Data governance is the framework the University of Dayton is using to manage its data assets, establishing policies, procedures, and standards to ensure data is:

• Accurate: Correct and reliable.
• Consistent: Uniform across all university systems and applications.
• Secure: Protected from unauthorized access and breaches.
• Compliant: Handled in accordance with applicable laws and regulations.
• Usable: Accessible to those who need it, when they need it.

Strong data governance supports the University in many ways:

• Improved Decision-Making: Reliable and accurate data leads to smarter, more effective decisions.
• Enhanced Regulatory Compliance: Helps us meet evolving data privacy standards (like GDPR and HIPAA), minimizing risks.
• Stronger Data Security: Establishes access controls and security protocols to reduce the risk of breaches and unauthorized access.
• Enhanced Data Quality: Ensures data is complete, consistent, and trustworthy.
• Operational Efficiency: Streamlines operations by eliminating data silos and redundancies, thereby improving productivity.
• Builds Community Trust: Demonstrates that we take protecting sensitive data seriously.
• Empowered Data Access: Enables more community members to access the data they need, without sacrificing security.

Data governance helps us get the most value from our data while managing risks and staying compliant. Want to learn more?  Visit go.udayton.edu/datagovernance.

The University collects, processes, and stores a wide range of data, much of it sensitive and subject to specific compliance requirements. To ensure proper data management and security, accountability is crucial.

Data Stewards: Upholding UD’s Data Governance Standards

As outlined in the Record Retention Schedule and the Data Governance Core Group section of our Data Governance website, various offices serve as Data Stewards for specific types of data.  These Data Stewards and their designees:

• Protect Access: Ensure that only individuals with a legitimate, job-related need can access specific data systems.
• Manage Data Use: Oversee data use, including reviewing requests for new processes or tools.
• Approve Data Sharing: Approve or deny any requests to share data outside University systems, particularly with external vendors or service providers.

Without this oversight, we increase the risk of data breaches and violations of legal or industry regulations.

While UD’s Information Security Policy establishes a general security baseline, it defers to the judgment and authority of the Data Stewards.  Their guidance and exceptions take precedence for the data types they manage.

For questions about data, data sharing,  or to request approval for sharing data outside of established processes, submit a Data Request or Question for a Data Steward.  Your request will be routed to the appropriate Data Steward(s) for quick response and/or approval.

The University of Dayton classifies data into four categories to ensure appropriate access and handling based on the potential risk of unauthorized disclosure.

• Restricted: Extremely sensitive information requiring strict protection, such as Financial account details or Social Security numbers.
• High: Sensitive information only accessible to specific individuals with an established need.
• Medium: Information that can be freely shared between UD employees
• Low: Publicly available information

A more general term, Sensitive Information, includes any information other than that classified as Low.

Restricted Data: Protecting Our Most Sensitive Information

Restricted data is the university's most sensitive information. Unauthorized access can lead to severe consequences, including identity theft, financial losses, and legal penalties, not just for UD but also for the community members who entrust us with their data.

Examples of Restricted Data:

• Government-issued identifiers (e.g., Social Security Number, passport numbers, driver’s license numbers)
• Financial Account Information
• Individually identifiable health or medical information (e.g., HIPAA data)
• Controlled Research Data
• Biometric Information

Storage and Access Requirements:

• Restricted data must not be stored on employee computers.
• It should be accessed and stored only through established and approved University systems and unit processes (e.g., Banner).
• Box can be used for storing restricted data, but sharing must be thoughtfully managed using Unit-managed versus personally created folders.
• Email should not be used for sharing restricted data unless additional, robust security measures are implemented. See “How safe is email?” for more information.

If you require access to Restricted information, need to share it internally or externally, or have any questions, contact the relevant Data Steward for guidance.

High Data: Sensitive Information with Controlled Access

The High data category contains information meant only for specific UD communities or employees with established needs. 

Examples of High Data:

• Information protected under FERPA, in general
• Non-directory student information
• Personnel records
• Donor information
• Non-public legal work and litigation information
• Budget and financial transaction information
• Information designated as confidential by vendor contracts, NDAs, and Data Use Agreements
• IRB records

Storage and Sharing Guidelines:

• High data may be stored on University-provided computers.
• Approved cloud storage options include Box and Google Drive.
• Microsoft OneDrive is not an approved storage solution for high data.
• Do not share high data via email unless additional safeguards are in place to protect the data. See “How safe is email?” for more information.

