Skip to main content
  • Library
  • News
  • Events
  • Directory
Rave Alerts Account Login
WSU Logo against a transparent background
  • Commencement
  • Academic Calendar
  • OneCard
  • Registrar
  • Online Bookstore
  • Housing
  • Tuition
  • Financial Aid
  • Transcript
  • FAFSA
  • Counseling Services
  • Student Handbook
  • Library
  • News
  • Events
  • Directory
  • MyWooState
    • Blackboard
    • Gmail
    • Self-Service
Rave Alerts Account Login
WSU Logo against a transparent background WSU Logo in white text against a transparent background
  1. Home
  2. MyWooState FacStaff
  3. Institutional Assessment &...
  4. Best Practices for Accessing,...

Best Practices for Accessing, Sharing, and Storing Data


IN THIS SECTION
  • Institutional Assessment
  • Institutional Research
  • Institutional Dashboards
  • Institutional Surveys and Reports
  • Strategic Planning
  • Data Requests
  • Best Practices for Accessing, Sharing, and Storing Data
Contact Us
Assessment & Planning
Shaughnessy Administration Building
Suite A-352
ir@worcester.edu
508-929-8119

Introduction

Worcester State University has created a Data Classification Policy that classifies institutional data into one of four levels based on the potential risk of harm to individuals or the University if the data were compromised. For each level, there are different standards for accessing, storing, sharing, and using the data. 

In practice, this means:

  • Not all data can be handled the same way
  • Sensitive data must be shared and stored more carefully
  • You are responsible for protecting any data you access
  • If you are unsure about the classification level or how to protect data, reach out to Information Technology Services or Institutional Research.

Data Classification Overview

For detailed information on the classification of specific types of data, see the Data Classification Table. 

  • Highly sensitive data protected by law, regulation, or contractual obligation whose unauthorized disclosure, alteration, or loss would cause severe harm to individuals or the University. 

    Examples: Government issued Identification numbers, personal financial information, protected health Information, authentication credentials. 

    Protection*:

    • Only share with authorized individuals with a legitimate business need. 
    • External sharing requires CIO approval, Data Trustee approval, and confidentiality agreement. 
    • Do not send as email attachment.
    • Do not copy/paste into or use with any AI tool.
    • Store in the source system whenever possible. If not possible, store on university-approved devices and systems with strong passwords and/or multifactor authentication. 

    *In addition to any legal or contractual requirements

  • Sensitive data that is not classified as restricted by law, regulation or contract but protected from public disclosure because its unauthorized release could cause significant harm to individuals or the University. 

    Examples: Student educational records when tied to identity, employment documentation, campus safety and security system details, admissions information, 

    Protection:

    • Minimize access and sharing.
    • Do not attach to emails.
    • Store on university approved devices and systems with strong passwords and/or multifactor authentication.
    • Only copy/paste or use with enterprise AI tools explicitly approved for confidential data. 
  • Non-public operational data that is intended for internal use, but not highly sensitive and not legally protected.

    Examples: Draft policies or reports, internal planning documents, faculty tenure & promotion materials, and information posted on the MyWooState portal. 

    Protection:

    • Do not store on personal devices. 
    • Do not share with external parties unless you have approval from the owner.
    • Can only be used with or copy/pasted into enterprise AI tools. 
  • Information that is intentionally made available to the public or legally required to be disclosed.  

    Examples: Press releases, published reports, directory information, and any information on the public website. 

    Protection:

    • No restrictions.

Data Security Best Practices

  • Use university-managed and supported devices.
  • Use settings to lock the device after a short period of inactivity.
  • Do not access non-public university data using public wi-fi
  • Do not access non-public university data on shared computers.
  • Only use the university approved VPN to remotely access non-public university data. 
  • Do not use AI platforms for restricted data and only use explicitly approved enterprise AI platforms for confidential data. 
  • If you must travel with confidential data, contact the Helpdesk to request full-disk encryption for your university-owned laptop. 
  • Share non-public data via google drive links rather than attaching to emails.
  • Remove identifying information whenever possible before sharing. This includes identification numbers, names, and date of birth.
  • Avoid forwarding emails with sensitive data to other people without permission from the sender. 
  • Do not assume that another employee has the same level of access to data as you do. Always check before sharing sensitive information. 

Common Questions

General

    • Institutional data is any information created, collected, stored, or used by Worcester State University as part of its operations. 
    • This includes student records, employee information, reports, emails, spreadsheets, and even printed documents. 
    • If you are using the data for university work, it is institutional data and must be handled according to the Data Classification Policy.
    • A Data Trustee is responsible for overseeing specific types of institutional data, including approving access and ensuring appropriate use.
    • The Data Trustees list provides a list of function areas and the position overseeing that type of data. 
    • First, check the Data Classification Table.  
    • If the data is not listed on the table, contact the Data Trustee for that type of data. 
    • You should treat the entire data set based on the highest classification level. If any restricted data is in the set, treat all data as restricted. 
    • If there are changes to laws, regulations, or statutes, the Data Trustee might change the classification level to a higher or lower level. 
    • De-identification or aggregation of data can also change the classification. For example, removing all identifying data such as ID#, name, date of birth can change a data set from confidential to internal. Aggregating data (totals rather than individual information) can also change a data set from confidential to internal or public. 
    • Always refer to the Data Classification Table or reach out to the Data Trustee or Institutional Research if you have questions about a classification level. 
    • When laws, regulations, or contracts impose stricter requirements, the stricter requirements supersede this policy.
    • Encryption locks a file with an encryption key or password. The file itself is scrambled and becomes unreadable without the appropriate key or password.
    • For Microsoft files like excel and word, open the file, click File > Info > Protect Workbook > Encrypt with Password. Then enter a password and store it separately. 
      • Microsoft cannot recover or reset lost passwords, so if you forget your password, you will permanently lose access to the file.
      • You should not provide the password in the same email as the encrypted document. 

