Purpose
Scope

Institutional Data Classification Levels
Classification of Institutional Data
Rubrics for Classification
Predefined Types of Restricted Data
Related state or federal privacy regulations
Related Policies and Guidelines
Data Handling Recommendations

Purpose

The purpose of this policy is to define a framework for classifying and handling Institutional Data based on its level of sensitivity, value and criticality to the University.
Data classification, in the context of information security, is the classification of data based on its impact to the University should that data be disclosed, altered or destroyed without authorization. Classification of data helps determine what baseline security controls are appropriate for safeguarding that data.

Scope

This Policy applies to all employees and third-party Agents of the University as well as any other University affiliates who access, process, or store Institutional Data.

Institutional Data Classification

Levels

Institutional Data is any data related to the business of the University including, but not limited to, financial, personnel, student, alumni, communication, and physical resources. It includes data maintained at the department level as well as centrally, regardless of the media or system on which they reside. In the case of data in digital format, Institutional Data includes records that are stored in on-premise University data systems as well as systems provided by means of Internet-hosted service providers (i.e., "Cloud" hosted systems or applications). All institutional data must be maintained on University-approved systems (storage of Institutional data in any personal accounts, such as personal Dropbox accounts or personal Google accounts, among others, is prohibited).
All Institutional Data is classified into one of three classifications: Restricted, Private, or Public.

A.  Restricted Data

Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University or its affiliates.  Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements.  The highest level of security controls should be applied to Restricted data.
Confidential Data / Sensitive Data are generalized terms that typically represent data classified as Restricted, according to the data classification scheme defined in this Guideline.  These terms are often used interchangeably.

B.  Private Data

Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the University or its affiliates.  By default, all Institutional Data that is not explicitly classified as Restricted or Public data should be treated as Private data.  A reasonable level of security controls should be applied to Private data.

C.  Public Data

Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would results in little or no risk to the University and its affiliates.  Examples of Public data include press releases, course information and research publications.  While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.
Non-public Information is defined as any information that is classified as Private or Restricted Information according to the data classification scheme defined in this Guideline.

Data Collections

Data Stewards may wish to assign a single classification to a collection of data that is common in purpose or function. When classifying a collection of data, the most restrictive classification of any of the individual data elements should be used. For example, if a data collection consists of a student's name, address and social security number, the data collection should be classified as Restricted even though the student's name and address may be considered Public information. Authorization for access to a data collection is governed by its most restrictive data field. When retrieval of restricted data is required by a third party, it will authorized only by order of the General Counsel.

Classification of Institutional Data

Classification Process (major examples – not an exhaustive list)

Classification of Institutional Data is performed by an appropriate University Data Steward in cooperation with Information Services and related Data Governors.
A Data Governor is the relevant office that is responsible for the accuracy, integrity, and timeliness of certain data, and that has authority to grant or deny permission to access to that data.
A Data Steward is an employee of the University assigned by the relevant Data Governor to oversee the lifecycle of one or more sets of Institutional Data.
On a regular basis, the Data Steward will evaluate the classification of Institutional Data to ensure the assigned classification is appropriate based on changes to legal and contractual obligations or changes in the use of the data or its value to the University. Conducting an evaluation on at least an annual basis is encouraged.
If a Data Steward determines that the classification of a certain data set has changed, an analysis of security controls should be performed to determine whether existing controls are consistent with the new classification. If gaps are found in existing security controls, they should be corrected in a timely manner, commensurate with the level of risk presented by the gaps.
In general, University information is managed according to protocols defined by the following offices: