Location: Bowdoin / IT / Policies / Data Classification Policy

Data Classification Policy

Authority

This policy is approved by the Chief Information Officer (CIO).

Summary

All College data is classified into defined access levels. Data may not be accessed without proper authorization.

The purpose of this policy is to protect the information resources of the College from unauthorized access or damage. The requirement to safeguard information resources must be balanced with the need to support the pursuit of legitimate academic objectives. The value of data as an institutional resource increases through its widespread and appropriate use; its value diminishes through misuse, misinterpretation, or unnecessary restrictions to its access.

1. Classification of Data

All College data is classified into levels of sensitivity to provide a basis for understanding and managing college data.  Accurate classification provides the basis to apply an appropriate level of security to college data.  These classifications of data take into account the legal protections (by statute, regulation, or by the data subject’s choice), contractual agreements, ethical considerations, or strategic or proprietary worth.  Data can also be classified as a result of the application of “prudent stewardship”, where there is no reason to protect the data other than to reduce the possibility of harm or embarrassment to individuals or to the institution.

By default, all institutional data will be designated as "Sensitive".  College employees will have access to the data for use in the conduct of college business.

2. Classification Levels

The classification level assigned to data will guide data owners, data custodians, business and technical project teams, and any others who may obtain or store data, in the security protections and access authorization mechanisms appropriate for that data. Such categorization encourages the discussion and subsequent full understanding of the nature of the data being displayed or manipulated.  Data is classified as one of the following:

  • Public (low level of sensitivity)
    Access to “Public” institutional data may be granted to any requester. Public data is not considered confidential. Examples of Public data include published directory information and academic course descriptions. The integrity of Public data must be protected, and the appropriate owner must authorize replication of the data. Even when data is considered Public, it cannot be released (copied or replicated) without appropriate approvals.
  • Sensitive (moderate level of sensitivity)
    Access to “Sensitive” data must be requested from, and authorized by, the Data Owner who is responsible for the data.  Data may be accessed by persons as part of their job responsibilities. The integrity of this data is of primary importance, and the confidentiality of this data must be protected. Examples of Sensitive data include purchasing data, financial transactions that do not include restricted data, information covered by non-disclosure agreements and Library transactions.
  • Restricted (highest level of sensitivity)
    Access to “Restricted” data must be controlled from creation to destruction, and will be granted only to those persons affiliated with the College who require such access in order to perform their job, or to those individuals permitted by law. The confidentiality of data is of primary importance, although the integrity of the data must also be ensured. Access to restricted data must be requested from, and authorized by, the Data Owner who is responsible for the data. Restricted data includes information protected by law or regulation whose improper use or disclosure could:
    • Adversely affect the ability of the college to accomplish its mission
    • Lead to the possibility of identity theft by release of personally identifiable information of college constituents
    • Put the college into a state of non-compliance with various state and federal regulations such as FERPA, HIPAA, and GLBA
    • Put the college into a state of non-compliance with contractual obligations such as PCI DSS

    The specification of data as restricted should include reference to the legal or externally imposed constraint that requires the restriction, the categories of users typically given access to the data, and under what conditions or restrictions access is typically given.

    Examples of Restricted data include social security numbers, student registration, grades, financial aid data and bank account numbers.

3. Roles and Responsibilities

Chief Information Security Officer

The Chief Information Security Officer implements policies and procedures to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Family Educational Rights and Privacy Act (FERPA), and other laws and regulations governing the treatment of individually identifiable information.

Data Trustees

Data Trustees are senior college officials or their designees who have planning, policy-level and management responsibility for data within their functional areas.  Data Trustees' responsibilities include:

  • Assigning and overseeing Data Owners
  • Overseeing the establishment of data policies in their areas
  • Determining legal and regulatory requirements for data in their areas
  • Promoting appropriate use and data quality

Data Owners

Data Owners are college officials having direct operational-level responsibility for the management of one or more types of data.  Data Owners are assigned by the Data Trustee and are generally associate deans, associate vice presidents, directors or managers.  Data Owner responsibilities include:

  • The application of this and related policies to the systems, data, and other information resources under their care or control
  • Assigning data classification labels using the college's data classification methodology
  • Identifying and implementing safeguards for Restricted Data
  • Communicating and providing education on the required minimum safeguards for protected data to authorized data users and data custodians

In cases where multiple data owners collect and maintain the same restricted data elements, the data owners must work together to implement a common set of safeguards.

Data Custodians

Data Custodians are Information & Technology or computer system administrators responsible for the operation and management of the systems and servers that collect, manage, and provide access to college data.  Data Custodians must be authorized by the appropriate Data Owner or the CIO.  Data Custodian responsibilities include:

  • Maintaining physical and system security and safeguards appropriate to the classification level of the data in their custody
  • Complying with applicable college computer security standards
  • Managing Data Consumer access as authorized by appropriate Data Owners
  • Following data handling and protection policies and procedures established by Data Owners and Information Security

Data Consumers

Data Consumers are the individual college community members who have been granted access to college data in order to perform assigned duties or in fulfillment of assigned roles or functions at the college.  This access is granted solely for the conduct of college business.  Data Consumer responsibilities include:

  • Following the policies and procedures established by the appropriate Data Owner and Information Security
  • Complying with federal and state laws, regulations, and policies associated with the college data used
  • Implementing safeguards prescribed by appropriate Data Owners for Restricted Data
  • Reporting any unauthorized access or data misuse to Information Security or the appropriate Data Owner for remediation

Updated 4/6/2009.  See version 1.