Data Classification and Handling
Technology Services
Purpose
Sensitive College data should be protected from unauthorized or accidental access, use, alteration, destruction, or disclosure. Classifying the College’s data sets minimum standards to ensure security, integrity, and confidentiality.
Scope
This policy, as well as all policies referenced herein, shall apply to all members of the College community, including faculty, students, staff, alumni, volunteers, official guests, courtesy account holders, and independent contractors who use, access, or otherwise manipulate, locally or remotely, College-owned or controlled data.
Policy Statement
College data must be categorized into one of three accepted classifications. Assigning one of these classifications assumes the data was collected or created on behalf of the College for legitimate business purposes. These accepted classifications are as follows:
- Highly Confidential Information
- Confidential Information
- Public Information
The originating individual/department will assume the role of data trustee. The data trustee will be responsible for the proper categorization of the data. If more than one department is responsible for the creation or collection of the data in question, they will work cooperatively to assign a classification. If an agreement between joint data trustees is not obtained, the data in question will be considered “confidential” until such time as an agreement determines otherwise. In cases where no agreement is forthcoming, Technology Services may choose to assign a classification.
Data trustees must consider the risk of harm to the College, and the impact of that harm, should the data in their charge be lost, stolen, shared, altered, or destroyed by unauthorized parties.
Data trustees and department leaders are responsible for implementing appropriate managerial, operational, physical, and technical safeguards to ensure that College data is secured at all times, and in all forms, in accordance with College policy, federal and state regulation, and other authorizing agreements. The implementation of controls for protecting highly confidential data should be done in consultation with the College’s Information Security Program Coordinator (the CTO) or their designee.
Definitions and Examples
Data classification
College-owned or controlled data should have a risk and impact-oriented classification that highlights minimum standards to ensure security, integrity, and confidentiality. These standards should be in alignment with federal and state guidelines and best practices, while offering necessary availability for decision-making and core business functions.
Highly Confidential Information
Includes data that contains personally identifiable information (PII), or personal (non-directory) information about any individual. This classification often includes data that is regulated at the federal or state level. Other statutes (EU), regulatory bodies, and authorizing agreements may also apply, but important examples include the following:
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standards (PCI/DSS)
- General Data Protection Regulation (GDPR)
- Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)
Data Examples
- Protected health data
- Social Security numbers
- Payment card numbers
- Financial account numbers, including College and student accounts
- Driver’s license numbers
- Grievance/disciplinary records
Handling Requirements
- Use College-approved and supported systems for handling highly confidential data.
- Highly confidential data should only be shared with authorized users for legitimate business purposes.
- Highly confidential data should be encrypted during sending and when stored.
- Networks and systems that contain or handle highly confidential data should have appropriate firewalls, logging, monitoring, patching, anti-virus/malware, and physical security controls.
- Authorized handlers of highly confidential data should use College-issued computers to access, transmit, or process data. In certain circumstances, using a personal computer to connect to a College-issued computer may be sufficient.
- Highly confidential data should have a documented data retention policy.
- Risks and safeguards should be evaluated annually in coordination with the Information Security Program Coordinator.
Confidential Information
Less sensitive data that is usually withheld from public access for legal or other administrative reasons should be considered confidential. Departmental and internal handling standards should apply.
Data Examples
- Faculty and staff personnel records (benefits, salaries, performance evaluations, etc.)
- College insurance records
- Donor contact information and non-public gift giving amounts
- Fundraising data
- Non-public/internal policies
- Internal memos, emails, and non-public reports
- Budget and purchasing information
- Non-public contracts
- College and employee ID numbers
- Internal business documents
- Research/grant proposals
Handling Requirements
- Use College-approved and supported systems for handling confidential data.
- Confidential data should only be shared with authorized users for legitimate business purposes.
- Networks and systems that contain or handle confidential data should have appropriate firewalls, logging, monitoring, patching, anti-virus/malware, and physical security controls.
- Authorized handlers of confidential data should use College-issued computers to access, transmit, or process data. In certain circumstances, using a personal computer to connect to a College-issued computer may be sufficient.
Public Information
Information that is intended for public access, including unprotected websites, webpages, and freely distributed print materials.
Data Examples
- Directory data
- Public policies
- Online communications
- Catalog information
- Athletic rosters
Handling Requirements
- Use College-approved and supported systems for handling public data.
Policy Implementation Assistance
Contact the Chief Technology Officer for questions and comments on this policy.
Policy Authority
The XLT has responsibility for this policy and will obtain necessary approvals for changes.