Complete the Data Inventory Sheet


Identify your systems of record

A system of record is the source of truth for information about a person, regardless of whether the system of record is managed by DIT, another division, a college, or a department. For the purposes of this effort, filing cabinets or other forms of physical media should not be included. Similarly, this exercise applies only to systems with information about people (including de-identified information). It does not apply to information about business operations, star charts, etc. Devices that serve a single person (employee laptops or individuals' filing cabinets, for example) are out of scope for this exercise. Only systems that serve a department (or more) are required to be listed here. Collect information about the systems within your responsibility, including each system's functions, purpose, and usage.

Identify the people responsible for your systems

Each system should have 1 primary contact. This contact should be the person who knows the most about the system, how it is used, and the data inside it. This person is not necessarily an IT person. While there should be 1 primary contact, gathering the data for this sheet may require communication and collaboration with other individuals or units.

System Details

Explain the primary purpose of each system. While the items in the dropdown list represent common uses of a system, they are not an exclusive list. If your system's use isn't on the list, it is perfectly acceptable to select OTHER. Just be prepared to explain what that means.

Scope of Use

Determine whether your system serves your own department, college, division, or the entire institution.

Expected Expense

Estimate, qualitatively, the level of expense that would be required if the system needed to be changed to implement privacy updates, security updates, or both. Do not consider financial expenses alone; also include personnel hours and change management efforts.

Vendor Information

If the system is vendor-provided, collect details about the vendor, including their name and the product's name.

Hosting Details

Determine whether your system is hosted on-premises or in the cloud. Some UMD systems may be hosted in the cloud, even though they are managed by UMD. If you are unsure, you can select Unsure.

Data Types

Identify the types of data stored in each system. Data types need to be gathered, but individual data elements are too granular. For example, contact information is required, but phone number is too much detail. A given system may have more than one type of data. If this is the case, be prepared to use the Additional Data Types sheet to provide additional details. If you are unsure whether a particular data element might be included in a particular Data Type, check the Data Types w/examples sheet for ideas. 

Data Collection Purpose

Define the primary purpose for collecting and using data in each system. This should generally match the system's purpose, but may not necessarily be the same. For example, ELMS is used to deliver course content, but the purpose of collecting data in ELMS could be described as student success initiatives.

Risk Classification

Review UMD's data classification chart (IT-2) and determine whether the data in the system is Low, Moderate, High, or Restricted.

Backups

Determine whether your data is backed up. If you are not sure, select Unsure.

Data Retention

Verify whether a data retention schedule is known for each system.

If you have specific questions about what each column in the inventory means, or what you might be expected to fill in, check the Column Definitions sheet. Commonly asked questions can be found in the FAQs article, but any additional questions may be sent to privacy@umd.edu.

Data Inventory Template

Click for access to the Data Inventory Template.
