Data Classification Standards

Purpose

This Standard will establish guidelines for how information will be classified, and thus how it can be used, stored, and shared. Several laws govern how the College is allowed to use certain types of information. Misuse or release of regulated or sensitive information has direct legal, financial, and reputational consequences.

Scope

This Standard applies to staff, faculty, students, and volunteers while in the service of Whitman College. It also applies to any third party vendor creating, storing, or maintaining College data through contractual agreements.

Classifying Data

Properly classifying data helps data stewards, data custodians, project teams, and others who may obtain or store data understand the security protections and authorization mechanisms appropriate for that data. These classifications consider the legal protections, contractual agreements, ethical considerations, business needs in order to reduce the possibility of harm or embarrassment to individuals or the College. Categorization encourages discussion about the data helps everyone gain an understanding of the nature of the data being used or changed.

Levels of Classification

Data is classified as one of the following:

Public (low level of risk)

Access to Public institutional data may be granted to any requester. Public data is not considered confidential. Examples of public data include published directory information and course descriptions. The integrity of public data must be protected, and the appropriate owner must authorize replication of the data. Public data cannot be released without appropriate approvals.

Sensitive (moderate level of risk)

Access to Sensitive data must be requested from, and authorized by, the Data Steward who is responsible for the data. Data may be accessed by a person as part of their job responsibilities. The integrity of this data is of primary importance, and the confidentiality of this data must also be protected. Examples of sensitive data include purchasing data, financial transactions that do not include restricted data, information covered by non-disclosure agreements, and non-public research data.
By default, all institutional data will be designated as "Sensitive". College employees will have access to the data for use in the conduct of College business.

Restricted (highest level of risk)

Access to Restricted data must be controlled from creation to destruction, and will be granted only to those persons affiliated with the College who require such access in order to perform their job, or to those individuals permitted by law. The confidentiality and integrity of this data is of primary importance. Access to restricted data must be requested from, and authorized by, the Data Steward who is responsible for the data. Restricted data includes information protected by law or regulation and/or whose improper use or disclosure could:

  • Adversely affect the ability of the college to accomplish its mission
  • Lead to the possibility of identity theft by release of personally identifiable information of college constituents
  • Put the college into a state of non-compliance with various state and federal regulations such as FERPA, HIPAA, and GLBA
  • Cause the College significant financial or reputational harm

The specification of data as restricted should include reference to the legal or externally imposed constraint that requires the restriction, the categories of users typically given access to the data, and under what conditions or restrictions access is typically given.

Example: Personally Identifiable Information
Legal Restriction: RCW 19.255.010
Typical access: Business Office, Financial Aid, Human Resources, Registrar's Office
Access Restrictions: Access is only granted to those whose jobs require it.

Examples of Restricted data:

  • Personally Identifiable Information: an individual's first name or first initial and last name in combination with any one or more of the following data elements:
    • Social security number;
    • Driver's license number or Washington identification card number; or
    • Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
  • Financial aid data
  • Foundation/Alumni donation records
  • Protected health information.

Data Handling Guidance

Public

  • If sharing is required, public data only should be made available via systems that the College has administrative control over the system
  • Systems used to share public data must be properly secured to prevent the unauthorized modification of published public data
  • No restrictions for viewing

Sensitive

  • Must be protected enough in order to prevent loss, theft, unauthorized access, and/or unauthorized disclosure
  • Stored in a closed, secure location in order to prevent disclosure when not in use, encryption when stored on portable drives that belong to the College.
  • Must not be stored on personal hard drives or devices.
  • Must not be disclosed to parties outside of the College without explicit written authorization.
  • Must not be stored on any cloud-based information systems not managed by the College.

Restricted

  • Stored only on college-owned devices -- restricted data is not permitted to be stored on any personally owned devices including mobile phones, tablets, portable drives, laptops, or home computers.
  • Protected by encryption when stored on any college owned devices or media such as mobile devices, optical or flash media, or backup tapes.
  • Protected by encryption when transmitted across public networks such as the Internet
  • Must be stored only in areas that have sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other individuals not on a need-to-know basis
  • Must not be stored on non-Whitman-managed cloud services without approval and additional protections
  • Must not be emailed without additional protections
  • Exporting from database systems or making duplicate copies of reports should be minimized. Re-running reports as necessary is preferable to saving copies for future use.


Permitted Locations

Public Sensitive Restricted
Hard Drive Yes Yes Yes, encrypted
Portable Drive Yes Yes, encrypted Yes, encrypted
Network Storage (internal) Yes Yes Yes, encrypted
Cloud Storage (external) Yes Yes, Collge-managed No
Physical/Paper Yes Yes, but must be in private, lockable offices Yes, but musts be locked in offices and destroyed properly when no longer needed

note:  systems such as Colleague are considered secure; however, if you export data and/or save reports containing Restricted data - encryption should be applied.

Roles/Definitions

Data Stewards

Data Stewards have authority and final responsibility over data. All requests to view, manipulate, share, or present data must be approved by the appropriate Data Steward.

Data Custodians

Data Custodians are responsible for maintenance of data and ensuring data integrity and consistency.

Data Users

Data Users have permission to use specific data. Data Users do not have permission to manipulate or share data unless it has been granted by a Data Steward.

Types of storage

Internal hard drive:

Any non-removable drive internal to a computer

Portable (USB) drive:

Any drive that can be removed from a computer and easily connected to another computer. USB hard drive, USB thumb drive, etc.

Internal Network Storage:

Winfiles (K:), Admfiles (S:)

External Cloud Storage:

Examples: Google Drive, Microsoft OneDrive, Dropbox, Whitmail

Physical/paper files:

Examples: papers in a file cabinet, paper sitting on a desk, etc.

<update:  January 2019>