Data Governance Information

UH Data Governance Goals

  • Protect the privacy and security of “Protected Data” (all non-public data; includes Institutional Data and research data)
  • Produce higher quality data for informed decision making
  • Promote efficient use of resources
  • Increase transparency and accountability

Visit Data Governance training to see presentations and slides describing the standards and requirements. Also see the UH Cyber Hygiene Best Practices.

Frequently Asked Questions

What Information can I Collect Using Google Forms?

Google@UH makes it easy to conduct surveys and gather self-reported information through Google Forms. Per the UH Data Governance Intranet, the following guidelines apply.

If you are only collecting non-sensitive data (e.g., name, email address, campus affiliation, and answers to general questions), then it is acceptable to use Google Forms.

UH Information Security advises that it is not secure to store sensitive or regulated data (e.g., DOB, GPA, ethnicity, SSN, etc.) in Google Drive.

It is okay to store public and restricted data in Google Drive. Examples of what is considered public, restricted, sensitive, and regulated data can be found in the table below.

Data Classification Categories (EP 2.2.14)

Category | Definition | Examples
Public | Access is not restricted and is subject to open records requests | Student directory information, employee’s business contact info
Restricted¹ | Used for UH business only; will not be distributed to external parties; released externally only under the terms of a written MOA or contract | Student contact information, UH ID number
Sensitive¹ | Data subject to privacy considerations | Date of birth, job applicant records, salary/payroll information, most student information
Regulated¹ | Inadvertent disclosure or inappropriate access requires a breach notification by law or is subject to financial fines | FN or first initial/LN in combination with SSN, driver license number, or bank information; credit card, HIPAA, or financial aid information

¹: Protected Data.

View more information on the UH Data Governance Intranet.

Public Data (No Risk)

Student Data Examples

  • Name
  • Major field of study
  • Class (i.e., freshman, sophomore, etc.)
  • Past/present participation in officially recognized activities/sports (including positions held and official statistics)
  • Weight/height of athletic team members
  • Dates of attendance
  • Previous institution(s) attended
  • Full or part-time status
  • Degree(s) conferred (including dates)
  • Honors and awards (including dean’s list)

Employee Data Examples

  • Name
  • Compensation (for executive/managerial and faculty only; salary ranges for all other groups)
  • Job title
  • Business address
  • Business phone number
  • UH email address
  • Job description
  • Education/training background
  • Type of appointment
  • Service computation date
  • Job code/occupational group/class code
  • Collective bargaining unit code
  • Department code/description
  • Island of employment
  • Photographs

Non-UH Individual* Data Examples

  • Name
  • Business address
  • Business phone number

Restricted (Low Risk; Protected Data)

Student Data Examples

  • UH email address / UH username
  • Address (street name and number)
  • Personal phone number
  • Emergency contact phone number
  • Non-UH email address
  • UH ID number (may be referred to as Student or Employee ID number)
  • Other identifiers for internal use such as Banner PIDM, ODSPIDM, etc.
  • Photographs
  • Security camera videos

Employee Data Examples

  • UH ID number (may be referred to as Student or Employee ID number)
  • Non-UH email address
  • Other identifiers for internal use such as Banner PIDM, ODSPIDM, etc.
  • Security camera videos

Non-UH Individual Data Examples

  • Email address
  • Security camera videos

Other

  • Administrative/business data used for operational purposes, unless public disclosure is allowed under Chapter 92F-12
  • Research photos

Sensitive (Medium Risk; Protected Data)

Student Data Examples

  • Demographic data (date of birth, gender, ethnicity, etc.)
  • Other education record data that is not considered directory or restricted information, such as grades, courses taken, GPA, etc.

Employee Data Examples

  • Date of birth
  • Personal Address
  • Personal phone number
  • Job applicant records (names, transcripts, background checks, etc.)
  • Salary and payroll information
  • Access codes, passwords, and PINs for online information systems
  • Answers to “security questions” (e.g., what is the name of your favorite pet?)
  • Confidential information subject to attorney-client privilege
  • Information made confidential by a collective bargaining agreement

Non-UH Individual Data Examples

  • Home address
  • Personal phone number
  • Demographic data (date of birth, gender, ethnicity, etc.)

Other

  • UH research data involving personally identifiable information

Regulated (High Risk; Protected Data)

Student and Employee Data Examples

  • An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
    • Social Security Number
    • Driver license number or Hawaiʻi identification card number
    • Account number, credit or debit card number, access code, or password that would permit access to an individual’s financial account
  • Credit card and other financial information subject to the Payment Card Industry Data Security Standard (PCI DSS) and the Gramm-Leach-Bliley Act (GLBA)
  • Individually Identifiable Health Information (IIHI) and Health Insurance Portability and Accountability Act (HIPAA) data
  • Financial aid information included on the Free Application for Federal Student Aid (FAFSA) application (e.g., income, asset, and other financial data, marital and dependency status, household size, etc.) and subject to the Gramm-Leach-Bliley Act (GLBA)

Other

  • Regulatory requirements as defined in contracts such as:
    • NIST SP 800-171 Controlled Unclassified Information (CUI)
    • Cybersecurity Maturity Model Certification (CMMC)
    • Export controlled information

Best Practices

Access

Best practice:
Grant access to Protected Data based on an individual's legitimate interest or need to know.

If a person requires access to perform his job duties and responsibilities, he is deemed to have a legitimate need to know. Neither curiosity nor personal interest constitutes a legitimate need to know. In cases where it is not clear whether an individual’s role merits certain access, a dialog between the supervisor and the data steward may prove helpful.

Best practice:
Grant individuals the minimal amount of access required for them to accomplish what they need to do.

The most restrictive set of permissions and privileges will be granted on a need to know basis (to the extent it can be feasibly accomplished) and only for the duration needed. This requirement applies not only to UH and RCUH community members and affiliates, but also to third party vendors who may require access to our data to perform the services for which they were hired. The vendor’s contract should indicate that only authorized employees within their company may access UH Institutional Data.

Storage

Best practice:
Protect data based on the data element with the highest level of sensitivity within a record or document.

Identify what data classifications (Public, Restricted, Sensitive, and Regulated) your data falls under to determine what security measures are needed. ITS Minimum Security Standards are technical guidelines that tell you what security measures are required for different devices. They are located at: https://www.hawaii.edu/infosec/minimum-standards/.

If your data is subject to other standards, acts, or policies that differ from the ITS Minimum Security Standards, the more stringent security requirement will take precedence. Also, if you are working with Regulated Data, check the applicable standard, act, or policy requirements for any additional security requirements.

Contact your campus IT department or the ITS Information Security Team at infosec@hawaii.edu for assistance in understanding what you need to do to ensure these security requirements are met.

Data classified as Sensitive or Regulated must be secured. This means that electronic files containing such data must be encrypted during storage and when being transferred; paper documents must be kept in a locked drawer, cabinet, and/or room.

Best practice:
Keep only what you need.

When data has fulfilled its specified purpose, especially if it is Sensitive and/or Regulated data, de-identify or destroy it. The tendency to keep data beyond its usefulness is very common, but by retaining the data, you also retain the risk of an inadvertent exposure or breach. In fact, many of UH’s data breaches involved Regulated data that were no longer administratively needed.

Be aware, however, your data may be subject to records retention requirements based on federal or state regulations or industry standards that will dictate how long, at a minimum, you will need to retain those records. The state’s General Records Schedule (GRS) provides retention standards for records common across state agencies, such as general administrative, fiscal, and human resource records. The GRS is located at: https://ags.hawaii.gov/archives/about-us/records-management/records-retention-and-disposition-schedules/. Retention schedules for student records and the UH Children’s Centers are located in the appendices of UH Executive Policy 2.216. The retention periods stated in these schedules specify the minimum length of time to retain records and apply to original records, not duplicates. Should a record have conflicting retention periods, follow the more conservative (i.e., longer) period.

Getting rid of Sensitive and Regulated data no longer needed, either by de-identifying or deleting/destroying the data, greatly reduces the risk of data exposures and breaches to the University. Bottom line: Do not keep Sensitive and Regulated data “just in case” you think you may need it.

Best practice:
Do not keep duplicate records, especially if they contain personally identifiable information.

Records containing data that is considered the official "source of truth" or "system of record" for the University may be subject to specified retention periods. For example, personnel records of employees held by human resources offices, student transcript data maintained by campus registrars in Banner, and enrollment and graduation data reported by the Institutional Research, Analysis, and Planning Office are considered official data and/or records of the University. These records have retention periods associated with them.

Duplicate records, however, do not have the same retention requirements that systems of record have, and can be disposed of after they are no longer administratively needed. Reasons not to keep duplicate records beyond their useful life include an increased potential for exposure if there is a data breach, a need for storage space (whether it is hard disk or physical space), and an ongoing obligation to continue securely maintaining the records. Regularly purging duplicate files with PII that are no longer needed is a good practice to adopt.

Data Use

Best practice:
Use data only for the purpose intended. Protected Data should not be re-used or re-disclosed without approval or consent. This idea is integral to data privacy rights where an individual has the right to control how personal information is collected and used.

When entering into an agreement with another party, e.g., contracting a vendor for services or partnering with another organization, it is the responsibility of the UH unit to read through and understand the terms of the agreement. This includes making sure the agreement does not give the third party the rights to re-use and re-disclose data for their own gain.

For vendors in particular, beware of contract language that allows the vendors to sell, share, or use PII beyond the intended purpose. When negotiating contracts involving Protected Data, require vendors and their subcontractors to seek UH approval before re-using or re-disclosing data. Data handling templates with such language are available in Executive Policy 8.200, Appendices 9A and 9B, located at https://www.hawaii.edu/offices/legal/contractspolicy/appendices/. If the vendor refuses to negotiate, find another vendor.

Be aware that data input into generative artificial intelligence (AI) software will be retained by those models as the software learns new patterns and structures. Unless the vendor's terms of service and privacy policies state that your data will be kept confidential, assume that the data you input will be retained forever and will be considered public information. Do not input PII when using generative AI software. Faculty should not assign classwork that requires students to submit PII about themselves or others. Avoid sharing non-PII data that is copyrighted, confidential, or potentially proprietary. The general rule of thumb is if you do not want the world to know about something, do not share that information.

Best practice:
Whenever possible, use de-identified data. De-identified data is considered low risk in most cases because identifiers such as name and ID numbers have been removed. When de-identified data elements are considered in combination with other de-identified data elements, however, it may be possible to reconstruct the identity of an individual, especially with small datasets. If you have no specific need for identified data, opt to use de-identified data as there is no risk of harm if the data is exposed.

Best practice:
When publishing tables in reports or presentations, an effective strategy is to suppress small cell sizes to prevent possible identification of individuals. Although UH does not have a formal policy on small cell sizes, the standard guideline is to suppress cell sizes of 5 or less; however, when deciding what to release you may need to take other factors into consideration, such as the sensitivity of the data, your audience, and the purpose and corresponding level of detail required.
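The following is an added example, not UH code or policy, of applying the "5 or less" guideline to a table that is published together with its row and column totals. It goes one step beyond the guideline: a single hidden cell in a row or column can be recovered by subtraction from the total, so the sketch also hides the smallest remaining cell in that line (complementary suppression). The function names and the sample counts are constructed for illustration.

```python
THRESHOLD = 5  # the page's guideline: suppress cell sizes of 5 or less


def lines_of(table):
    """Yield every row and every column as a list of (row, col) positions."""
    n_rows, n_cols = len(table), len(table[0])
    for r in range(n_rows):
        yield [(r, c) for c in range(n_cols)]
    for c in range(n_cols):
        yield [(r, c) for r in range(n_rows)]


def exposed_lines(table):
    """Count rows/columns with exactly one hidden cell.

    Such a cell can be recomputed as (published total - visible cells).
    """
    return sum(
        1 for line in lines_of(table)
        if sum(table[r][c] is None for r, c in line) == 1
    )


def suppress(counts, threshold=THRESHOLD):
    """Return a copy of `counts` with suppressed cells replaced by None."""
    # Primary suppression: hide every cell at or below the threshold.
    out = [[None if n <= threshold else n for n in row] for row in counts]
    # Complementary suppression: repeat until no row or column is left
    # with exactly one hidden cell.
    changed = True
    while changed:
        changed = False
        for line in lines_of(out):
            hidden = [p for p in line if out[p[0]][p[1]] is None]
            shown = [p for p in line if out[p[0]][p[1]] is not None]
            if len(hidden) == 1 and shown:
                r, c = min(shown, key=lambda p: out[p[0]][p[1]])
                out[r][c] = None
                changed = True
    return out


# Constructed sample: head counts by campus (rows) and category (columns).
SAMPLE = [
    [40, 3, 25],
    [18, 22, 30],
    [12, 9, 27],
]

if __name__ == "__main__":
    for row in suppress(SAMPLE):
        print(["*" if n is None else n for n in row])
```

In the sample, hiding only the cell with a count of 3 leaves one row and one column exposed; the result hides three more cells so that every affected row and column has at least two hidden values.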

Cyber-Hygiene Best Practices

  • Anti-Malware/Antivirus Software and Host Based Firewalls
    • Install anti-malware/antivirus software and ensure its signatures are regularly updated.
    • Most modern operating systems include built-in firewalls, which are commonly referred to as Host Based Firewalls. Host Based Firewalls run on your device and provide an additional layer of protection from network cyber attacks.
  • Update Regularly
    • Enable automatic updates.
    • Software updates can be for operating systems, firmware, patches, and security fixes.
  • Multi-Factor Authentication (MFA; required for UH systems or services)
    • Enable MFA on all applications and websites when offered.
    • MFA comes in many forms, such as push, text, voice call, or hard token.
    • An MFA attack is when you receive unsolicited authentication approval requests. If you are receiving these, you should immediately change your password.
    • MFA fatigue is when you receive multiple authentication approval requests and assume each request is legitimate. Be vigilant and only approve requests you initiate. If you approve a request you are unsure of, please contact the ITS Help Desk at help@hawaii.edu or (808) 956-8883.
  • Password Security
    • Create complex, memorable passwords.
    • Do not reuse passwords.
    • Use a password manager application.
  • Use Encryption
    • Data stored on desktops, laptops, and removable storage media (USB drives, external hard drives, and CDs/DVDs) should be safeguarded with encryption.
    • Sensitive and Regulated data shall be encrypted when stored and transmitted.
    • When sending files, consider using the UH File Drop service: https://www.hawaii.edu/filedrop/
    • For more information on encryption please visit the following link: https://www.hawaii.edu/infosec/resources-tips/encryption/
  • Backup Your Data
    • Regularly back up your data, either on removable media or Google Drive for Public and Restricted data and UH Enterprise Dropbox for Sensitive and Regulated data.
    • Ensure your backup is encrypted.
    • Store your removable media that is not normally accessed on a day-to-day basis in a secured area such as a locked filing cabinet.
  • Unknown Storage Media or Devices
    • Do not plug any “lost” or unknown storage media or devices into your computer.
  • Lock Your Devices
    • Whenever you step away from your device, lock the device so that a password is needed to regain access.
    • Configure your device to automatically lock when it is inactive.
  • Limit The Use of Administrative Accounts
    • Use a non-privileged user account for normal day-to-day activities like using the internet and email.
    • When you need to perform actions like installing or removing software, log in with a privileged account, and then log out when done.
  • Phishing
    • Never open suspicious or unknown links or attachments, or scan QR codes in emails.
    • While phishing emails are common, phishing can come in other forms such as text messages and phone calls/voice mails.
    • Is the email poorly worded with misspellings? This is a common indicator of phishing.
    • If a known contact sends you a suspicious email or text message (spoofed) and you would like to verify authenticity, you should contact the person through official methods of communication, such as their office phone number.
  • Mobile Device (Smartphone/Tablet) Security
    • Ensure you have a passcode set.
    • Keep the mobile device’s operating system up to date and patched.
    • Only use trusted sources to install apps (Apple App Store, Google Play, Amazon Appstore).
    • Limit the amount of sensitive information you store or transmit on your mobile device, or avoid doing so altogether.
    • Consider the use of encryption on your mobile device. Due to the portable size of mobile devices, they are at increased risk of being lost or stolen.
    • Avoid connecting to public or unknown wireless networks.

For other helpful hints on how to secure your device and protect your information, visit https://www.hawaii.edu/infosec/minimum-standards/cyber-hygiene/