Data Classification and Governance (VII.B.6)

Volume VII: Information Technology
Chapter B: Security
Responsible Executive: Vice President for Information Technology
Responsible Office: Office of the Vice President for Information Technology
Date Issued: March 1, 2010
Date Last Revised: November 18, 2011


Statement of Policy
Reason for This Policy
Individuals and Entities Affected by This Policy
Who Should Know This Policy
Web Site Address for This Policy
Related Documents, Forms, and Tools
History and Updates


Identification and classification of university data are essential for ensuring that the appropriate degree of protection is applied to university data. All Purdue University data will be reviewed on a periodic basis and classified according to its use, sensitivity, and importance to the University and in compliance with federal and/or state laws.


Purdue University academic and administrative data are important university resources and assets. Data used by the University often contains detailed information about Purdue University, as well as personal information about Purdue University students, faculty, staff, and other third parties affiliated with the University. Protecting such information is driven by a variety of considerations including legal, academic, financial, and other business requirements. This policy provides a framework for the governance and classification of university data in order to ensure the privacy and security of that data.


All units, students, faculty, and staff of Purdue University are governed by this policy.


Vice Presidents
Department Heads and Chairs
Principal Investigators
Faculty and Staff
Non-employee (third-party) users of University data


There are no exclusions to this policy.



SubjectContactTelephoneE-mail/Web Address
Policy Clarification ITaP Networks and Security
Questions Regarding Data Classification Data Stewards


Data Custodian
Individuals who need and use university data on a daily basis as part of their assigned employment duties or functions.

Data Steward
An individual assigned by an Information Owner to facilitate the interpretation and implementation of data policies and guidelines.

Information Owner
The unit administrative head who is the final authority and decision maker with respect to data used in university business. Information Owners have decision-making authority over any data used by the unit administrative function, as well as any data, forms, files, information, and records, regardless of format.

Information that may or must be open to the general public that has no existing local, national, or international legal restrictions on access.

Information protected due to protective statutes, policies, or regulations. This level also represents information that isn't by default protected by legal statute, but for which the Information Owner has exercised his or her right to restrict access.

Information protected due to proprietary, ethical, or privacy considerations. This classification applies even though there may not be a direct statutory, regulatory, or common-law basis for requiring this protection.


Information Owner
Interpret and implement access and availability issues and safeguard university data, or delegate this responsibility to a Data Steward.

Chief Information Officer (CIO)
Serve as Information Owner, or designate an Information Owner, for those enterprise-wide directories and applications that serve a multitude of university functions and do not have a cross-functional team that acts as the Information Owner. In these instances, the CIO or designee is also responsible for identifying, communicating with, and building consensus among all parties, directors, deans, department heads, etc. whenever a decision regarding the data is needed.

Data Stewards
Facilitate the interpretation and implementation of data policies and guidelines to meet the needs of the University for the use of data.

Participate with Information Owners, business staff, IT data administration staff, application development teams, and knowledgeable departmental staff on projects creating, maintaining, and using university data.

Data Custodian
Be familiar with the university's data governance and classification structure.

Comply with this policy and related standards, guidelines, and procedures issued by the University in support of this policy.

Non-Employee (Third-Party) Users of University Data
Be familiar with the university's data governance and classification structure.

Comply with this policy and any additional stipulations outlined in written contracts with Purdue University.


Data Governance and Classification
The University's data is organized by the area responsible for it. Every piece of data owned, used, or maintained by the University must have one or more Information Owner(s) identified in the event that questions concerning access and availability arise. Information Owners must designate a Data Steward for his or her administrative unit.

An Information Owner, in consultation with the relevant Data Steward, must classify the data and records used in his or her administrative unit into the following three risk categories: Public, Sensitive, or Restricted. Classification of university data is an ongoing process, and the definitions of university data, as well as the classification of specific data elements must be evaluated annually.

Any data item or information that is not classified will be assumed to be of the Restricted classification until otherwise determined, unless the data is known to be addressed by applicable law or statute (e.g., certain records that might be considered publicly available under applicable Indiana law).

Data Handling
The designated Data Stewards, both individually and collectively, must implement and interpret data handling requirements and guidelines for the use of university data and will post such information online. Data Custodians must follow the data handling requirements and guidelines issued by the Data Stewards. Information Owners and their designees may also issue additional guidelines, procedures, or other requirements as necessary to appropriately handle data used in his or her specific administrative unit.

Data Stewards are required to further consult with university-designated compliance officers for various laws, including but not limited to, the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Indiana Access to Public Records Act regarding appropriate use of data according to such laws.

Purdue University policy for dealing with the disclosure of university records in response to a request for access under Indiana's Access to Public Records Act or in response to a third-party subpoena is addressed in policy VIII.A.3, "Disclosure of University Records in Connection with the 'Access to Public Records' Act and in Response to Third-Party Subpoenas." Nothing in this policy should be construed to conflict with policy VIII.A.3.

Violations of this policy or any other university policy or regulation may result in disciplinary action or sanctions in accordance with university policy and procedures.


Data Classification and Handling Web site:

Listing of Data Stewards for University Departments:

Listing of Information Owners and Administrative Data Classification by Area:

Purdue University Data Classification and Handling Requirements:

Disclosure of University Records in Connection with the "Access to Public Records" Act and in Response to Third-Party Subpoenas, (VIII.A.3):


November 18, 2011: Policy number changed to VII.B.6 (formerly V.1.8).

March 1, 2010: This is the first policy to address this issue. The implementation of this policy allows for policy V.1.5, Proper Disposal of Electronic Media, Interim, to be rescinded and incorporated into IT procedural guidelines.


There are no appendices to this policy.

Purdue University, 610 Purdue Mall, West Lafayette, IN 47907, (765) 494-4600

© 2017 Purdue University | An equal access/equal opportunity university | Copyright Complaints | Maintained by University Policy Office

Trouble with this page? Disability-related accessibility issue? Please contact University Policy Office at