Classification Procedure

ADMINISTRATIVE PROCEDURE

Information Governance: Information Classification

Procedure Contents

  • Related Policy
  • Entities Affected
  • Procedure Context
  • Procedure
  • Forms/Instructions
  • Appendices
  • Additional Contacts
  • FAQ
  • Related Information
  • History

Effective Date:  22 October 2012

Last Updated:  14 April 2017

Responsible University Officer:  VP Technology/CIO

Procedure Owner:  J. Kelly Flanagan (responsible for developing, implementing, & managing the procedure)

Procedure Contact:  Christine Tolman (first point of contact for procedure users)

RELATED POLICY:  

Information Security and Appropriate Use Policy

ENTITIES AFFECTED BY THIS PROCEDURE: 

Any persons with responsibility for classifying, providing access to, or using university information

PROCEDURE CONTEXT:

Identification and classification of university information is essential for ensuring that the appropriate degree of protection is applied to university information.  This procedure describes how the university classifies information.


PROCEDURE:

Responsibility for Classification:

Information stewards are responsible for classifying the information in their academic or administrative units into one of the four categories defined below.   Classifications are to be determined in consultation with appropriate Information Trustees and are then used to govern access and security requirements.  In addition, information stewards are responsible for periodically evaluating the classifications assigned and for providing information concerning access or availability of information in their academic or administrative unit.

Information Classifications:

Information is classified into one of the following four categories according to its use, sensitivity, risk, and importance to the university and in compliance with university policy, state and federal regulations, and other obligations regarding privacy and confidentiality of information.

Public—information which may, or must, be available to the general public and has been formally approved for public release. (Examples:  Course catalog, directory information)

Internal—information which is generally accessible within the University to those with a legitimate university purpose as allowed by statute, regulations, other legal obligations or mandates or policy; not intended for entities or persons outside the University.  This information must be protected against unauthorized use, access, disclosure, acquisition, modification, loss, or deletion.  (Examples: Student records, Employee contact information, University policies and procedures, Organization charts)

Confidential—Information which requires special handling and controls specific to each work environment that limit access and use; may not be specifically protected by statute, regulations, or other legal mandates, but is considered by the University’s senior management to be private and confidential and as such must be protected against unauthorized use, access, disclosure, acquisition, modification, loss, or deletion.  (Examples:  Salary or performance information, Donor contact information, Contracts)

Highly Confidential—Information which requires the strictest rules of handling and usage; is protected and / or regulated by statutes, policies, or regulations; and may also include information for which an Information Trustee has exercised his or her right to restrict access.  (Examples: Social Security Number, Credit Card Number, Personal medical records)

Considerations when Classifying Information: 

Default Classification.  All information is considered non-public and classified as “Confidential” until classified otherwise.

Aggregated or Combined Data.  Some information may have little or no sensitivity in isolation, but may be highly sensitive when combined with other data. For that reason, information stewards may classify aggregated or combined data with a more restrictive classification.

Approvals.   All information classifications are subject to final approval by the Information Trustees. 

FORMS/INSTRUCTIONS

The key online forms related to this procedure are:

  • Data Sharing Agreement
  • Data Glossaries

ADDITIONAL CONTACTS

Classification Questions:  If you have questions about the appropriate classification for any information not specifically mentioned above, please contact your line leader and/or the Office of the General Counsel.   

Information Protection Questions:  If you have any questions about appropriate protection of information, please contact the Information Security Officer.

APPENDICES

CES Information and Risk Classifications

FREQUENTLY ASKED QUESTIONS

There are no frequently asked questions for this procedure—yet.


RELATED INFORMATION

Access to Student Records Policy

Access to Student Records Procedure

Institutional Assessment and Analysis; Information/Study Request Policy

Computer and Electronic Communications General Use Policy

HISTORY

Effective:  2 October 2012

Superseded:  14 April 2017