Purpose
- To assign a level of sensitivity to all data managed and maintained by Saint Joseph's University (“the University”).
- To help Data Stewards determine who is permitted access to information owned by the University based on its sensitivity level.
- To help Data Stewards determine what security measures are necessary to protect University information against unauthorized access.
Policy
The Data Classification Policy (“Policy”) of Saint Joseph's University (“the University”) assigns a level of sensitivity to data as it is being created, amended, enhanced, stored, or transmitted. Based on its classification level, data must be maintained in an appropriately secure, accurate, and reliable manner and be readily available for authorized use. Data security measures must be implemented commensurate with the classification of the data, which is based on its sensitivity, and the risks associated with improper disclosure.
Capitalized terms used in this policy will have the meaning defined in the Glossary of Terms for Information Security and Related Policies.
Scope
The University-assigned Data Stewards, as defined in the Data Stewardship Policy, are responsible for evaluating and assigning an appropriate data classification to data residing in their functional areas. The Data Stewards are responsible for implementing appropriate managerial, operational, physical, and technical controls for access to, use of, transmission of, and disposal of University data. Each system containing data classified as Confidential or Sensitive must have its security architecture reviewed and approved by the Office of Information Technology (OIT).
The table below describes three classification types for institutional data: Confidential, Sensitive and Unrestricted.
| Classification Type | Electronic Form | Print Form |
|---|---|---|
| Confidential | Restricted, high-risk information about an individual or the University. Must be encrypted when in transit on the network and secured and monitored in electronic or physical data storage. Data must be protected with strong passwords. Data cannot be copied onto portable media (including laptops). Data may not be housed on any personal storage or personal third-party website or storage. Data may only be stored on authorized locations: Departmental Shares; Banner Information Systems; University Data Warehouse; Banner Document Management System; Hosted repositories in the United States of America acquired through contractually approved, third-party agreements. Must not be posted on any website or sent through email. | For disposal, documents must be shredded using cross cut shredders. Retained documents must be stored in locked cabinets. |
| Sensitive | Data must be protected with strong passwords. Data cannot be copied onto portable media (including laptops) unless encryption is provided by OIT. Data may not be housed on any personal storage or personal third-party website or storage. Data may only be stored on authorized University provided system storage: Departmental Shares; Banner Information Systems; University Data Warehouse; Banner Document Management System; Hosted repositories in the United States of America acquired through contractually approved, third-party agreements. Must not be posted on any public website or sent through email. | For disposal, documents must be shredded using cross cut shredders. Retained documents must be stored in locked cabinets. |
| Unrestricted | Information that is generally available and open to the public. This information may be posted externally with appropriate approval (unit head). May be sent through email. | For disposal, documents do not require shredding. Retained documents do not require locks. |
Refer to the Information Security Policy for additional details on access authorization.
The table below lists specific data elements for each classification type.
| Data Element | Classification | Additional notes |
|---|---|---|
| CONFIDENTIAL Category | | |
| Bank Account Number or other financial account numbers | Confidential | In combination w/personally identifiable information, access accounts or password |
| Certificate/License number | Confidential | |
| Credit Card number | Confidential | |
| Date of Birth/Age | Confidential | |
| Debit Card Number | Confidential | |
| Donor Information – Any personal information included with the donation amount | Confidential | |
| Driver's License Number | Confidential | |
| Health Information (Medical record numbers, health details, beneficiaries, other identifiers) | Confidential | |
| Health Information - Student Disability | Confidential | |
| Passport number | Confidential | |
| Passwords, passphrases, PIN numbers, security questions | Confidential | |
| Payroll information (e.g. Salary, W2, taxes, deductions, etc.) | Confidential | |
| Photographic Images – Full Face | Confidential | Student consent is included in the Student Handbook (Photo and Video Release section). Additional consent may be gathered for use by SJU. |
| Social Security Number | Confidential | |
| Social Security Number – Last four digits in combination with another confidential data element | Confidential | |
| State Identification Card Number | Confidential | |
| Student Loan Information | Confidential | |
| Student Loan Information - Account Numbers | Confidential | |
| Student Loan Information - Credit information including Credit Scores | Confidential | |
| Visa number | Confidential | |
| End of Confidential Data Type | | |
| SENSITIVE Category | | |
| Background Check Verification | Sensitive | |
| Benefits enrollment info | Sensitive | |
| Citizenship | Sensitive | |
| Class lists | Sensitive | |
| Compensation | Sensitive | |
| Country of birth or citizenship | Sensitive | |
| Dates of first and last employment at SJU | Sensitive | |
| Donor Information – Names, addresses and other personal information | Sensitive | No donation amount |
| Education and Training Background | Sensitive | |
| Emergency Contact | Sensitive | |
| Ethnicity | Sensitive | |
| Exams | Sensitive | Deferred from confidential to sensitive. |
| Faculty / Staff Email address | Sensitive | Can be placed on the external website at the approval of the Department head for departmental pages |
| Gender | Sensitive | |
| Health Information - Student Disability | Sensitive | |
| Home Mailing Address | Sensitive | |
| Home Phone | Sensitive | |
| Job action reason (e.g. terminations or leave) | Sensitive | |
| Marital Status | Sensitive | |
| Military Status | Sensitive | |
| Previous work experience | Sensitive | |
| Progress Grades, Test Scores | Sensitive | |
| Salary Grade | Sensitive | |
| Student Email Addresses | Sensitive | |
| Student Grades - Final | Sensitive | FERPA training of faculty to reinforce best practices including encryption of grades stored on desktop and laptop computers. |
| Student Judicial and/or Disciplinary records | Sensitive | Deferred from confidential to sensitive. |
| Username | Sensitive | |
| Veteran Status | Sensitive | |
| Visa status | Sensitive | |
| Work Authorization (I-9) | Sensitive | |
| End of Sensitive Data Type | | |
| UNRESTRICTED CATEGORY | | |
| Affiliation | Public | |
| Business Address | Public | |
| Business Telephone Number | Public | |
| Course Information | Public | |
| Department | Public | |
| Job Title | Public | |
| Job Description | Public | |
| Name | Public | |
| Press Releases | Public | |
| SJU Directory Information per FERPA Policy | Public | |
| End of Unrestricted Data Type | | |