations
• Instrument data
• Human subject data

4.0 DATA PROTECTION CLASSIFICATION
Colorado School of Mines’ institutional data are classified according to their criticality,
confidentiality, and the risk of harm that would be caused by unauthorized, inadvertent, or
deliberate disclosure, alteration, or destruction. Factors considered in data classification include
legal compliance requirements, professional standards, contractual or licensing agreements,
ethical considerations, strategic or proprietary value, and “prudent stewardship” of this asset.
Institutional data will be consistently protected throughout its lifecycle in a manner commensurate
with its classification regardless of where it resides, the form it takes, the technology or methods
used to manage it, or the purpose it serves. The classification system for institutional data is listed
below, representing the increasing risk of impact if the data are mishandled:

Public
Public data have no access restrictions and are available to the general public. Examples
of public data include:
• High level enrollment statistics
• The Undergraduate and Graduate Bulletins
• The Current Funds Budget
• Financial statements
• Press releases
• Posted advertisements
• Newsletters
• Some research data

Restricted
Restricted data are typically not protected by law or regulation, but must be guarded due to
proprietary, ethical, or privacy considerations, and for which unauthorized disclosure,
alteration, or destruction would cause perceivable damage to the school. Unless formally
classified otherwise, all institutional data are classified as restricted. Examples of restricted
data include:
• Some purchasing data
• Information covered by non-disclosure agreements
• Library transactions
• Usernames and password combinations
• Operational procedures which are either proprietary to Mines or which could
jeopardize personal or public safety if disclosed
• Some research data
Confidential
While all data which is protected by state or federal laws, regulations, or rules or covered
under a contractual or licensing agreement with the school are considered confidential
data, any data which would cause significant damage to the school or to one of its
constituents if breached, disclosed, modified, or destroyed without specific authorization, is
also confidential data. The highest level of security and controls must be applied to protect
confidential data. Examples of confidential data include:
• Student grades
• Individuals’ financial aid data and tax data
• Individuals’ health information
• Social security numbers
• Credit card and financial institution account numbers and other personally
identifiable information
• Emergency and routine internal procedures to protect the public health and welfare
• Some research data
Collections of institutional data will be protected at the highest level required by any
individual element in the collection.
Classified and Export Controlled
Data for some research projects may be classified or be export controlled by the
government due to the nature of the research or data. These data must, at a minimum, be
treated as confidential. In addition, access to and use of any such data must comply with
all appropriate requirements specified by the U.S. government.

5.0 ROLES & RESPONSIBILITIES
Certain positions on campus have specific roles with regard to institutional data. Individuals in
these positions are expected to understand and fulfill the responsibilities associated with
these roles. The table below defines these positions. Data classifications are assigned by the data
steward and reviewed by the data sponsor. These classifications and review are NOT intended to
address data items, but rather capture campus practice by broad data categories. These
categories will be reviewed bi-annually with updates appearing in the bulleted lists shown above.

| Position | Responsibility | Examples |
|---|---|---|
| Data Sponsor | School officer with management and policy responsibility for a broad segment of institutional data. | Provost; VPFA; VPRTT; VPSL; VPIA |
| Data Steward | School official with direct operational responsibility for a broad segment of institutional data. | Registrar; Controller; Financial Aid Director; AVP for Human Resources; Dir. Health Center; Library Director; Museum Director. |
| Data Custodian | Housing, keeping the data, and managing the resources which enable its collection, management and controlled access. (e.g., institutional data archives vault, institutional data paper or other media collections, data computer system(s), server(s), and supporting infrastructure that stores processes institutional data) | Various CCIT Staff (Application Administrators; DBAs; Banner Specialists; System & Server Admins; Operations Staff); Data Management Specialists; Non CCIT Application Administrators; Department Heads & Admin Staff; Library Staff; Museum Staff; Faculty. |
| Data User | Any individual or unit in possession of institutional data in support of the Institution’s mission. | Most staff and faculty throughout institution; students as appropriate; |
| Certifying Authority | Official authorized to certify the appropriateness and accuracy of institutional data and to release institutional data for publication or other purpose that furthers the school’s mission. | Dir. Institutional Research; Data Sponsors and Stewards. |

