Data Classification Policy

Policy number 12-21
Responsible office Institutional Research
Enforcement official
Enforcement official
Director of Data Management
Classification Board of Trustees Policy
Category Information Technology and Data Security

Statement of policy

The Data Classification Policy provides a framework for classifying institutional data based on its level of sensitivity, value, and importance to the University consistent with the University’s Information Security Policies. Classification of data will help determine baseline security controls for the protected data and will guide decisions such as access, use, disclosure, modification, removal, and destruction of data.      

Summary of contents/major changes

Revise and replace prior version of the Data Classification Policy.  The previous versions of the Data Classification Policy categorized data into three categories: confidential, internal, and public. The current version has a more granular classification and has four categories: restricted, confidential, internal, and public. 

1. Purpose of Policy

This Policy serves as a foundation for the University’s data security practices and is consistent with the University’s data and records management standards. The University recognizes that the value of its data and data resources lies in their appropriate and widespread use. It is not the purpose of this Policy to create unnecessary restrictions to data access or to impede individuals’ use of the data in support of University business or academic pursuits. This Policy also serves to assure faculty, staff, and students that the privacy and confidentiality of their personal data will be maintained according to University policy and all state and federal laws and regulations.

2. Stakeholders Most Impacted by the Policy

The policy applies to all faculty, staff, third-party agents of the University, and any other University affiliates who are authorized to access institutional data.

3. Key Definitions

3.1 Restricted Data: Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need to know.

3.2 Confidential Data: Data intended for internal University business use only, with access restricted to those with a legitimate need; those with a legitimate need could constitute a large group (e.g. all student advisors or all faculty).

3.3 Internal Data: Internal data is information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use.

3.4 Public Data: Data explicitly or implicitly approved for distribution to the public without restriction.

3.5 Executive sponsors: senior University officials who have planning and policy responsibility and accountability for major administrative data systems (e.g. student, human resources, financial, research, etc.) within their functional areas.

3.6 Data stewards: individuals appointed by the Executive Sponsors to implement established data policies and general administrative data security policies for their functional areas.

3.7 Data administrators: University employees who most often report to Data Stewards and whose duties provide them with an intricate understanding of the data in their area.

3.8 Director of data management: individual responsible for facilitating the coordination of data and systems governance to optimize data integration.

4. Full Policy Details

4.1 Scope

The Policy applies to all University data, regardless of the format or medium on which the data resides, including but not limited to: electronic, paper, or any other physical form. Examples of data protection measures may include storing data in secured areas, not placing sensitive data on public Web sites, proper disposal of data, strong passwords on computing devices, and utilizing adequate access control procedures.

Measures for data security are set by those who hold the roles listed above, by utilizing a combination of acceptable technology protocols and standards. Examples may include data encryption, data access controls, data retention and disposal procedures, data storage management, and end user training and awareness programs.

This Policy applies to all centrally managed, enterprise-level (University), administrative data and to all user-developed data stores and systems that may access University data regardless of the environment where the data reside, including but not limited to: midrange systems; servers; contracted cloud services; desktop computers; laptop computers; USB keys; flash drives; and any other mobile computing device. The policy applies regardless of the media on which data reside, including but not limited to: electronic, microfiche, printouts, and CD, as well as the form the data may take, including but not limited to: text, graphics, video, and voice.

This Policy does not apply to protected health information as defined by the Health Insurance Portability and Accountability Act (HIPAA). Such information shall be handled in accordance with the HIPAA Policies and Procedures adopted by the entity covered by HIPAA. Questions or concerns about HIPAA protections should be directed to the University HIPAA Privacy and Contact Officer currently located in the Office of the General Counsel.

4.2 Classification

Data must be maintained in a secure, accurate, and reliable manner and be readily available for authorized use. Data security measures will be implemented commensurate with the value, sensitivity, and risk involved.

To implement security at the appropriate level, to establish guidelines for legal/regulatory compliance, and to reduce or eliminate conflicting standards and controls, data will be classified into one of the following categories:

4.2.1 Restricted: Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need to know. Explicit authorization by the data steward is required for access because of legal, contractual, privacy, or other constraints. Unauthorized use or disclosure could have a catastrophicadverse impact on the University’s mission, operations, or reputation and/or result in identity theft.

Examples include:

  • Social Security Numbers
  • Credit card and financial account numbers
  • Driver’s license numbers
  • Student loan data
  • Personnel records, including performance reviews, discipline records, and appointment letters

4.2.2 Confidential: Data intended for internal University business use only, with access restricted to those with a legitimate need, even though those with a legitimate need could constitute a large group (e.g. all student advisors or all faculty).  Supervisors must approve access, and security officers must grant access.  Unauthorized use or disclosure could have a serious adverse impact on the University, affiliates, or individuals.

Examples include:

  • Student education records
  • Student directory information for those who have elected privacy
  • Student demographic information
  • Student ID numbers
  • Employee ID numbers

4.2.3 Internal: Internal data is information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be any law or other regulation requiring this protection. Internal data is information that is restricted to personnel who have a legitimate need for access, though those with a legitimate need could constitute a large group (e.g. all Academic Affairs faculty and staff). Unauthorized use or disclosure could have a limited adverse impact on the University, affiliates, or individuals.