If you require access to High information, need to share it internally or externally, or have any questions, contact the relevant Data Steward for guidance.

Medium Data: Sharing Within the University Community

Medium data includes information considered sensitive but low-risk, and can be freely shared among University of Dayton employees.

Examples of Medium Data:

• University ID numbers
• Internal memos
• Non-public contracts

Storage and Sharing Guidelines:

• Medium data may be stored on University-provided computers.
• Approved cloud storage options include Box and Google Drive.
• Microsoft OneDrive is not an approved storage solution for sensitive information.
• Medium data may be shared via email with other University of Dayton community members.

If you need to share Medium information with non-UD employees or with individuals outside the University of Dayton, contact the relevant Data Steward for guidance.

Low Data: Public Information and Considerations

Low data (aka Public) is generally considered risk-free and can be shared freely, both within and outside the university. While there are typically no restrictions on sharing, storage, or communication of Low data, it's crucial to remember that context matters. What is considered low data for one group may not be for another.

For Example, Media Requests for Degree and Class Year:

• For alumni, this information is often publicly available (e.g., in online yearbooks).
• For current students, this information is considered directory information under FERPA and is classified as Medium data, requiring Data Steward approval for external sharing.

Contact the relevant Data Steward for guidance if you have any questions regarding this category.

UDRI acts as the “Data Steward” for Restricted Controlled Unclassified Information (CUI) and International Traffic in Arms Regulations (ITAR) data related to UD’s sponsored research. Due to rigorous federal compliance mandates, employees working for or with UDRI on projects involving this data must understand critical distinctions between UD’s and UDRI’s information security policies. Key differences include, but are not limited to:

• System Restrictions for CUI/ITAR Data: CUI and ITAR data for UD-sponsored research shall be restricted to UDRI-managed systems, including email and file-sharing services. UD-managed systems and equipment are not authorized to store or transmit this type of data.
• BYOD Restrictions for UDRI Systems: UDRI does not permit Bring Your Own Device (BYOD) for direct access to UDRI systems or data. However, access may be allowed through a properly configured Virtual Desktop Infrastructure (VDI).
• VPN Requirement for Off-Network Access: A Virtual Private Network (VPN) connection is required whenever a UDRI-managed device connects to any third-party network, including the University of Dayton’s network.

For detailed UDRI-specific information regarding CUI and ITAR compliance, refer to UDRI's Insite page.  If you have questions or would like more information regarding UDRI’s policies, procedures, or data handling requirements, contact helpdesk@udri.udayton.edu or security@udri.udayton.edu.

University data is vital for providing essential services to our community, including event management, research, education, and healthcare. However, unauthorized access or modification poses significant risks. To protect UD and its community from potential harm due to data breaches or misuse, all data sharing must be deliberate and secure.

Key Principles for Data Sharing:

• Access Control: Access to University systems and data is granted individually through established and approved processes.
• Internal Sharing: Employees needing data access should be granted their own authorized access.
• External Sharing:
  • Approval:  Sharing data with external parties (non-employees, third-party providers) requires approval from the Data Steward and Legal Affairs.
  • Handling Contracts: Agreements and contracts must include robust confidentiality and data security clauses, appropriate to the data's classification.

Email is a powerful and convenient communication tool that connects people and organizations across the globe. It's been around for decades, and while it has evolved to address many security concerns, it's not without its flaws:

Common Email Security Risks:

• Encryption isn’t automatic.
  • Email systems don’t all enable encryption. Encryption must be intentionally set up and correctly configured, and many individuals and organizations don’t take this extra step. Without it, emails can be intercepted in transit, particularly on poorly secured networks.
• Human error is easy and common.
  • There’s no built-in way to prevent someone from forwarding an email, sending it to the wrong recipient, or attaching the wrong file. Once it’s sent, you lose control over where it goes and who sees it.
• Inboxes are often unsecured archives.
  • Many people use their inbox as a long-term archive of messages and attachments, raising the risk that an attacker could gain access to years of stored data.

Secure Alternatives:

• Do not use email for data classified as "Restricted" or "High" sensitivity.
• Use UD-approved platforms like Box or Google Drive for secure file sharing via controlled links.
• Password-protect your attachment, sharing the password with your recipient via an alternative method (not in the same or even the next email you send them).

Yes! The University provides annual Security Awareness training for all employees to help promote a culture of cybersecurity and data protection.

