Data Classification Policy
Policy number | 12-21 |
Responsible office | Institutional Research |
Enforcement official |
Enforcement official
Director of Data Management
|
Classification | Board of Trustees Policy |
Category | Information Technology and Data Security |
Statement of policy
The Data Classification Policy provides a framework for classifying institutional data based on its level of sensitivity, value, and importance to the University consistent with the University’s Information Security Policies. Classification of data will help determine baseline security controls for the protected data and will guide decisions such as access, use, disclosure, modification, removal, and destruction of data.
Summary of contents/major changes
Revise and replace prior version of the Data Classification Policy. The previous versions of the Data Classification Policy categorized data into three categories: confidential, internal, and public. The current version has a more granular classification and has four categories: restricted, confidential, internal, and public.
1. Purpose of Policy
This Policy serves as a foundation for the University’s data security practices and is consistent with the University’s data and records management standards. The University recognizes that the value of its data and data resources lies in their appropriate and widespread use. It is not the purpose of this Policy to create unnecessary restrictions to data access or to impede individuals’ use of the data in support of University business or academic pursuits. This Policy also serves to assure faculty, staff, and students that the privacy and confidentiality of their personal data will be maintained according to University policy and all state and federal laws and regulations.
2. Stakeholders Most Impacted by the Policy
The policy applies to all faculty, staff, third-party agents of the University, and any other University affiliates who are authorized to access institutional data.
3. Key Definitions
3.1 Restricted Data: Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need to know.
3.2 Confidential Data: Data intended for internal University business use only, with access restricted to those with a legitimate need; those with a legitimate need could constitute a large group (e.g. all student advisors or all faculty).
3.3 Internal Data: Internal data is information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use.
3.4 Public Data: Data explicitly or implicitly approved for distribution to the public without restriction.
3.5 Executive sponsors: senior University officials who have planning and policy responsibility and accountability for major administrative data systems (e.g. student, human resources, financial, research, etc.) within their functional areas.
3.6 Data stewards: individuals appointed by the Executive Sponsors to implement established data policies and general administrative data security policies for their functional areas.
3.7 Data administrators: University employees who most often report to Data Stewards and whose duties provide them with an intricate understanding of the data in their area.
3.8 Director of data management: individual responsible for facilitating the coordination of data and systems governance to optimize data integration.
4. Full Policy Details
4.1 Scope
The Policy applies to all University data, regardless of the format or medium on which the data resides, including but not limited to: electronic, paper, or any other physical form. Examples of data protection measures may include storing data in secured areas, not placing sensitive data on public Web sites, proper disposal of data, strong passwords on computing devices, and utilizing adequate access control procedures.
Measures for data security are set by those who hold the roles listed above, by utilizing a combination of acceptable technology protocols and standards. Examples may include data encryption, data access controls, data retention and disposal procedures, data storage management, and end user training and awareness programs.
This Policy applies to all centrally managed, enterprise-level (University), administrative data and to all user-developed data stores and systems that may access University data regardless of the environment where the data reside, including but not limited to: midrange systems; servers; contracted cloud services; desktop computers; laptop computers; USB keys; flash drives; and any other mobile computing device. The policy applies regardless of the media on which data reside, including but not limited to: electronic, microfiche, printouts, and CD, as well as the form the data may take, including but not limited to: text, graphics, video, and voice.
This Policy does not apply to protected health information as defined by the Health Insurance Portability and Accountability Act (HIPAA). Such information shall be handled in accordance with the HIPAA Policies and Procedures adopted by the entity covered by HIPAA. Questions or concerns about HIPAA protections should be directed to the University HIPAA Privacy and Contact Officer currently located in the Office of the General Counsel.
4.2 Classification
Data must be maintained in a secure, accurate, and reliable manner and be readily available for authorized use. Data security measures will be implemented commensurate with the value, sensitivity, and risk involved.
To implement security at the appropriate level, to establish guidelines for legal/regulatory compliance, and to reduce or eliminate conflicting standards and controls, data will be classified into one of the following categories:
4.2.1 Restricted: Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need to know. Explicit authorization by the data steward is required for access because of legal, contractual, privacy, or other constraints. Unauthorized use or disclosure could have a catastrophicadverse impact on the University’s mission, operations, or reputation and/or result in identity theft.
Examples include:
- Social Security Numbers
- Credit card and financial account numbers
- Driver’s license numbers
- Student loan data
- Personnel records, including performance reviews, discipline records, and appointment letters
4.2.2 Confidential: Data intended for internal University business use only, with access restricted to those with a legitimate need, even though those with a legitimate need could constitute a large group (e.g. all student advisors or all faculty). Supervisors must approve access, and security officers must grant access. Unauthorized use or disclosure could have a serious adverse impact on the University, affiliates, or individuals.
Examples include:
- Student education records
- Student directory information for those who have elected privacy
- Student demographic information
- Student ID numbers
- Employee ID numbers
4.2.3 Internal: Internal data is information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be any law or other regulation requiring this protection. Internal data is information that is restricted to personnel who have a legitimate need for access, though those with a legitimate need could constitute a large group (e.g. all Academic Affairs faculty and staff). Unauthorized use or disclosure could have a limited adverse impact on the University, affiliates, or individuals.
