Data Regulation Categorization
Procedures
- A Data Steward must assign each “Data Regulation Categorization” to a Data Element.
- A Data Steward must assign each “Data Regulation Categorization” to a Data Sub-Domain, which may be derived by choosing the highest requirements categorization from Data Elements within the Data Sub-Domain.
- An Associate Data Trustee must assign each “Data Regulation Categorization” to a Data Domain, which may be derived by choosing the highest requirements categorization from its Data Sub-Domains.
- A System Owner must assign each “Data Regulation Categorization” to an Information System, which may be derived by choosing the highest requirements categorization from the Organizational Data within the Information System.
- A report or a data set that contains Organizational Data may indicate the “Data Regulation Categorization(s)” in order to communicate to its intended audience the type of requirements the report or data set contains.
The “Data Regulation Categorization” indicates which, if any, local, USG, state, federal, and international laws or regulations may apply to Organizational Data and Information Systems. This categorization also may indicate if additional specifications are required due to grants, contracts, or other agreements entered into by, or for the benefit of, Georgia Tech. The following categorizations are available:
Data Regulation Categorizations | Categorization Statement | Categorization Choices |
---|---|---|
FERPA (Family Educational Rights and Privacy Act) | The Information System or Organizational Data contains data protected by FERPA. | True or False |
HIPAA (Health Insurance Portability and Accountability Act) | The Information System or Organizational Data contains data protected by HIPAA. | True or False |
GLBA (Gramm-Leach-Bliley Act) | The Information System or Organizational Data contains data protected by GLBA. | True or False |
EU GDPR (European Union General Data Protection Regulation) | The Information System or Organizational Data contains data protected by EU GDPR. | True or False |
Research Requirements | The Information System or Organizational Data contains data protected by research requirements. Examples include FAR, DFAR, CUI, etc. | True or False |
Export Control | The Information System or Organizational Data contains data protected by export control. Examples include ITAR, EAR, OFAC, etc. | True or False |
Non-Regulated | The Information System or Organizational Data does not contain data that is regulated by any of these regulation categorizations. | True or False |
- An individual must submit a request to add a new categorization, change the name and/or definition of an existing categorization, or deprecate the use of an existing categorization to the Data Governance Committee. The request must include:
  - Name of the categorization (proposed name if new or changing)
  - Definition of the categorization (proposed definition if new or changing)
  - Reason the modification is requested
- The Data Governance Committee will review the request and determine if further discussion is required with the requestor or others involved with the request.
- If approved, the Data Governance Committee will notify the requestor and publish the change to the official list of approved “Data Regulation Categorization” choices on the website. Inventories that rely upon “Data Regulation Categorization” (e.g., Data Element Dictionary) will be updated.
- If not approved, the Data Governance Committee will articulate the rejection and send it back to the requestor.
Resources
Regulated Organizational Data may include requirements that surpass the minimum protections required for Protected Data as outlined in Cyber Security’s Data Protection Safeguards and Protected Data Practices. Regulated Organizational Data must adhere to the highest requirements when combining protections from Cyber Security’s requirements and the regulation’s requirements. Please see Cyber Security’s Data Protection Safeguards and Protected Data Practices for more information.
Yes. Organizational Data may be disclosed under the Georgia Open Records Act subject to requirements and exceptions noted in the law. Please contact Institute Communications for more information.
Yes. Organizational Data may be exempt from disclosure under the provisions of the Georgia Open Records Act or other applicable state or federal laws. Specifications contained in Georgia Tech grants, contracts, and other agreements entered into by, or for the benefit of, Georgia Tech may also provide exemptions from disclosure.
Regulation | Business Contact(s) | Legal Contact(s) |
---|---|---|
FERPA | Reta Pikowsky (Office of the Registrar) | Kate Wasch, Susann Estroff |
HIPAA | John Scuderi (Stamps Health Services) | Sally Robertson |
GLBA | Marie Mons (Office of Scholarships and Financial Aid) | |
EU GDPR | Sally Robertson (Office of the General Counsel) | Sally Robertson |
Research Requirements | | |
Export Control | Lacee Harris (Office of the General Counsel) | |
Georgia Open Records Act | Jamila Hudson-Allen (Institute Communications) | Kate Wasch |
Revision Date | Author | Description |
---|---|---|
2021-07-27 | Zachary Hayes, Data Governance | New |