Data Classification Policy
Scope
All financial and administrative policies involving community members across campus, including volunteers are within the scope of this policy. If there is a variance between departmental expectations and the common approach described through college policy, the college will look to the campus community, including volunteers to support the spirit and the objectives of college policy. Unless specifically mentioned in a college policy, the college’s Board of Trustees are governed by their Bylaws.
Policy
The purpose of this policy is to protect the information resources of the college from unauthorized access or damage. The requirement to safeguard information resources must be balanced with the need to support the pursuit of legitimate academic and business objectives. The value of data as an institutional resource increases through its widespread and appropriate use; its value diminishes through misuse, misinterpretation, or unnecessary restrictions to its access.
College data is information generated by or for, owned by, or otherwise in the possession of Colorado College that is related to the college’s activities. College data may exist in any format (i.e. digital/electronic or paper) and includes, but is not limited to, all academic, administrative, and research data, as well as the computing infrastructure and program code that supports the business of the college.
All college data is classified into defined access levels. Data may not be accessed without proper authorization. Some data may be subject to specific protection requirements under a contract or grant, or according to a law or regulation not described here. In those circumstances, the most restrictive protection requirements should apply. If there are questions, contact the Information Security Office.
- Classification of Data
All college data is classified into levels of sensitivity to provide a basis for understanding and managing it. Accurate classification provides the basis to apply an appropriate level of security. These classifications of data take into account the legal protections (by statute, regulation, or by the data subject’s choice), contractual agreements, ethical considerations, and/or strategic or proprietary worth. Data can also be classified as a result of the application of “prudent stewardship,” where there is no reason to protect the data other than to reduce the possibility of harm or embarrassment to individuals and/or to the institution.
By default, all institutional data will be designated as "sensitive.” College employees will have access to the data for use in the conduct of college business.
- Classification Levels
The classification level assigned to data will guide data stewards, data custodians business and technical project teams, and any others who may obtain or store data in the security protections and access authorization mechanisms appropriate for that data. Such categorization encourages the discussion and subsequent full understanding of the nature of the data being displayed or manipulated. Data is classified as one of the following:
- Public (low level of sensitivity)
Access to public institutional data may be granted to any requester. Public data is not considered confidential. Examples of public data include press releases, published directory information, and academic course descriptions. The integrity of public data must be protected to prevent unauthorized modification, unintended use, or inadvertent/improper distribution, and the appropriate data manager must authorize replication of the data. Even when data is considered public, it cannot be released (copied or replicated) without appropriate approvals. - Sensitive (moderate level of sensitivity)
Access to “sensitive” data must be requested from, and authorized by, the data steward who is responsible for the data. Data may be accessed by persons as part of their job responsibilities. The integrity of this data is of primary importance, and the confidentiality of this data must be protected. Examples of sensitive data include purchasing records, financial transactions that do not include restricted data, information covered by non-disclosure agreements, and library transactions. - Restricted (highest level of sensitivity)
Access to “restricted” data must be controlled from creation to destruction and will be granted only to those persons affiliated with the college who require such access in order to perform their job or to those individuals permitted by law. The confidentiality of data is of primary importance, although the integrity of the data must also be ensured. Access to restricted data must be requested from, and authorized by, the data steward who is responsible for the data. Restricted data includes information protected by law or regulation whose improper use or disclosure could:- Adversely affect the ability of the college to accomplish its mission.
- Lead to the possibility of identity theft by release of personally identifiable information of college constituents.
- Put the college into a state of non-compliance with various state and federal regulations such as FERPA, HIPAA, and GLBA.
- Put the college into a state of non-compliance with contractual obligations such as PCI-DSS.
The specification of data as restricted should include reference to the legal or externally imposed constraint that requires the restriction, the categories of users typically given access to the data, and under what conditions or restrictions access is typically given.
Examples of restricted data include social security numbers, student registration, grades, financial aid data, and bank account numbers.