Examples include:
- Planning documents
- Business partner information where no more restrictive confidentiality agreement exists
- Technical documents relating to information systems or processes
4.2.4 Public: Data explicitly or implicitly approved for distribution to the public without restriction. Disclosure of public data will likely have little or no adverse impact on the University, affiliates, or individuals.
Examples include:
- Student directory information for students who have not elected privacy
- Course descriptions
- Course schedules
- Commonly reported statistics (e.g. those found on the Institutional Research public web site)
4.3 Responsibilities
The following roles and responsibilities are established for carrying out this data policy:
4.3.1 Executive sponsors – By understanding the planning needs of the institution, they are able to anticipate how data will be used to meet institutional needs. Executive sponsors meet as part of the Information Technology Executive Advisory Board to approve policy or administrative decisions that promote data quality, security, integration, and alignment.
4.3.2 Data stewards – Data stewards are responsible for safeguarding the data from unauthorized access and abuse through established security and authorization procedures and educational programs. They authorize the use of data within their functional areas and monitor this use to verify appropriate data access. They support access by providing appropriate documentation and training to support University data users.
4.3.3 Data administrators – Data Administrators work with the Data Stewards to establish procedures for the responsible management of data, including data entry, auditing and reporting. Some Data Administrators may work in a technology unit outside of the functional unit, but have responsibilities such as security and access as decided by the stewards. Data Administrators may also be responsible for implementing backup and retention plans or ensuring proper performance of database software and hardware.
4.3.4 Director of data management - The Director coordinates and promotes data policies and procedures in the primary enterprise data systems — student, human resources, finance, research, etc. — ensuring representation of the interests of data stewards, managers, and key users. This individual is also responsible for promoting a University culture that supports data governance in all areas, including critical peripheral databases that exist beyond the primary systems. The Director works with the campus community to define a campus-wide structure of data stewardship by making the roles and responsibilities associated with data management and compliance monitoring explicit. The Director of Data Management provides input to the Information Technology Executive Advisory Board. The Executive Sponsors appoint the Director of Data Management.
5. Accountability
Any person found to be in violation of this policy will be subject to appropriate disciplinary action as defined by current University policy or contract.
6. Related Procedures and Guidelines
The WMU Sensitive Data Guide shows the various WMU supported data storage or application solutions that could be used to store data elements as outlined in this policy.
7. Additional Information
The table below shows some common data elements and their classifications as they relate to this policy. This table is for illustration purposes only and is not intended to be a comprehensive list.
Data Element (s) | Justification, Policy, and/or Regulation | Data Classification |
Social Security Number | Michigan Social Security Number Privacy Act | Restricted |
Driver’s License Number | Restricted | |
Passport Number | Restricted | |
FAFSA Data | Higher Education Act/NASFAA Ethical Principles | Restricted |
Credit/Debit Card Numbers | Gramm-Leach Bliley Act | Restricted |
Bank Account Information | Gramm-Leach Bliley Act | Restricted |
Student Loan Application Data | Gramm-Leach Bliley Act | Restricted |
Financial Account Data Associated with Student Loans | Gramm-Leach Bliley Act | Restricted |
Personnel Records | Bullard-Plawecki | Restricted |
Student ID Photos | Restricted | |
Student Disability | FERPA | Restricted |
Student Education Record | FERPA | Confidential |
Student Directory Information (for those who have elected privacy) | FERPA | Confidential |
Student Demographic Data | FERPA | Confidential |
Student ID Numbers | FERPA | Confidential |
Student Birth Dates | FERPA | Confidential |
Admission Status | NACAC Statement of Principles of Good Practice (SPGP) | Confidential |
Scholarships Awarded to High School Students | NACAC Statement of Principles of Good Practice (SPGP) | Restricted |
Library Patron Records and Transactions | Michigan Library Privacy Act, 1982 | Confidential |
Employee ID Numbers | Confidential | |
Gift history, prospective donor information, and alumni education information | Confidential | |
Student Conduct Data | FERPA | Confidential |
Alumni Contact Information | Internal | |
Student Directory Information (for those who have not elected privacy) | FERPA | Public |
8. Resources
Effective date of current version | July 18, 2018 |
Revision history |
Friday, August 1, 2008 - 12:00pm
Revised by: WMU LAN Managers Group
Friday, August 1, 2008 - 12:00pm
Revised by: Office of Information Technology leadership team
Monday, September 1, 2008 - 12:00am
Revised by: Campus Information Security Committee
Thursday, January 1, 2009 - 12:00pm
Revised by: Campus Information Security Committee
Thursday, January 1, 2009 - 12:00pm
Approved by: Campus Information Security Committee
Tuesday, July 1, 2014 - 12:00pm
Revised by: IT Executive Advisory Board
Tuesday, November 1, 2016 - 12:00pm
Revised by: IT Executive Advisory Board
Sunday, July 8, 2018 - 12:00pm
Revised by: Data Stewards Committee
|
Proposed date of next review | August 1, 2022 |
Certified by |
Fen Yu Director, Institutional Research and Director Data Management November 6, 2019 |
At the direction of |
Jennifer P. Bott Provost, Vice President of Academic Affairs November 6, 2019 |