Data Storage Standard – what it is and why you need to care

Before your eyes glaze over, answer these simple questions:

  • Where do you store your University data?
  • Does it contain personal or highly sensitive information?
  • Do you use a cloud-based storage service like Dropbox or Google Drive?
  • What types of documents do you share with people outside of the University, or in another country?

As technology continues to evolve and our dependency on information sharing increases, it is becoming increasingly critical to ensure that academic and administrative staff classify, store and share their data appropriately.

The border between work life and personal life is becoming blurred.”

“People are demanding 24/7 access to their information—both personal and professional,” says Kevin Vadnais, Information Security Manager in IT Services. “Consequently, they have turned to cloud-based services which can provide constant availability to all of their information. The border between work life and personal life is becoming blurred. Perceived security and acceptable use of cloud-based solutions is often flawed and the University is taking steps to bridge that knowledge gap so that users are aware of the risks and benefits.

“There is also a difference between personal storage and work-related storage. Some personal storage solutions are free to a pre-set limit, and users pay over and above that, as is the case with Dropbox and Google Drive. Users are asked to either accept the end-user license agreement, or not use it. Most people do not take the time to read them and just accept the terms. Work-related, or enterprise, storage solutions are better protected through contracts between the enterprise or business and the cloud provider. Specific services are spelled out and privacy implications are assessed for that business or enterprise.”

To assist in educating the University community, IT Services has created and authorized a Data Storage Standard which is available on the University Policy website. This standard provides four points of guidance and expectations regarding the secure management of information with which individuals, departments and faculties have been entrusted.

We want people to balance the convenience of a cloud storage vendor with the risks of potential data loss, and to make the appropriate decision.”

“We want people to balance the convenience of a cloud storage vendor, such as Dropbox, with the risks of potential data loss, and to make the appropriate decision,” Vadnais adds.

Below are the highlights of the Standards. Faculty and staff are encouraged to not only review the document, but to download it or bookmark the page so that it is a constant reminder of their responsibilities.

  1. On-campus storage should be utilized for information that has specific requirements or constraints specifying it cannot be stored on systems outside of Canada, e.g. research funding requirements which mandate where resulting data is stored. These solutions typically include network shares (research drives, department shares, etc.), and P Drives.
  2. Cloud storage, commonly provided by third-party vendors such as Dropbox, Microsoft OneDrive’s personal and enterprise solutions, and Google Drive, etc., host users’ data in a robust data centre environment which is not located on campus. This environment typically resides in one or more geographic locations outside of Canada and, as such, subjects that data to the legal jurisdiction of the hosting country. Depending on the sensitivity of data being stored, additional security measures, such as encryption, may be required. (Selection of a third-party encryption tool is underway to support secure usage of cloud storage.)
  3. IT Services is currently developing online training on data storage and selecting the appropriate storage location for your data based on sensitivity. Staff and faculty will be asked to complete the training every two years, and again when significant changes are made to the data storage standard. This will ensure their knowledge is up to date on the latest technologies, threats, privacy implications, and best practices for data management. Training is not expected to take longer than 10-15 minutes.
  4. The use of email as a data management tool is a common practice at the University but is an unsustainable and risky strategy. Lost devices, compromised passwords, and human error (accidently sending the wrong information) can all lead to inadvertent data loss and possibly privacy breaches. While email is generally secure it is not appropriate for sending all types of data. Faculty and staff should become familiar with the data storage standard and use the appropriate storage and sharing technologies based on the data they are working with. The University is also exploring the use of email encryption services if sensitive information must be shared via email.

In addition to these four points, IT Services has implemented a data classification strategy to assist University users to determine the level of rigour that should be applied to specific pieces of information. These definitions classify the four types of data as follows:

  1. No/Low Risk – Category 1
    Information that is publicly available and poses little to no risk of negative consequences should it be seen outside the University:

  2. Medium Risk – Category 2
    Information typically used and shared in daily operational activities by University staff and faculty. This is not data we would normally publish outside of the businesses, but is not considered sensitive:

    • Meeting Minutes
    • Student coursework submitted to instructors
    • Preliminary research reports/results
    • Operational budget items (travel costs, office supplies, etc.)
  3. High Risk – Category 3
    Information that, if compromised, would be harmful to the University’s reputation or to an individual:

