Table of Contents
- Why do we need to fill out the Data Inventory Google sheet?
- When does the data inventory need to be completed?
- What is not in-scope?
- What is in scope?
- Who should fill out the Data Inventory Google sheet?
- What if the primary purpose of a system doesn't fit the provided options?
- How do I estimate expected expenses for privacy and security updates?
- What types of data should I include in the Type of Data in System section?
- How do I handle systems with multiple data types?
- What if I don't know the data retention schedule for a system?
- What if I use a central system (Google Drive or Box for example)?
- What if I operate a system that others use?
- What is a System of Record?
- The data I manage is sensitive, are you asking us to put our data in this Google sheet?
- Data Inventory Template
Why do we need to fill out the Data Inventory Google sheet?
The sheet helps us maintain a comprehensive record of systems and their data elements, ensuring proper management and protection of information. It's a crucial step in our commitment to data privacy and security. Per MD Higher Education State Law (point a), a data inventory needs to be completed.
When does the data inventory need to be completed?
October 1st, 2024.
What is not in-scope?
- Human-subjects research (covered by the IRB)
- Public data (websites for example)
- Login data
- Systems of record that are endpoints/only used by one person
- De-identified data
- Physical data
What is in scope?
- People data that is stored, collected, or managed electronically
- Systems that are used by a department/unit to process data on a procedural basis (recurring, not a one-off scenario)
Who should fill out the Data Inventory Google sheet?
The individuals responsible for the systems should complete the sheet. This usually includes IT system owners or designated representatives.
What if the primary purpose of a system doesn't fit the provided options?
Use the "If other, please describe" field to provide a brief description of the system's purpose.
How do I estimate expected expenses for privacy and security updates?
The MD Higher Ed Privacy Law requires that we evaluate and document the technical and financial feasibility of implementing privacy controls and services within the system. We've chosen to interpret this as the expense of privacy and security updates (as cost is what would also drive technical feasibility). Think of this in terms of how much labor and financial expense it may take to replace the system.
This evaluation does not require exact implementation plans, and it does not require precise budgeting numbers - provide your best (broad) estimate of whether updates would be cheap/easy (low/no cost), budget-busting or impossible (high cost), or somewhere in between (moderate). In performing this evaluation, you might consider:
- The system's age.
- Its complexity (was it developed at UMD? Has it been customized?).
- Its expense.
- The number of people needed to support it.
- The number of people that use it.
What types of data should I include in the Type of Data in System section?
Some types of data have been pre-entered into the sheet.
- If your data fits within one of those categories, select it.
- If your data is different from what is in the drop-down on the sheet, simply select Other and describe your data type in the following column.
How do I handle systems with multiple data types?
If a system contains multiple data types, mark Y for Multiple Data Types. Use the Additional Data Types sheet to provide details about each type. Make sure the Name of System matches on both sheets.
What if I don't know the data retention schedule for a system?
That's fine. This column is only intended to measure awareness of data retention at UMD. No is a perfectly acceptable answer.
What if I use a central system (Google Drive or Box for example)?
Provide the name of the service (in Column A), and collect and provide the information related to the types of data you have and the reasons you have or use it (Columns M-U). You may ignore columns B-L.
Google Drive and Box are expected to be an entry for nearly every inventory. No endpoints should be captured here, only systems of record that are used collaboratively (multiple people for the same purpose).
Google Group/Box NPA/Shared Departmental Folders in cloud storage are (probably) systems of record; individual folders are not.
For every system of record within Google Drive and Box, please create an entry for every instance where the purpose is different. If you use Google Drive for 5 different objectives (all collaboratively used), there should be 5 entries, one for each of those objectives.
What if I operate a system that others use?
If you use the system yourself, document the primary purpose you use the system for, and note in column E "This system is also administered on behalf of other departments." If you do not use the system, do the same, but you may ignore Columns M-U.
What is a System of Record?
A system of record is the source of truth for information about a person, regardless of whether the System of Record is managed by DIT, another division, a college, or a department.
A system of record can also be defined as the place (system) where information about a person originates (only electronic data) or where data is manipulated in a way to create or process it as something new and unique.
For example, if a college or department developed an application that tracks the progress of graduate students in their unit and creates additional information not in campuswide systems (such as advisors’ comments), that application would be a System of Record that needs to be included, because it is the only official record of those comments.
The data I manage is sensitive, are you asking us to put our data in this Google sheet?
No, this inventory will include information about what is stored and where (called metadata), but not any of the actual data stored in the Systems of Record.
Data Inventory Template
Click for access to the Data Inventory Template.
Review this example of a completed Data Inventory.