�鶹��Ƶ Data Classification Policy

Navigate Planning and Assessment

Introduction

�鶹��Ƶ produces, collects, and uses many different types of electronic and paper data records to fulfill its mission. Federal, state, and local law as well as various university policies mandate privacy and protection, as well as openness, of certain records.

Purpose

The purpose of data classification is to establish a framework for classifying university data records based on sensitivity, value, and criticality. Classifying university records is the initial step in determining security controls for the protection of data.

University data is defined as all data owned, collected, licensed, or otherwise in possession of �鶹��Ƶ.

Scope

This policy applies to all individuals with access or authorization to produce, collect, or use �鶹��Ƶ data. The data subjects are university records and not records created for personal use. Specifically, the guideline applies to those who are responsible for classifying and approving the use of �鶹��Ƶ data.

Data Classification

Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the university should that data be disclosed, altered, or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of the three classifications level listed below:

Public Data

Is data that is intended for public disclosure and controlled by the university.
The loss of confidentiality, integrity, or availability of the data has no adverse impact on the university.
Requires authentication to publish and modify.
Examples: News releases, university catalog, university policies, event schedules, legally mandated disclosures, university directory information.

Private Data

Is data not generally available to the public and limited to individuals with an �鶹��Ƶ computing account.
The loss of confidentiality, integrity, or availability of the data could have a mildly adverse impact on the university.
Tightly controlled user and network access based on job responsibilities.
Stored and transferred using encryption where feasible.
Likely subject to Pennsylvania’s Right-To-Know Law with review for potential disclosure.
Examples: Personnel records, Student records (non-FERPA), tactical plans, non-public reports,budget information, deliberations about business processes, non-public course data stored in Learning Management System, IT documentation, Email communications, ID numbers.

Restricted Data

Restricted Data includes confidential or sensitive information.
Is data required by law/regulation to be protected.
The loss of the confidentiality, integrity, or availability of the data could have a significant adverse impact on the university.
Highest level of controlled user and network security.
Requires approval by leadership based on review of job responsibilities along with data use and requirements.
Stored and transmitted using encryption.
Not stored on shared or general-purpose storage including email.
Not subject to Pennsylvania’s Right-to-Know Law pursuant to specific exemptions in the Law.
Examples: Family Educational Rights and Privacy Act (FERPA) protected student records, Gramm-Leach Bliley Act (GLBA) protecting financial records, and medical records (HIPPA), SSN, payment card data, banking account numbers, passwords.

Guidelines

�鶹��Ƶ employees will be informed of these data classifications in addition to FERPA and other related policies. The university will inventory and manage data use within the Restricted and Confidential or Sensitive data elements.

Lead data stewards or domain experts are leaders who oversee the lifecycle of university data and who will determine the data classifications for their respective department, area, or function. These selected and privileged individuals may also serve as “security officers” to grant access to Restricted Data. At the current juncture, the University Reporting Team and Banner Security Officers will serve as the data stewards until a formal structure is implemented.

Institutional Research is the lead in managing data classification in relation to �鶹��Ƶ requirements locally and within the Pennsylvania State System of Higher Education.

Classification should be revisited on a periodic basis or when new technologies or systems are implemented. This activity again should be led by Institutional Research and data stewards or domain experts.

Definitions and Supporting Documentation

Confidential or Sensitive Data is typically classified as Restricted data based on the classification policy.
Data Steward is a senior-level employee of the university who oversees the lifecycle of one or more sets of institutional data.
Institutional/University Data is defined as all data owned, collected, licensed, or otherwise in possession of �鶹��Ƶ.
Non-Public Information is defined as any information classified as Private or Restricted data based on the classification policy.

Resources

�鶹��Ƶ IT Policies

FERPA

Computer Account Retention Policy

Gram-Leach-Biley Act

Information Protection Policy

�鶹��Ƶ Acceptable Use Policy

Health Service Policies

Right-to-Know Policy

FAQ

What is PII?

What is a Data Breach?

What is the Breach of Personal Information Act?

For meeting security breach notification requirements, as defined by the Commonwealth of Pennsylvania is a person’s first name or first initial and last name in combination with one or more following data elements:

Social security number
State-issued driver’s license number
State-issued identification card number
Financial account number in combination with security with a security code, access code, or password
Medical and/or health insurance information
Username or email address in combination with password or security question

If my personal information is breached, will I be notified?

The Commonwealth’s breach notification law currently permits email notice if a prior business relationship exists and a valid email address for the individual requiring notification is available, electronic notice will also be allowed if the notice directs the person whose personal information has been materially compromised by a breach of the security of the system to promptly change the person’s password and security question or answer, as applicable, or to take other steps appropriate to protect the person’s online account to the extent the entity has sufficient contact information for the person.

How soon after a breach will an individual be notified?

Where can I review the Breach of Personal Information Notification Act?

Am I permitted to store private or restricted university data using Apple iCloud, Google Cloud or another provider?