Classify Your Data
Duke’s Data Classification Standard defines three classes of information: Sensitive, Restricted, and Public, and provides examples of data types for each classification.
Several types of Sensitive data require additional protections, including:
- Student data protected by FERPA (such as grades)
- HIPAA/ePHI data
- Social Security numbers
- Credit card data
If you work with any of these data types, contact your IT support or the security offices (email@example.com) for guidance on the protections required for the data.
Find Approved Services by Classification
The Duke Services and Data Classification policy contains a chart that outlines which Duke services meet the minimum security requirements for use with Sensitive, Restricted, and Public data.
- The SecureIt decision tree tool provides information on tools and services to help you secure Duke data based on guidance from the Security Offices.
Secure Data and Systems Based on Classification
The Policies, Procedures, and Standards page contains a collection of requirements for securing Duke systems and information and includes standards that define requirements based on data classification.
- Data Loss Prevention (DLP) Tool Access and Use Policy
- Data Loss Prevention (DLP) Tool Usage Procedure
- Duke University Standard: Encryption
- Media Control and Disposal
- Duke University Standard: Logging
- Records Retention Guidelines
- Whole Disk Encryption
- Duke Health Information Security Office: Encryption Video
- Securing Metadata
The individual(s) ultimately responsible for determining the sensitivity of the data, who can access it, and how it should be protected. Examples: Duke's Registrar is the data steward for FERPA (student) data such as grades; a principal investigator is the data steward for his/her research project.
Typically an IT administrator responsible for securing the data according to the directives of the data steward. Data managers should have a good working knowledge of how to securely manage systems and applications.
The individuals who have been approved by the data steward to access the data. They are responsible for their access to the data, including the security of the account and any data they may have access to or be in possession of.
Research data may go through all classifications during the cycle of research. While a study is in progress, the data may be classified as Sensitive, but after the study is closed and the data shared according to NIH or NSF guidelines, it may be Public. Research budgets are always Sensitive, but federally funded research proposals are often Public (as they may be requested from the funding agency with a FOIA request).
Principal Investigator (PI)
The PI is considered the data steward for the data in his or her portfolio.
As teachers, faculty are responsible for following FERPA regulations. In general, this is accomplished by following the instructions from the Provost about grading and course conduct.
Students involved in research are to follow the research protocols and security requirements and processes. Students involved with Duke Health must follow the HIPAA regulations and treat PHI as Sensitive.
Duke Health workforce
Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity (e.g., Duke Health System, Private Diagnostic Clinic, School of Medicine), is under the control of such entity, whether or not they are paid by the covered entity.
HIPAA treats all PHI as sensitive.
FERPA applies to Duke trainee interactions.
IT staff are not usually Data Stewards, so their responsibilities follow the Data Steward's designation and requirements.
Expected to follow work instructions and staff policies. Applying common sense to unfamiliar situations and asking for guidance go a long way toward a compliant atmosphere. Responsible for the individual security of their Duke account and the data to which they have been granted access.