Data Classification
Title: Data Classification Policy
Effective Date: 2010
Responsible Office: Information Technology, Provost
Last Updated: April 20, 2023
Purpose
This document defines the William & Mary data classification scheme and establishes rules and procedures for protecting sensitive and protected university data processed, received, sent or maintained by or on behalf of the university.
Scope
This policy applies to all data owned or leased by William & Mary.
Definitions
Sensitive Data
Sensitive and personally identifiable information is highly confidential or personal information protected by statutes, regulations, university policies or contractual language which, if exposed or breached, could result in legal damages, fines/penalties, identity theft and/or financial fraud.
Sensitive and personally identifiable information includes any data that can be used to distinguish or trace an individual's identity, either alone or when combined with other information. Examples include a name, home address, email address, social security number, driver's license number, bank account number, passport number, date of birth, biometrics such as fingerprints, or information that is linked or linkable to an individual such as medical, educational, financial, and employment information.
Information such as gender, race, religion, and marital status is typically not considered PII alone. However, this information should still be treated as sensitive because it could identify an individual when combined with other data.
Specific examples of sensitive and personally identifiable information include:
- Social security numbers
- Driver's license numbers
- Credit/debit card numbers
- Passport numbers
- Taxpayer identification numbers
- Federal ID numbers
- Student financial aid data
- Employee health records
- Financial data that informs the university’s end-of-year financial statements
- System account credentials
Sensitive data does not include information in the William & Mary directory or data that is made public by the university. Furthermore, the university has no obligation to protect an individual’s personal information if the personal information is provided to a third-party by another supplier without the involvement of the university.
Protected Data
Protected Data is information that is protected by statutes, regulations, university policies or contractual language but which does not carry the same level of risk as Sensitive and Personally Identifiable Information. By way of illustration only, some examples of Protected Data include:
- Student educational records protected by the Family Educational Rights and Privacy Act (FERPA). Under FERPA, education records are any documents, files, and/or other materials that contain information directly related to a student, are personally identifiable to that student, and are maintained by the university or a university agent. These records include but are not limited to grades, transcripts, class lists, student course schedules, contact and family information, student health records, student financial information (at the postsecondary level), and student discipline files. The information may be recorded in any way, including, but not limited to, handwriting, print, computer media, videotape, audiotape, film, microfilm, microfiche, and e-mail.
- FERPA designates several types of records that are exceptions to this definition, including law enforcement records and medical and treatment records.
For more detailed information contact the University Registrar at ferpa@wm.edu or visit the webpage Student Records Privacy Policy and Notification of Rights under FERPA.
- Personal information or giving history collected from a donor, alumnus, or another individual
- Employment or non-identifiable personnel data
- Banner 93 numbers
- Performance evaluations
Non-Sensitive Data
Non-Sensitive data is information that may or must be open to the general public. It is defined as information with no existing local, national or international legal restrictions on access or usage. By way of illustration only, some examples of Non-Sensitive data include:
- Publicly posted press releases
- Publicly posted schedules of classes
- Publicly posted interactive university maps, newsletters, newspapers, and magazines
- Public announcements, advertisements, directory information, and other freely available data on university websites
Policy
Data Classification
Data processed, received, sent, or maintained by the university is classified into the following three categories:
- Sensitive
- Protected
- Non-Sensitive
Collecting Sensitive Data
There are laws governing university collection of sensitive data. The legal restrictions most commonly impacting the university are summarized below. For additional information, contact the Information Security Office.
- Sensitive data may only be collected, maintained, used, or disseminated as necessary to accomplish a proper academic or business purpose of the university or as required by law.
- Units requesting or collecting sensitive data must communicate why the data is being collected, how it will be used, and, if applicable, any consequences of not providing it.
Sending or Receiving Sensitive Data in Electronic or Physical Form
The following restrictions apply both to internal data transmissions (such as sharing files with another university employee) and to transmissions to outside parties.
- Sensitive data sent or received electronically must be secured using encryption technology, a secure web transfer, or the Secure File Transfer Protocol. Other acceptable methods include transferring files between network drives on the university's internal network or using the university's secure cloud file system. The university's email system is not designed to support the transmission of sensitive data securely.