    • Employee/Student records
    • Payroll/Budget reports
    • Personally Identifiable Information (SIN’s, tax information, FOIP-related data)
    • Contracts and Terms
    • Passwords/Authentication information
  4. Critical Risk – Category 4
    Information in this category would cause significant damage to the institution if disclosed. Any data classified as a Category 4 should be given special attention as to its storage location, storage method and distribution channels:

    • Legal Proceedings/Appeals
    • Medical/Health information
    • Criminal Investigation results


U of L art collection data – gathered and accessible

When the University Art Gallery decided it needed a way to better manage its art collection data, it took advantage of a Canadian Heritage grant and consulted IT Services to assist with the implementation of The Museum System (TMS).

“TMS is a robust software product that is used by museums and galleries around the world to manage their cultural and scientific collections,” says Wim Chalmet, ITS Applications Support Analyst. “The grant covered the cost of the software, but the Gallery sought an in-kind donation of resources from us to implement the system.”data collection

IT Services looked at different available software packages, vetted the business requirements against the specifications, and validated that TMS would be a good choice.

Once the decision was made, IT assisted with how it would be implemented by setting up the infrastructure, network and services to ensure the environment would be appropriate. Then came the conversion.

“The implementation process involved converting data from the entire collection of approximately 17,000 pieces, which proved to be challenging,” says Chalmet. The data was in a variety of locations and programs, and it all needed to be amalgamated and put into one source. Much of the process to convert all the data was automated with the direction of the TMS vendor, and Gallery staff were heavily involved in fine tuning it.

“TMS staff have tons of experience helping clients convert data from a cat’s breakfast of sources, but at the U of L Gallery we were doing this for the first time,” says Gallery Manager Jon Oxley. “Data came from Banner, from our in-house Filemaker files from years back, and from a variety of image folders. TMS created the data-mapping template for us to review prior to the conversion. U of L Collection Registrar Juliet Graham had to carefully review over 100 source columns and target fields. Getting any one of them wrong would create considerable grief in the near future.”

The success of the project can be attributed to keeping Gallery staff fully involved with issues and concerns as they arose, says Chalmet. “It was really a collaborative effort between ITS, the vendor and the Gallery.”

Oxley agrees: “Before the pixels were drying on the contract last fall, Wim brought the Gallery staff together to explain how the project would proceed technically. Up until then we were completely absorbed with design and financial issues. There was a fair bit of educating Gallery staff, on Wim’s part, on the architecture of secure data in a public access world,” says Oxley. “The TMS technical staff were great, and extremely patient with the Gallery, but Wim always followed up conference call meetings to clear up the many things we were fuzzy on.”

The Gallery’s main impetus in using TMS was the quality of its eMuseum web portal into the Collection.emuseum

“While TMS is the application, eMuseum is the web front, or online presence of our art collection,” says Chalmet. “Anyone can go to the site and search the collection for pieces they may want to borrow for their own exhibitions, or cite in research. The public can view most pieces in the collection, subject to the artist’s copyrights, and any information the Gallery has about the pieces.”

Oxley says Gallery staff have been using the TMS database in-house for two months already, and are adding research data and images that have been accumulating in files over the years. “We use the database on a daily basis,” said Oxley. “It has already helped develop several coming exhibitions – it allows for incredibly quick theme searches, assists with planning for the resource power to move art, creates text copy and allows quick communication about artworks between Gallery staff.”

Over the summer, staff will be formatting the public collection database to gear it for the many students, faculty and curators – both on campus and around the globe – who will be using it for art and exhibition research.

Although the graphic design work has not yet been completed, the nuts and bolts of the U of L Art Gallery’s collection can be viewed at:

Portal & BI Initiative Update

The Luminis Portal work is proceeding as scheduled, with a minor delay in setting up a test environment due to Hurricane Sandy preventing Ellucian consultants from conducting their sessions.  The Advizor analytics installation and training is also proceeding as scheduled in Advancement, and early feedback is quite positive in terms of allowing staff to visualize their data in ways not previously possible.  The Operational Data Store and Enterprise Data Warehouse (ODS/EDW) planning details are still being worked through, but the project team is targeting January 2013 to begin this phase of the project once Ellucian resources are confirmed.