Accessing Data

    • Access to data is based on a legitimate business need. 
    • Data access is authorized by the Data Trustee for that functional area. 
    • The university VPN, provided through Cisco AnyConnect, allows secure access to university systems when working remotely. 
    • Do not access non-public data from personal computers or devices. 
    • Avoid accessing non-public university data using public wi-fi unless connected through the university VPN.
    • No. Having access to data does not automatically mean you are permitted to share with others.
    • Individuals may have rights to access certain records under applicable laws and university procedures. Contact the appropriate office for guidance.

Sharing Data

    • The preferred method for sharing data is through Google Drive using your WSU account. 
      • Upload the file to Google Drive and share it with specific individuals. 
      • The general access should be set to “Restricted”, rather than “Anyone with the link.”
      • Set permissions to “Viewer” unless editing is required. 
      • You can prevent viewers from downloading, copying and printing by clicking the gear icon on the sharing pop-up and uncheck ‘Commenters and Viewers’ under “People who can download, copy and print.”
      • You can also set an expiration date for access. 
    • Restricted data must not be sent via email.
    • Confidential data may be shared internally via email, but attachments should be avoided when possible. Instead, upload the file to Google Drive and share a link with specific individuals.
    • If you must attach the data to an email encrypt the file and include a confidentiality statement in the email text. 
    • Sharing data externally requires approval.
    • Restricted data requires approval from the CIO, the appropriate Data Trustee, and a confidentiality agreement in place.
    • Confidential data requires approval from the appropriate Data Trustee.
    • Internal data requires approval from the owner. 
    • If you are unsure whether external sharing is permitted, do not share the data until approval is obtained.
    • Utilize google drive rather than attaching the data to the email. 
    • Restricted and Confidential data should not be shared through personal text messaging or unapproved messaging applications.
    • Restricted and Confidential data should not be forwarded to personal email accounts.

Storing Data

    • Confidential and Restricted data should only be stored on university-managed devices that are encrypted and secured.
    • Restricted and confidential data should not be stored on personal devices.
    • Avoid downloading files unnecessarily. When possible, work directly in the source system or using secure systems such as Google Drive. 
    • Yes, but only your WSU account should be used.
    • Files should be shared with specific individuals and not broadly accessible unless appropriate.
    • Do not use personal Google accounts, Dropbox, or other non-university storage services for institutional data.
    • Avoid storing Restricted or Confidential data on removable media unless explicitly approved and encrypted.
    • The most secure way to travel with Confidential data is by using full-disk encryption (FDE) on a University-owned laptop. 
    • Contact the Helpdesk to request FDE for your system.
    • Physical materials that contain Restricted or Confidential data must be locked in a secure location and only accessed by authorized users with a legitimate need.

Data Disposal

    • Before deleting files or destroying documents, be sure to check federal or state retention requirements.
    • Digital files with sensitive data should be deleted from devices when no longer required. In addition to deleting the file, be sure to empty the recycling bin as well. 
    • To permanently delete files to be completely unrecoverable, for example, if you are changing computers contact Information Technology Services for sanitization. 
    • Physical materials should be shredded or otherwise destroyed prior to disposal.

AI Tools

    • Restricted data must never be entered into any AI tool, either though copy/paste or attachments.
    • Confidential data may only be used with university-approved enterprise AI tools that have been explicitly approved for confidential data.
    • Public AI tools using personal accounts should not be used with non-public institutional data.
    • Internal data may only be used with enterprise AI tools. 
    • Public data may be used freely.
    • If you are unsure whether a tool is approved for institutional data, ask Information Technology Services. 

Reporting a Data Incident

    • Contact Information Technology Services immediately. 
    • Prompt reporting allows the university to reduce potential harm and meet legal obligations when necessary.
    • Improper handling of data can result in harm to individuals and the university, including identity theft, legal penalties, and reputational damage.
    • Violations of the Data Classification Policy may result in loss of access or disciplinary action.
Contact Us
Assessment & Planning
Shaughnessy Administration Building
Suite A-352
ir@worcester.edu
508-929-8119
WSU Logo in white text against a transparent background
WSU Logo in white text against a transparent background
Quicklinks
  • Academics
  • Admissions & Aid
  • Campus Life
  • Community Impact
  • Alumni & Giving
  • Governance
  • En español: Admisiones y Ayuda
Helpful Links
  • Online Bookstore
  • Careers
  • Directions
  • University Police
  • Administrative Offices
  • Campus Map
  • Transcript Requests
  • Title IX
  • Student Accessibility Services
Connect with us on Social Media
Facebook
Instagram
YouTube
TikTok
CONTACT US
Copyright © 2026 Worcester State University
  • Student Consumer Information
  • Campus Accessibility
  • Privacy Policy
  • Public Records Requests