Most Institutional Data is regulated in some way. As a steward of institutional data, you are responsible for the Institutional Data sent, stored or shared on all information technology devices -- personal or university-owned -- that you use. This responsibility includes choosing appropriate information technology (IT) resources to manage data and ensuring that the usage complies with state and federal regulations.
The regulatory environment surrounding data and data privacy is changing rapidly. See the Data Regulatory Compliance page for information about some of the regulations that impact your use of data and technology resources.
Refer to the Regulated Data Chart for guidance to help you choose appropriate technology tools for sending, storing and sharing institutional information. |
What is the Regulated Data Chart?
The Regulated Data Chart provides guidance to help you choose appropriate technology tools for sending, storing and sharing institutional information. The chart lists both cloud and on-premise services that you are likely to use as part of your daily work routine. Use the chart, as directed below.
Certain terms in this policy are defined at the end of the policy.
Entities Affected By This Policy
All University faculty and staff.
Reason for Policy
- Federal laws in the area of education, financial and health care records, as well as a number of state data breach notification laws and contractual provisions in government research grants, impose legal and technical restrictions on the appropriate use of institutional information. The university must comply with laws, contract provisions and other restrictions.
- At this time, it is not possible to use all institutional information indiscriminately on all IT services offered at SPU. University Counsel and CIS work together to obtain proper agreements and technical safeguards on both cloud and on-premise IT applications, but right now not all information has legal protection for use with all technologies.
Policy Version: 1.0 Responsible Office: Information Technology Effective Date: July 1, 2019 |
How to use the Regulated Data Chart
Before choosing a tool to send, store or share institutional information, ask two questions:
- Question 1: Does the Regulated Data Chart permit use of this IT service with the data type I am interested in working with?
- Question 2: Do my department/unit policies and my data steward permit use of this IT service with the data type I am working with?
If you don't know the answers to these questions, check with your supervisor.
If the answer to both questions is yes, you may use the IT tool to send and store the university data in question.
Important notes for chart users:
- Information in the chart applies to University contracted enterprise versions of the services listed and these should not be confused with consumer versions of these services or third party applications associated with these services that take institutional information outside of the protected technical environment that the University's contract with the vendor requires. Enterprise versions of cloud services are very similar to consumer versions in terms of features and capabilities. However, for enterprise versions, Seattle Pacific University
- negotiates institution-wide terms and prices.
- vets the service with its legal, policy, supply management, audit, and security specialists.
- integrates the service with SPU credentials and authentication environment (so that you can use your SPU Username+Password to log on, for example), when available.
- The Regulated Data Chart does not apply to data associated with faculty research unless that research falls under a regulation or contract.
The Regulated Data Chart indicates if appropriate technical safeguards and contractual protections are in place through for sending, storing, or sharing regulated or confidential data using a particular technology. Always check both the Regulated Data Chart and your local guidelines before deciding if a resource is a safe and acceptable for storing sensitive or regulated data.
Example: SPU's contract with (fictional) Vendor B requires that the company retain SPU's education records, such as a student's academic work, in a technical environment that protects against inadvertent disclosure and that the company implement privacy practices that meet FERPA standards. Because Vendor B is obligated to provide this level of protection, it is possible from a strictly contractual perspective, to send, store or share FERPA records using Vendor B's service. This contractual provision is the minimum, necessary requirement but is not, by itself, sufficient for permitted use of Vendor B's service with FERPA data. Although the Regulated Data Chart would indicate that this use is permissible, your data steward or your department/unit guidelines may still prohibit use of Vendor B's service.