Data Classification Policy

SECTION I. PURPOSE

St. Thomas takes seriously its commitment to respect and protect the privacy of its students, alumni, faculty and staff, as well as to protect the confidentiality of information important to the university's mission. The purpose of this policy is to provide a structured and consistent classification framework for defining the university’s data security levels, which will establish the foundation for appropriate access control policies and procedures used across the university.

SECTION II. SCOPE AND APPLICABILITY

This policy applies to all St. Thomas employees (faculty, staff, and student workers), student clubs and organizations, contractors and volunteers. This policy is applicable to all Data, as defined in this policy.

This policy does not apply to information that is the personal property of individuals covered by the policy, such as personal notes that are unrelated to university operations.

SECTION III. DEFINITIONS

When used in this policy, the following terms have the following meanings:

  • Data is all information generated or owned by the university (including, but not limited to, information generated or developed by the university’s employees, contractors and volunteers in the course of performing their duties and responsibilities to the university, unless the university has waived its ownership rights to the Data) and information not generated or owned by the university but which the university has the duty to manage. This information can exist in any form including, but not limited to, print, electronic and digital.
  • Data Owner is the designated person at the university assigned as the owner and decision maker on the respective set of Data. The Data Owner sets the appropriate data classification and determines the impact the Data has for continuity and disaster recovery purposes.
  • Data Steward is a faculty or staff member who has been assigned as the person directly responsible for the care and management of a certain type of Data. Data Stewards are responsible for approving access to the Data they manage. For example, the Registrar is responsible for approving access to Student Data.
  • FERPA-Protected Student Data includes all components of a student’s education record protected under the Family Educational Rights and Privacy Act (FERPA). See the university’s Student Records Privacy Policy (also known as the FERPA Policy) for more information.
  • Least Privilege Required is a security concept that users should only be granted the minimum level of access required to complete their job duties.
  • Payment Card Information (PCI) is information defined by standards established by the major credit card companies that are required to be followed by all organizations accepting payment card transactions.
  • Personally Identifiable Information (PII) includes a combination of a person’s name recorded together with other personally identifiable data elements that are protected by federal or state regulations or are not so protected but could readily be used for identity theft.
  • Protected Health Information (PHI) is health-related information protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or other regulations that require extra levels of security to ensure PHI is maintained confidentially.

SECTION IV. DATA ACCESS GENERALLY

The university classifies and provides access to Data on a “need to know” basis as it relates to specific job, contractor or volunteer duties and responsibilities. Wherever practicable, the university assigns access based on Least Privilege Required such that users are only granted the permissions needed to perform their specific duties and responsibilities and no more.

SECTION V. DATA CLASSIFICATION

The university has classified its Data assets into the categories of I-Green, II-Yellow, III-Red for the purpose of determining who is allowed to access the Data and what security precautions must be taken to protect it against unauthorized access.

Data security measures must be implemented commensurate with the sensitivity of the Data and the risk to the university if the Data is compromised. It is the responsibility of the applicable Data Owner to evaluate and classify Data according to the classification system adopted by the university and described below. If Data of more than one level of sensitivity exists in the same system where Data is stored, such Data shall be classified at the highest level of sensitivity.

The university has adopted the following three security classifications of Data:

Category III - Red

Data to be protected with the highest levels of security as defined and/or required by contractual terms or applicable laws and regulations.

Data the disclosure of which would likely result in material risk of harm to individuals or the university.

Access to Category III - Red Data will be subject to the highest level of security controls as defined in the appendices to this policy.

Examples include, but are not limited to:

  • Payment Card Information (PCI)
    • Credit or debit card number.
    • Credit card security code (CVV) number.
    • Card magnetic stripe data.
  • Protected Health Information (PHI)
    • Any information about an individual’s health status, the provision of health care to the individual, or payment for health care to an individual, which is created or received by the university (including by employees or units or by contractors or volunteers in the course of providing services to the university), in combination with identifying information for the individual.
  • Personally Identifiable Information (PII) protected by state or federal law against unauthorized disclosure:
    • First initial or first name and last name together with any of the following:
      • Social security number;
      • Driver’s license number or other government-issued identification card number;
      • Financial account number (including credit or debit card numbers), or any security code, access code or password that permits access to the financial account; or
      • Any unique biometric data, including fingerprint, voice print, retina or iris image, or other unique physical representation.
  • Non-public individual donor information to the extent it contains PII.
  • Individually Identifiable Human Subject Research Data as defined by the university’s Institutional Review Board and applicable law.
  • Non-public intellectual property for which patent protection will be sought, including invention disclosures, patent applications and related research data.