Examples include:

  • Planning documents
  • Business partner information where no more restrictive confidentiality agreement exists
  • Technical documents relating to information systems or processes

4.2.4 Public: Data explicitly or implicitly approved for distribution to the public without restriction.  Disclosure of public data will likely have little or no adverse impact on the University, affiliates, or individuals.

Examples include:

  • Student directory information for students who have not elected privacy
  • Course descriptions
  • Course schedules
  • Commonly reported statistics (e.g. those found on the Institutional Research public web site)

4.3 Responsibilities

The following roles and responsibilities are established for carrying out this data policy:

4.3.1 Executive sponsors – By understanding the planning needs of the institution, they are able to anticipate how data will be used to meet institutional needs. Executive sponsors meet as part of the Information Technology Executive Advisory Board to approve policy or administrative decisions that promote data quality, security, integration, and alignment.

4.3.2 Data stewards – Data stewards are responsible for safeguarding the data from unauthorized access and abuse through established security and authorization procedures and educational programs. They authorize the use of data within their functional areas and monitor this use to verify appropriate data access. They support access by providing appropriate documentation and training to support University data users.

4.3.3 Data administrators – Data Administrators work with the Data Stewards to establish procedures for the responsible management of data, including data entry, auditing and reporting. Some Data Administrators may work in a technology unit outside of the functional unit, but have responsibilities such as security and access as decided by the stewards. Data Administrators may also be responsible for implementing backup and retention plans or ensuring proper performance of database software and hardware.

4.3.4 Director of data management - The Director coordinates and promotes data policies and procedures in the primary enterprise data systems — student, human resources, finance, research, etc. — ensuring representation of the interests of data stewards, managers, and key users. This individual is also responsible for promoting a University culture that supports data governance in all areas, including critical peripheral databases that exist beyond the primary systems. The Director works with the campus community to define a campus-wide structure of data stewardship by making the roles and responsibilities associated with data management and compliance monitoring explicit. The Director of Data Management provides input to the Information Technology Executive Advisory Board. The Executive Sponsors appoint the Director of Data Management.

5. Accountability

Any person found to be in violation of this policy will be subject to appropriate disciplinary action as defined by current University policy or contract.

6. Related Procedures and Guidelines

The WMU Sensitive Data Guide shows the various WMU supported data storage or application solutions that could be used to store data elements as outlined in this policy.

7. Additional Information

The table below shows some common data elements and their classifications as they relate to this policy.  This table is for illustration purposes only and is not intended to be a comprehensive list.

Data Element (s) Justification, Policy, and/or Regulation Data Classification
Social Security Number  Michigan Social Security Number Privacy Act  Restricted 
Driver’s License Number   Restricted 
Passport Number    Restricted 
FAFSA Data  Higher Education Act/NASFAA Ethical Principles Restricted 
Credit/Debit Card Numbers Gramm-Leach Bliley Act  Restricted 
Bank Account Information Gramm-Leach Bliley Act  Restricted 
Student Loan Application Data Gramm-Leach Bliley Act  Restricted 
Financial Account Data Associated with Student Loans  Gramm-Leach Bliley Act  Restricted 
Personnel Records Bullard-Plawecki Restricted 
Student ID Photos    Restricted 
Student Disability FERPA Restricted 
Student Education Record FERPA Confidential 
Student Directory Information (for those who have elected privacy) FERPA Confidential 
Student Demographic Data FERPA Confidential 
Student ID Numbers  FERPA Confidential 
Student Birth Dates FERPA Confidential 
Admission Status  NACAC Statement of Principles of Good Practice (SPGP)  Confidential 
Scholarships Awarded to High School Students  NACAC Statement of Principles of Good Practice (SPGP)  Restricted 
Library Patron Records and Transactions Michigan Library Privacy Act, 1982  Confidential 
Employee ID Numbers    Confidential  
Gift history, prospective donor information, and alumni education information   Confidential  
Student Conduct Data FERPA Confidential  
Alumni Contact Information   Internal
Student Directory Information (for those who have not elected privacy) FERPA Public 

8. Resources 

History
Effective date of current version July 18, 2018
Revision history
Friday, August 1, 2008 - 12:00pm Revised by: WMU LAN Managers Group
Friday, August 1, 2008 - 12:00pm Revised by: Office of Information Technology leadership team
Monday, September 1, 2008 - 12:00am Revised by: Campus Information Security Committee
Thursday, January 1, 2009 - 12:00pm Revised by: Campus Information Security Committee
Thursday, January 1, 2009 - 12:00pm Approved by: Campus Information Security Committee
Tuesday, July 1, 2014 - 12:00pm Revised by: IT Executive Advisory Board
Tuesday, November 1, 2016 - 12:00pm Revised by: IT Executive Advisory Board
Sunday, July 8, 2018 - 12:00pm Revised by: Data Stewards Committee
Proposed date of next review August 1, 2022
Authorization
Certified by

Fen Yu 

Director, Institutional Research and Director

Data Management 

November 6, 2019 

At the direction of

Jennifer P. Bott 

Provost, Vice President of Academic Affairs 

November 6, 2019