Purpose
The Data Protection Categorization indicates the minimum level of protections required for Organizational Data and Information Systems based on Cyber Security’s Data Protection Safeguards and Protected Data Practices. Additional protection requirements above this minimum may be required if the Organizational Data or Information System is also regulated (see Data Regulation Categorization)
Go to Procedures
Go to Resources
Definitions
Capitalized terms not otherwise defined herein shall have the same meaning as set forth in the Data Governance and Management Policy
Audience
| Responsible | Associate Data Trustee Data Steward System Owner |
|---|---|
| Accountable | Data Governance Committee |
| Support | Associate Data Steward Technical Manager |
| Consulted | Data Governance Team |
| Informed | Data Domain & Technology Subcommittees Data Administrator Data User |
Procedures
Assigning a "Data Protection Categorization"
- A Data Steward must assign a “Data Protection Categorization” to a Data Element.
- A Data Steward must assign a “Data Protection Categorization” to a Data Sub-Domain, which may be derived by choosing the highest risk categorization from Data Elements within the Data Sub-Domain.
- An Associate Data Trustee must assign a “Data Protection Categorization” to a Data Domain, which may be derived by choosing the highest risk categorization from its Data Sub-Domains.
- A System Owner must assign a “Data Protection Categorization” to an Information System, which may be derived by choosing the highest risk categorization from the Organizational Data within the Information System.
- A report or a data set that contains Organizational Data may indicate the “Data Protection Categorization” in order to communicate to its intended audience the type of risk the report or data set contains.
The “Data Protection Categorization” indicates the minimum level of protections required for Organizational Data and Information Systems based on Cyber Security’s Data Protection Safeguards and Protected Data Practices. When Organizational Data may fall into more than one categorization, it should be categorized in the highest applicable risk categorization. The following categorizations are available:
| Protected | Information is not generally available to parties outside of the Georgia Tech community. This is the default "Data Protection Categorization" for Organizational Data. A categorization of Protected does not always mean that the data contained therein is confidential or non-disclosable and such data may be subject to disclosure under the Georgia Open Records Act or other applicable laws and regulations. |
| Public | Information is targeted for public use. Examples include website content for general viewing and published press releases. |
Modifications to the approved “Data Protection Categorization” choices
- An individual must submit a request to add a new categorization, change the name and/or definition of an existing categorization, or deprecate the use of an existing categorization to the Data Governance Committee. The request must include:
- Name of the categorization (proposed name if new or changing)
- Definition of the categorization (proposed definition if new or changing)
- Reason the modification is requested
- The Data Governance Committee will review the request and determine if further discussion is required with the requestor or others involved with the request.
- If approved, the Data Governance Committee will notify the requestor and publish the change to the official list of approved “Data Protection Categorization” choices on the website. Inventories that rely upon “Data Protection Categorization” (e.g., Data Element Dictionary) will be updated.
- If not approved, the Data Governance Committee will articulate the rejection and send it back to the requestor.
Resources
Does this “Data Protection Categorization” replace the existing data categorizations in the Georgia Tech Data Access Policy?
Yes. Existing data categories I through IV are replaced with Data Protection Categorizations of “Protected” or “Public”.
What data protections are required for “Protected” Organizational Data?
Please see Cyber Security’s Data Protection Safeguards and Protected Data Practices
What data protections are required for “Public” Organizational Data?
Please see Cyber Security’s Data Protection Safeguards and Protected Data Practices
What if I am unsure of the appropriate Data Protection Categorization for Organizational Data?
You should categorize the Organizational Data as “Protected,” as this is the default “Data Protection Categorization.”
What if Organizational Data is also regulated?
All Organizational Data will have a Data Regulation Categorization which informs which regulations (if any) apply to the data. Please see Cyber Security’s Data Protection Safeguards and Protected Data Practices for more information.
Is FERPA directory information categorized as “Protected?”
Yes. Student information is not targeted for public use. Protected data, including FERPA directory information, may be subject to disclosure under FERPA, the Georgia Open Records Act, or other applicable laws and regulations.
Examples of various types of Organizational Data and their “Data Protection Categorization”
| Faculty/Staff Information | |
| Georgia Tech Email Address | Public |
| Georgia Tech Phone Number | Public |
| Georgia Tech Work Address | Public |
Personal and Emergency Contact Information (without permission to publish) | Protected |
| Social Security Number | Protected |
| Employee ID Number (GT ID and PeopleSoft ID) | Protected |
| BuzzCard Number | Protected |
| Compensation Information | Protected |
| Performance Evaluations | Protected |
| Benefits Elections | Protected |
| Health Information | Protected |
| Georgia Tech Account Password | Protected |
| Student Information | |
| FERPA Directory Information | Protected |
| Social Security Number | Protected |
| Student ID Number (GT ID) | Protected |
| BuzzCard Number | Protected |
| Admission Information | Protected |
| Student Information | Protected |
| Financial Aid and Scholarship Information | Protected |
| Housing Information | Protected |
| Health Information | Protected |
| Georgia Tech Account Password | Protected |
| Research Information | |
| Published Research Data | Protected |
| Sponsored Project Contracts, Grants, and Associate Protocols | Protected |
| Non-Sponsored Research Information | Protected |
| Technology Licensing and Invention Disclosure Information | Protected |
| Unpublished Research Data | Protected |
| Proprietary Information Obtained by Georgia Tech under Nondisclosure Agreement | Protected |
| Intellectual Property Owned by Georgia Tech | Protected |
| General Business Information | |
| Public Websites (e.g., http://www.gatech.edu) | Public |
| Organizational Charts | Public |
| Public Relations Brochures (containing General Georgia Tech Information) | Public |
| Annual Reports | Public |
| Protected | |
| Chat Logs | Protected |
| Internal Websites | Protected |
| Customer Personal Checks | Protected |
| Purchasing Receipts | Protected |
| Network Diagrams | Protected |
| Georgia Tech Financial Account Number | Protected |
| Purchasing and Receiving Reports | Protected |
| Travel Reimbursement Forms | Protected |
| Purchasing Card (P-Card) Numbers | Protected |
| Credit Card Numbers | Protected |
| Library Records Information | |
| Library Catalogue Information | Public |
| Active Interlibrary Loan Records | Protected |
| Library Databases | Protected |
| Active Circulation Records | Protected |
| Security Camera Recordings | Protected |
| Environmental and Physical Information | |
| Georgia Tech Building Blueprints | Protected |
| Chematix Chemical Tracking System | Protected |
| Building HVAC Monitoring/Control Data | Protected |
| BuzzCard System | Protected |
| Continuum System | Protected |
| Building Safety Plans | Protected |
| Revision Date | Author | Description |
| 2022-10-28 | Zachary Hayes, Data Governance | Expanded examples of public and protected data |
| 2021-07-27 | Zachary Hayes, Data Governance | New |