Category II - Yellow

Data required by law not to be disclosed without consent of the subject of the information, that is not covered under Category III - Red.

Data that is proprietary or produced only for use by members of the university community or service providers to the university who have a legitimate business purpose to access such Data.

Data of which the disclosure likely would not result in material risk of harm to the university or individuals, but could result in some risk of harm to the university or individuals, or which the university otherwise has chosen to keep confidential.

Examples include, but are not limited to:

  • FERPA-Protected Student Data not covered under Category III - Red.
  • St. Thomas employee Data not covered in Category III - Red.
  • Non-public intellectual property and research data not covered under Category III - Red.
  • St. Thomas ID numbers associated with names and other information that could identify individuals (but without other PII).
  • Non-public individual donor information (to the extent it is not covered under Category III – Red).
  • Internal operating procedures and manuals.
  • Internal memoranda, emails related to university work or operations that do not fall into another category, reports and other documents not containing sensitive or highly sensitive data.
  • Technical documents such as system configurations and floor plans.

Category I - Green

Publicly available information that is unrelated to the university.

Data that an authorized university representative approves to be publicly disclosed.

Data that is contractually or otherwise required to be made available to the general public with no restrictions on its access or use.

Examples include, but are not limited to:

  • General information and marketing materials about the university such as press releases, campus maps, athletic results, information about academic program offerings.
  • St. Thomas e-mail addresses.
  • University reports filed with federal or state governments and generally available to the public.
  • Copyrighted materials that are publicly available.
  • Student information covered as “Directory information” under FERPA if not restricted by individual student action.
  • Published research.

SECTION VI. SECURITY CONTROLS AND APPROPRIATE SYSTEM USE

The appendices for this policy will include the required security controls and allowed university systems for each Data security classification. These appendices will be updated from time to time by the policy owner to accommodate changes in technology or university processes. Significant changes to these controls will be reviewed by the University Technology Advisory Committee and its security-related subcommittee.

Information Technology Services will implement technical controls to verify and enforce that Data are being handled in accordance with this policy.

Appendix A to Data Security Classification Policy
Security Classifications for Common Data Categories

| Faculty / Staff Information | Category Level |
|---|---|
| St. Thomas Email Address | Category I - Green |
| St. Thomas Work Address | Category I - Green |
| St. Thomas Phone Number | Category I - Green |
| Performance Review Information | Category II - Yellow |
| Salary Information | Category II - Yellow |
| St. Thomas ID Number (without other information) | Category II - Yellow |
| Individual Benefits Elections (other than Social Security Numbers) | Category II - Yellow |
| St. Thomas Account Password | Category III - Red |
| Social Security Number | Category III - Red |

| Student Information | Category |
|---|---|
| St. Thomas ID Number (without other information) | Category II - Yellow |
| Education Records (excluding Directory Information) | Category II - Yellow |
| St. Thomas Account Password | Category III - Red |
| Social Security Number | Category III - Red |

| Research Information | Category |
|---|---|
| Sponsored Research and Related Intellectual Property and Research Data subject to contracts with confidentiality obligations | Category III - Red |
| Published Research Data | Category I - Green |
| Unpublished Research Data not subject to contract | Category II - Yellow |
| Non-Public Intellectual Property for which patent protection will be sought | Category III - Red |
| Individually Identifiable Human Subject Research Data | Category III - Red |

| General Business Information | Category |
|---|---|
| Annual Reports | Category I - Green |
| Organization Charts | Category I - Green |
| Public Websites | Category I - Green |
| Public Relations and Marketing Brochures and Materials | Category I - Green |
| Internal Intranet Websites | Category II - Yellow |
| Work-Related Email | Category II - Yellow |
| University Financial Account Numbers (Org and Index Codes) | Category II - Yellow |
| Travel Reimbursement Forms | Category II - Yellow |
| Bank Account Numbers / Direct Deposit Account Numbers | Category III - Red |
| Payment/Credit Card Numbers | Category III - Red |

| Library Records | Category |
|---|---|
| Library Catalog Information | Category I - Green |
| Library Databases | Category II - Yellow |
| Active Interlibrary Loan Records | Category II - Yellow |
| Active Circulation Records | Category II - Yellow |

 Data Classification Policy Appendix B - PDF Version 

 

Data Classification Policy Appendix B - Controls - PDF Version