In addition to this general training, employees may also be assigned specialized training based on the types of data they handle. These subject-specific trainings cover key regulations and frameworks, including but not limited to:

• Cybersecurity Maturity Model Certification (CMMC)
• Family Educational Rights and Privacy Act (FERPA)
• Gramm-Leach-Bliley Act (GLBA)
• Payment Card Industry Data Security Standard (PCI DSS)

According to CNN, the average person has over 100 online accounts. When it comes to your personal life, you likely have accounts for music, TV, banking, news, social media, utilities, etc. At UD, we try to streamline it to just one account for all your university business.

While your UD account is designed to handle all your University-related work, personal accounts should be kept separate.

There are a few key reasons why:

• Security: Separating work and personal accounts makes phishing attempts easier to spot and limits your exposure if one account is compromised.
• Privacy: You don’t want your personal life mixed into your work inbox, or worse, risk losing access to important personal accounts, and everything in those accounts, if you ever leave UD.
• Access Control: When you use a UD email to sign up for a personal service, UD technically controls that account. If your access is ever disabled, you could lose those personal services.

In some cases, a service may require your UD email to verify eligibility for a discount or access to a product.  However, you should avoid using your UD email as your primary contact for personal accounts when possible.

As mentioned above, you have a single UD account. By policy, passwords must be strong and are further protected by multifactor authentication (MFA). However, even MFA isn’t foolproof. If you reuse your UD password for other accounts or services, you increase the risk of your UD account being compromised.

The best practice? Use a unique, strong password for each of your sensitive accounts and enable MFA wherever it's available.

As a general best practice, personal equipment should not be used for UD business, and UD-owned equipment should not be used for personal activities.  However, in some cases, the use of personal devices may be necessary. The following guidance applies:

Personal Computers: UD-managed computers are maintained with current software and centrally managed security controls to ensure our data and networks are safe from attack. Personal devices may not meet those same security standards. If a University-issued device is unavailable, employees should utilize UD’s Virtual Desktop Infrastructure (VDI) to securely access University systems.

When it is necessary to use a personal computer:

• Access should be limited to secure, web-based University systems that require authentication using University credentials.
• No University data should be stored locally on the device.
• Access should be restricted to data classified as Low, Medium, or High. Restricted data must not be accessed or stored on personal equipment.

Part-time (adjunct) faculty are not typically issued UD-owned equipment. They are expected to use UD’s VDI or their personal devices to access essential systems like Google Drive, Canvas, Porches, and Banner for course management and grade entry.

Student employees should be provided with UD equipment or use VDI when working with Sensitive Information.

Mobile Phones: Use of personal mobile phones for voice communication is permissible. However, access to University data on personal phones should be carefully controlled:

• See “How safe is email?” for more information.
• University systems should be accessed via secure applications requiring login with your UD credentials and data should not be stored on the device.

USB Flash Drives and External Storage: University tools such as Google Drive and Box have largely replaced the need for removable storage.  When the use of external storage is necessary:

• Only devices procured by the University should be used.
• Devices must be encrypted if used to store Sensitive Information.

Questions or requests for exceptions should be directed to the relevant Data Steward.

Let’s give credit where it’s due: Google’s Gemini AI helped us put this FAQ together. As the UD community continues exploring how AI can enhance teaching, learning, research, and administration, it’s important to balance the power of these tools with our responsibilities, especially when it comes to data. 

All of us at UD have access to different types of data depending on our role and the systems we interact with. That’s why understanding the risks is just as important as exploring the possibilities. Two of the biggest concerns we’re seeing:

• Using AI tools that aren’t officially contracted by UD. These may collect and train on any data you provide.
• Sharing sensitive results with people who aren’t authorized to see them, sometimes unintentionally.

Here’s a short video that breaks down some of the risks associated with using AI and data.

For more information on how AI is used at UD, visit go.udayton.edu/ai.

If you’re concerned about an email you’ve received:

• Open the email (but do not click any links or download attachments).
• Click the “Phish Alert” icon in the Gmail side panel to report it directly to IT Risk Management.

If you suspect any other kind of IT security issue, such as:

• Denial of service (DoS) attacks
• Malware or virus infections
• Lost or stolen devices
• Unauthorized access to data

Report it immediately using the IT Security Incident Reporting form. Your report goes straight to the IT Risk Management Officer (IRMO), who will coordinate the right team to investigate and respond.

For any other questions, contact itriskmgmt@udayton.edu or 937-229-4387.