The sheet helps us maintain a comprehensive record of systems and their data elements, ensuring proper management and protection of information. It's a crucial step in our commitment to data privacy and security. Per MD Higher Education State Law (point a), a data inventory needs to be completed.
October 1st, 2024.
The individuals responsible for the systems should complete the sheet. Usually, this includes IT system owners or designated representatives.
Use the "If other, please describe" field to provide a brief description of the system's purpose.
The MD Higher Ed Privacy Law requires that we evaluate and document the technical and financial feasibility of implementing privacy controls and services within the system. We've chosen to interpret this as the expense of privacy and security updates (as cost is what would also drive technical feasibility). Think of this in terms of how much labor and financial expense it may take to replace the system.
This evaluation does not require exact implementation plans, and it does not require precise budgeting numbers - provide your best (broad) estimate of whether updates would be cheap/easy (low/no cost), budget-busting or impossible (high cost), or somewhere in between (moderate). In performing this evaluation, you might consider:
Some types of data have been pre-entered into the sheet.
If a system contains multiple data types, mark Y for Multiple Data Types. Use the Additional Data Types sheet to provide details about each type. Make sure the Name of System matches on both sheets.
That's fine. This column is only intended to measure awareness of data retention at UMD. No is a perfectly acceptable answer.
Provide the name of the service (in Column A), and collect and provide the information related to the types of data you have and the reasons you have or use it (Columns M-U). You may ignore columns B-L.
Google Drive and Box are expected to be an entry for nearly every inventory. No endpoints should be captured here, only systems of record that are used collaboratively (multiple people for the same purpose).
Google Group/Box NPA/Shared Departmental Folders in cloud storage = (probably) system of record; individual folders do not qualify.
For every system of record within Google Drive and Box, please create an entry for every instance where the purpose is different. If you use Google Drive for 5 different objectives (all collaboratively used), there should be 5 entries, one for each of those objectives.
If you use the system yourself, document the primary purpose you use the system for, and note in column E "This system is also administered on behalf of other departments." If you do not use the system, do the same, but you may ignore Columns M-U.
A system of record is the source of truth for information about a person, regardless of whether the System of Record is managed by DIT, another division, a college, or a department.
A system of record can also be defined as the place (system) where information about a person originates (only electronic data) or where data is manipulated in a way to create or process it as something new and unique.
For example, if a college or department developed an application that tracks the progress of graduate students in their unit and creates additional information not in campuswide systems (such as advisors’ comments), that application would be a System of Record that needs to be included, because it is the only official record of those comments.
No, this inventory will include information about what is stored and where (called metadata), but not any of the actual data stored in the Systems of Record.
Click for access to the Data Inventory Template.
Review this example of a completed Data Inventory.