Information Governance: Information Classification
Effective Date: 22 October 2012
Last Updated: 14 April 2017
Responsible University Officer:
Procedure Owner: J. Kelly Flanagan
(Responsible for developing, implementing, & managing the procedure)
Procedure Contact: Christine Tolman
(First point of contact for procedure users)
Information Security and Appropriate Use Policy
ENTITIES AFFECTED BY THIS PROCEDURE:
Any persons with responsibility for classifying, providing access to, or using university information
Identification and classification of university information is essential for ensuring that the appropriate degree of protection is applied to university information. This procedure describes how the university classifies information.
Responsibility for Classification:
Information stewards are responsible for classifying the information in their academic or administrative units into one of the four categories defined below. Classifications are to be determined in consultation with appropriate Information Trustees and are then used to govern access and security requirements. In addition, information stewards are responsible for periodically evaluating the classifications assigned and for providing information concerning access or availability of information in their academic or administrative unit.
Information is classified into one of the following four categories according to its use, sensitivity, risk, and importance to the university and in compliance with university policy, state and federal regulations, and other obligations regarding privacy and confidentiality of information.
Public—information which may, or must, be available to the general public and has been formally approved for public release. (Examples: Course catalog, directory information)
Internal—information which is generally accessible within the University to those with a legitimate university purpose as allowed by statute, regulations, other legal obligations or mandates or policy; not intended for entities or persons outside the University. This information must be protected against unauthorized use, access, disclosure, acquisition, modification, loss, or deletion. (Examples: Student records, Employee contact information, University policies and procedures, Organization charts)
Confidential—Information which requires special handling and controls specific to each work environment that limit access and use; may not be specifically protected by statute, regulations, or other legal mandates, but is considered by the University’s senior management to be private and confidential and as such must be protected against unauthorized use, access, disclosure, acquisition, modification, loss, or deletion. (Examples: Salary or performance information, Donor contact information, Contracts)
Highly Confidential—Information which requires the strictest rules of handling and usage; is protected and/or regulated by statutes, policies, or regulations; and may also include information for which an Information Trustee has exercised his or her right to restrict access. (Examples: Social Security Number, Credit Card Number, Personal medical records)
Considerations when Classifying Information:
Default Classification. All information is considered non-public and classified as “Confidential” until classified otherwise.
Aggregated or Combined Data. Some information may have little or no sensitivity in isolation, but may be highly sensitive when combined with other data. For that reason, information stewards may classify aggregated or combined data with a more restrictive classification.
Approvals. All information classifications are subject to final approval by the Information Trustees.
The key online forms related to this procedure are:
- Data Sharing Agreement
- Data Glossaries
Classification Questions: If you have questions about the appropriate classification for any information not specifically mentioned above, please contact your line leader and/or the Office of the General Counsel.
Information Protection Questions: If you have any questions about appropriate protection of information, please contact the Information Security Officer.
CES Information and Risk Classifications
FREQUENTLY ASKED QUESTIONS
There are no frequently asked questions for this procedure—yet.
Access to Student Records Policy
Access to Student Records Procedure
Institutional Assessment and Analysis; Information/Study Request Policy
Computer and Electronic Communications General Use Policy
2 October 2012
14 April 2017