Scope
This policy applies to all information systems containing University information.
Purpose
Define the classifications of data and the required security controls associated with the data classification. This policy is not intended to supersede the law or specific policies hyperlinked below, and any conflicts will be controlled by the specific policies and not this one.
Data Classifications
University information will be classified as legally restricted, confidential, internal, or public, as defined below. Data should be held at the highest classification until classified otherwise. Collections of data (e.g., databases, document repositories, web servers) should be treated at the highest classification of any data contained within the collection. If you have a question on the classification of data, please contact your Chief Information Security Officer or Office of Legal Counsel.
Legally Restricted and Confidential Data or Information
What it is: Information which is necessary for people to perform their work at the University and is properly available to others at the University, but is not appropriate to be known by the general public. Access to this type of data requires authentication (i.e., a username and password).
Examples may include:
Some common documents that may contain internal information:
What it is: Information that is available to all members of the University and may be made available to the general public. The University reserves the right to control the content and format of Public data. This type of information is frequently accessible from the Internet without requiring authentication.
Examples may include:
Some common documents that may contain public information:
Definitions
University Information – Any University business or academic information created or managed by students, staff, faculty, contractors, consultants, temporary employees, guests, volunteers, and others affiliated with the University.
Breach – The unauthorized acquisition, access, use, or disclosure of sensitive information that compromises the security or privacy of such information.
Protected Health Information (PHI) – Health information (oral or recorded) that associates an individual with a health care provider, a health condition or diagnosis, a health care facility, or a health care plan. Because this information is so prevalent in the health care and research operations of the University, it is recommended that staff who work in these areas assume that most communication contains PHI. Information is considered to be de-identified under HIPAA if all of the following 18 identifiers are removed:
- Names;
- All geographic subdivisions smaller than a State, including: street address, city, county, precinct, zip codes and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of Census:
  - (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
  - (2) the initial three digits of the zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
- All elements of dates (except year) for dates directly related to an individual, including: birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
- Telephone numbers;
- Fax numbers;
- Email addresses;
- Social Security numbers;
- Medical record numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images; and
- Any other unique identifying numbers, characteristics, or codes.
In order to de-identify PHI, please follow the requirements in Policy OP30.
Employee Personally Identifiable Information (PII) – A group of personal data points. When data points are combined, personal identity theft or forgery is possible. The University safeguards PII of all University employees and defines PII as the following:
- SSN
- Bank account information
- Credit or debit card information
- Home address
- Home telephone number
- Personal email address
- Internet identification name or password
- Parent’s surname prior to marriage
- Driver’s license number or non-driver identification number
Payment Card Information – A 16-digit number on a credit or debit card, the security code, an individual’s PIN, the expiration date of the card, and individual card holder’s name. This information must comply with the Credit Card Policy.
FERPA (Federal Education Rights and Privacy Act of 1974) – Federal legislation that protects the privacy of students’ records.
FERPA Education Records – Any records that are directly related to a student and maintained by the University. For more information, see the University’s FERPA Policy.
Student Directory Information – The University considers the following to be student directory information:
- Name
- Campus address
- Email address
- Major
- University phone number
- Dates of attendance
- Participation in activities and sports
- Height and weight of athletic team members
- Degrees and awards received
- Date of birth
- Most recent institution attended
- Other similar information
It cannot include race, gender, SSN, grades, GPA, country of citizenship, or religion.
Employee Directory Information – The University considers the following to be employee directory information:
- Name
- Office address
- University email address
- University phone number
- Job title
- Department
It cannot include any data points defined in Employee PII.
Personnel Records – Any information that holds records related to employment at the University. These can include:
- Hire and appointment letters
- Salary information
- Performance reviews
- Warnings and disciplinary documents
- Attendance records
- Background investigations
- Immunizations