- Roles and Responsibilities
Information Security Office
The Information Security Office implements policies and procedures to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPPA), Family Education Rights and Privacy Act (FERPA), and others governing the treatment of individually identifiable information.
Data Trustees
Data trustees are cabinet members or their senior level designee who have policy-making and planning responsibilities for data. Data trustees’ responsibilities include:
- Designating data stewards and assigning data management roles for their units.
- Providing leadership in their areas for the maintenance of data integrity and data reporting processes.
- Setting priorities for external reporting for their academic or administrative units.
Data Stewards
Data stewards are administrators with direct operational responsibility for one or more types of institutional data. Individual units or departments have stewardship responsibilities for particular elements and/or aspects of the data. Data stewards are designated by the respective data trustees, and their responsibilities include, but are not limited to:
- Determining data access in the administrative unit.
- Creating and managing processes to ensure data integrity.
- Certifying data entered in the college’s storage systems.
- Certifying analysis and published reports.
- Communicating administrative unit changes to data related policies or practices to campus stakeholders.
- Approving, in collaboration with data trustees, the unit’s participation in external surveys and for overseeing the integrity of data collected, managed and reported by the unit.
- Developing and maintaining an inventory of external surveys submitted by the unit.
- Working with the Office of Institutional Planning and Effectiveness, as appropriate, to ensure that institutional data elements are properly defined and common shared data standards and structures are identified, documented, and made available to all users.
- Being familiar with and staying abreast of compliance requirements relevant to the data over which they have responsibility.
- Performing regular assessments of procedures designed to ensure data integrity and evaluate the effectiveness of the specific check points.
- Submitting an annual report to the Data Governance Council on compliance with data management policies and procedures.
- Establishing appropriate training protocols for data custodians and data users around structure, definitions, and use of institutional data and academic or administrative unit data policies.
- Coordinating, directly or through a designee, with the Administrative Systems Advisory Committee (ASAC) to ensure all third-party vendor contracts have been reviewed and meet necessary data protection and compliance requirements.
- Ensuring all data custodians and data users receive proper training in the structure, definitions, and use of institutional data, as well as relevant academic or administrative unit data policies.
- Ensuring all training for data custodians and data users is properly documented and any deficiencies are noted.
- Overseeing the establishment of data policies in their areas.
- Classifying data using the college’s data classification system.
- Identifying safeguards for restricted data.
In cases where multiple data stewards collect and maintain the same restricted data elements, the data stewards must work together to implement a common set of safeguards.
Data Custodians
Data custodians are academic or administrative unit employees responsible for data management. Data custodian responsibilities include:
- Managing activities such as the creation, storage, maintenance, cataloguing, use, integration, dissemination, and disposal of data, as well as any data administration activities assigned to them by the data stewards.
- Ensuring that procedures are in place to carry out data policies and comply with standards approved by the college.
Data Users
Data users are unit employees or community members who access college data to perform their assigned duties. Since data may cross functional lines, data used by any one data user may have different data custodians and data stewards. Data user responsibilities include:
- Complying with institutional data policies and for following established procedures.
- Reporting any unauthorized access or data misuse to the Information Security Office, the appropriate data steward, or the college’s online anonymous reporting system for remediation.
Education
Creating awareness of the importance of data classification is an important component in establishing an environment in which each individual feels responsible and empowered to act in the community’s best interests. All departments will provide opportunities for individuals to learn about their roles in creating a secure data environment.
Procedures
None
Definitions
FERPA: Family Educational Rights & Privacy Act protects the privacy of student educational records.
GLBA: Gramm-Leach Bliley Act protects non-public financial information, including student loan information.
HIPAA: Health Insurance Portability & Privacy Act protects personal health information.
PCI DSS: Payment Card Industry Data Security Standards protects credit and debit card information
PII: Personally Identifiable Information includes, but is not limited to, addresses, phone numbers, email addresses, social security numbers, financial and bank account numbers, etc.