Data Classification Policy

Purpose

  • To assign a level of sensitivity to all data managed and maintained by Saint Joseph's University (“the University”). 

  • To help Data Stewards determine who is permitted access to information owned by the University based on its sensitivity level.

  • To help Data Stewards determine what security measures are necessary to protect University information against unauthorized access.

Policy

The Data Classification Policy (“Policy”) of Saint Joseph's University (“the University”) assigns a level of sensitivity to data as it is being created, amended, enhanced, stored, or transmitted.   Based on its classification level, data must be maintained in an appropriately secure, accurate, and reliable manner and be readily available for authorized use. Data security measures must be implemented commensurate with the classification of the data, which is based on its sensitivity, and the risks associated with improper disclosure.  

Capitalized terms used in this policy will have the meaning defined in the Glossary of Terms for Information Security and Related Policies.

Scope

The University-assigned Data Stewards, as defined in the Data Stewardship Policy, are responsible for evaluating and assigning an appropriate data classification to data residing in their functional areas. The Data Stewards are responsible for implementing appropriate managerial, operational, physical, and technical controls for access to, use of, transmission of, and disposal of University data.   Each system containing data classified as Confidential or Sensitive must have its security architecture reviewed and approved by the Office of Information Technology (OIT). 

The table below describes three classification types for institutional data: Confidential, Sensitive and Unrestricted.

Classification Type: Confidential

Electronic Form:

Restricted, high-risk information about an individual or the University. Must be encrypted when in transit on the network and secured and monitored in electronic or physical data storage. Data must be protected with strong passwords. Data cannot be copied onto portable media (including laptops).

Data may not be housed on any personal storage or personal third-party website or storage. Data may only be stored on authorized locations:

  • Departmental Shares

  • Banner Information Systems

  • University Data Warehouse

  • Banner Document Management System

  • Hosted repositories in the United States of America acquired through contractually approved, third-party agreements

Must not be posted on any website or sent through email.

Print Form:

For disposal, documents must be shredded using cross-cut shredders.

Retained documents must be stored in locked cabinets.

Classification Type: Sensitive

Electronic Form:

Data must be protected with strong passwords. Data cannot be copied onto portable media (including laptops) unless encryption is provided by OIT.

Data may not be housed on any personal storage or personal third-party website or storage. Data may only be stored on authorized University-provided system storage:

  • Departmental Shares

  • Banner Information Systems

  • University Data Warehouse

  • Banner Document Management System

  • Hosted repositories in the United States of America acquired through contractually approved, third-party agreements

Must not be posted on any public website or sent through email.

Print Form:

For disposal, documents must be shredded using cross-cut shredders.

Retained documents must be stored in locked cabinets.

Classification Type: Unrestricted

Electronic Form:

Information that is generally available and open to the public. This information may be posted externally with appropriate approval (unit head). May be sent through email.

  • Departmental Shares

  • Banner

  • BDMS

  • SJU Google Documentation – can be shared with emails outside of SJU

  • SJU Gmail

Print Form:

For disposal, documents do not require shredding.

Retained documents do not require locks.

Refer to the Information Security Policy for additional details on access authorization. 

The table below lists specific data elements for each classification type.

CONFIDENTIAL Category

| Data Element | Classification | Additional notes |
| --- | --- | --- |
| Bank Account Number or other financial account numbers | Confidential | In combination with personally identifiable information, access accounts or password |
| Certificate/License number | Confidential | |
| Credit Card number | Confidential | |
| Date of Birth/Age | Confidential | |
| Debit Card Number | Confidential | |
| Donor Information – Any personal information included with the donation amount | Confidential | |
| Driver's License Number | Confidential | |
| Health Information (Medical record numbers, health details, beneficiaries, other identifiers) | Confidential | |
| Health Information - Student Disability | Confidential | |
| Passport number | Confidential | |
| Passwords, passphrases, PIN numbers, security questions | Confidential | |
| Payroll information (e.g. Salary, W2, taxes, deductions, etc.) | Confidential | |
| Photographic Images – Full Face | Confidential | Student consent is included in the Student Handbook (Photo and Video Release section). Additional consent may be gathered for use by SJU |
| Social Security Number | Confidential | |
| Social Security Number – Last four digits in combination with another confidential data element | Confidential | |
| State Identification Card Number | Confidential | |
| Student Loan Information | Confidential | |
| Student Loan Information - Account Numbers | Confidential | |
| Student Loan Information - Credit information including Credit Scores | Confidential | |
| Visa number | Confidential | |

End of Confidential Data Type

SENSITIVE Category

| Data Element | Classification | Additional notes |
| --- | --- | --- |
| Background Check Verification | Sensitive | |
| Benefits enrollment info | Sensitive | |
| Citizenship | Sensitive | |
| Class lists | Sensitive | |
| Compensation | Sensitive | |
| Country of birth or citizenship | Sensitive | |
| Dates of first and last employment at SJU | Sensitive | |
| Donor Information – Names, addresses and other personal information | Sensitive | No donation amount |
| Education and Training Background | Sensitive | |
| Emergency Contact | Sensitive | |
| Ethnicity | Sensitive | |
| Exams | Sensitive | Deferred from confidential to sensitive. |
| Faculty / Staff Email address | Sensitive | Can be placed on the external website at the approval of the Department head for departmental pages |
| Gender | Sensitive | |
| Health Information - Student Disability | Sensitive | |
| Home Mailing Address | Sensitive | |
| Home Phone | Sensitive | |
| Job action reason (e.g. terminations or leave) | Sensitive | |
| Marital Status | Sensitive | |
| Military Status | Sensitive | |
| Previous work experience | Sensitive | |
| Progress Grades, Test Scores | Sensitive | |
| Salary Grade | Sensitive | |
| Student Email Addresses | Sensitive | |
| Student Grades - Final | Sensitive | FERPA training of faculty to reinforce best practices including encryption of grades stored on desktop and laptop computers. |
| Student Judicial and/or Disciplinary records | Sensitive | Deferred from confidential to sensitive. |
| Username | Sensitive | |
| Veteran Status | Sensitive | |
| Visa status | Sensitive | |
| Work Authorization (I-9) | Sensitive | |

End of Sensitive Data Type

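UNRESTRICTED Category

| Data Element | Classification | Additional notes |
| --- | --- | --- |
| Affiliation | Public | |
| Business Address | Public | |
| Business Telephone Number | Public | |
| Course Information | Public | |
| Department | Public | |
| Job Title | Public | |
| Job Description | Public | |
| Name | Public | |
| Press Releases | Public | |
| SJU Directory Information per FERPA Policy | Public | |

End of Unrestricted Data Type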

 

 

Details

37277
Created: Mon 7/22/19 11:32 AM
Modified: Mon 7/22/19 11:43 AM