Information Technology

Data Classification and Handling Guidelines

Data in the Moderate, High, and Restricted classifications are all considered “sensitive.” Sensitive college data should only be collected, stored, and shared when there is a specific business need and must be handled in a way that's consistent with its level of risk.

Restricted Sensitive

Definition

  • Access and use are subject to special regulatory requirements.
  • Unauthorized access has significant legal or financial consequences and may result in mandatory notification, credit monitoring services, or other obligatory measures.
  • Systems may be in place to log and audit access.

Examples

  • Social security numbers, bank account numbers, passport and visa numbers, personally identifiable information, date of birth (Oregon ID Theft Act)
  • Credit cardholder data (PCI)
  • Financial aid "customer information" (GLBA)

Guidance (minimum requirements)

  • Never store or transmit unless encrypted.
  • May not be stored in Google or on personally-owned devices.
  • No removable media (thumb drive, DVD, hard drive) unless the files are encrypted.
  • Departments are responsible for developing policies, procedures, and training that ensure compliance by employees and volunteers who handle restricted data.

High Sensitive

Definition

  • Access and use are restricted by laws, regulations, contractual agreements, or college policy.
  • Unauthorized access or use may have serious legal and financial consequences, as well as damage to reputation.

Examples

  • Staff and faculty employment records
  • Student transcripts
  • Disciplinary records
  • Personal health information
  • IT security documentation
  • Financial and health insurance accounts, and other personal information (OCIPA)
  • Personal information (GDPR)

Guidance

  • May be stored in the cloud if protected by contractual agreement (e.g., Crashplan, Google, Handshake).
  • Do not store on personally-owned devices.
  • No removable media (thumb drive, DVD, hard drive) unless the files are encrypted.
  • The college's Google Drive is secure, but Shared Drive or file encryption is required to prevent accidental oversharing.

Moderate Sensitive

Definition

  • Unauthorized access or use poses moderate risk of damage to the individual and/or the college.

Examples

  • College ID
  • Student education record, or directory information if student has opted out (FERPA)
  • Letters of recommendation
  • College correspondence
  • Meeting minutes
  • Unpublished research data
  • Computer sales, bookstore, and food service transaction records (excluding payment data)
  • Library borrowing history
  • Donor data
  • Maps of campus utilities and infrastructure
  • Law enforcement records (ARMS data)
  • Disability services data (AIM, etc.)
  • Contracts not covered by special NDA provisions

Guidance

  • Data should only be shared with individuals who have a specific business need.
  • Can be transmitted via Gmail between college email addresses.
  • Can be shared in the college's Google Drive (only share with specific individuals or defined teams).
  • May publish to the web or store in Moodle, with authentication.
  • May store on personally-owned devices if encrypted.

Low

Definition

  • Access has low to no risk to individuals or the college.

Examples

  • Published information and data
  • Course syllabi
  • Directory information
  • Username
  • Campus map

Guidance

  • Information may be shared publicly, though in some cases individuals may opt out.