Legal and Compliance data includes information related to an institution's legal and regulatory obligations, as well as records of compliance activities to ensure adherence to relevant laws and regulations, mitigate legal risks, and support strategic decision-making.
The Legal and Compliance Data Domain is divided into Subdomains providing information on a more granular level.
Data Trustee: TBD
Data classification is a practice that helps us understand the value of our data and identify more sensitive data. The more sensitive the data, the more cautious you must be about accessing and sharing it with others and the more protections it needs to safeguard it from mishandling or misuse.
Vanderbilt University has a Data Classification Policy that has categorized VU data into the 4 levels listed below. Data classification for transactional row level data are assigned at the Subdomain level. However the same data may be classified differently dependent on the format of the data.
*See the next tab for some domain specific data classification guidelines and examples.
| Level 1 - Public | Level 2 - Institutional Only | Level 3 - Restricted | Level 4 - Critical |
|---|---|---|---|
| Intended for public release or distribution. | Private to VU and should not be available to non-VU individuals without permission. | Confidential by law or contract, or should not be shared with unauthorized persons. | Confidential by law or contract and requires bespoke security requirements. |
Visit the VUIT Cybersecurity website for more information and guidance on Data Classification.
Additional Data Classification Rationale & Guidelines for Legal & Compliance Data
Specific domain data may have different data classification levels depending on the type and format of a dataset.
Below are some domain specific guidelines and examples on classifying data. (more examples coming soon)
| Classification | Type of Data Elements | Example(s) |
|---|---|---|
| Level 4 - Critical | N/A | N/A |
| Level 3 - Restricted | Protected ID’s, private personal data | National Identification numbers, Date of Birth, Sex at Birth |
| Level 2 - Institutional Use Only | Non-sensitive directory information | Directory Information (name, address, email, phone) |
| Level 1 - Public | Aggregated Data and non-personally identifiable row level data | Some aggregate data may not be made public if there is a risk of personally identifying data classified at the internal or higher level. |
If you are not sure which classification level your data falls in or have questions about data handling and sharing, contact Data Governance Program Office.
Subdomains
Minimum Training & Requirements to Request Access to Legal & Compliance Data
- Departmental Approval Required.
Data Access Request Processes & Forms
TBD
Not sure how to start?
Reach out if you don’t know where to begin. The Office of Data and Strategic Analytics Partnering Team collaborate with leaders and serve as trusted advisers. Partners provide subject matter expertise and are available to assist with your data needs.