- For any other release of sensitive data by the university to a third party, the sender must ensure that the third party is aware of the confidentiality obligations applicable.
- Sensitive data sent in physical form, such as through the post office or interdepartmental mail, must be secured in a sealed envelope or similar method with a clear marking indicating confidentiality of the contents.
- Routine exchange of sensitive data with a vendor or application hosting provider requires that the vendor or hosting provider undergo a security review, including a third-party assessment of the vendor’s security controls. The sender must also ensure that there are contractual requirements describing which party is responsible for securing sensitive data in transit, how the data will be secured, and any specific confidentiality obligations.
Storing Sensitive Data
- Sensitive data should only be stored on university-administered servers or the university’s approved cloud storage systems. If sensitive data must be stored on personal or college-owned devices, including but not limited to laptops, personal computers, CDs, flash or thumb drives, cell phones, or personal computing devices (i.e. smartphones, tablets, etc.), the data must be encrypted according to the university’s Data Encryption Standard and the device must be password protected.
- Sensitive data that will be stored by a vendor or application hosting provider must be protected and secured to the same standards applied by the university. Use of third-party vendors or application hosting vendors must adhere to the policy and procedures detailed in the university’s Application Hosting Policy.
- Sensitive data saved in non-electronic form (i.e. paper or a whiteboard) must be protected from unauthorized access when left unattended and destroyed when it is no longer needed. For example, papers with sensitive data cannot be left on an unattended desk but instead must be filed in a locked cabinet or a locked office.
Sending or Receiving Protected Data in Electronic or Physical Form
The following restrictions apply both to internal data transmissions (such as sharing files with another university employee) and to transmissions to outside parties.
- Transmission of FERPA protected data using the university's electronic communications systems must be restricted to recipients with a legitimate educational interest. Emailing FERPA data to large groups of people is generally a violation of this restriction unless it is verified that each recipient has a legitimate educational interest.
- Protected data sent or received electronically can be transmitted using the university’s email system. In addition, protected data can be transmitted using secure web transfer, or the Secure File Transfer Protocol. Other acceptable methods include transferring files between network drives on the university's internal network or using the university's secure web file system.
- For any other release of protected data by the university to a third party, the sender must ensure that the third party is aware of the confidentiality obligations applicable.
- Protected data sent in physical form, such as through the post office or interdepartmental mail, must be secured in a sealed envelope or similar method.
- Faxing protected data is permitted provided that the recipient is notified in advance and is available to retrieve the fax immediately following transmission or able to secure it upon receipt (i.e., receiving a fax in an office that is only accessible by the recipient). Individuals receiving faxed documents with protected data are responsible for securing the document after receipt.
- Routine exchange of protected data with a vendor or application hosting provider requires that the vendor or hosting provider undergo a security review and that contractual requirements describe which party is responsible for securing protected data in transit, how the data will be secured, and any specific confidentiality obligations.
Storing Protected Data
- Protected data should only be stored on university-administered servers or the university’s approved cloud storage systems. If protected data must be stored on personal or college-owned devices, including but not limited to laptops, personal computers, CDs, flash or thumb drives, cell phones, or personal computing devices (i.e. smartphones, tablets, etc.), the data must be encrypted according to the university’s Data Encryption Standard and the device must be password protected.
- Protected data that will be stored by a vendor or application hosting provider must be protected and secured to the same standards applied by the university.
Destruction of Electronic Media Containing Sensitive or Protected Data
Electronic media including computers, jump or flash drives, CD/DVDs or servers on which sensitive data has been stored must be disposed of according to the university's Standard for the Disposal of Electronic Data.
Non-Compliance
An employee’s failure to comply with any of the above policy statements may result in being disciplined, in accordance with general university employment policies and procedures that apply to the respective category of employees. The university may also temporarily deny access to university information systems and may refer the case to the appropriate local, state, or federal authority for further disposition.
A student’s failure to comply with any of the above policy statements may result in disciplinary actions in accordance with the Student Handbook. Depending on the nature and severity of the violation, the university may take one or more of the disciplinary actions listed under Administration of Student Code of Conduct, Section VII. The university may also temporarily deny access to university information systems and may refer the case to the appropriate local, state, or federal authority for further disposition.