Data Classification
Institutional Data Definition
The term "institutional data" means data in any form, location, or unit that meets one or more of the following criteria:
- It is subject to a legal obligation requiring the college to responsibly manage the data;
- It is substantive and relevant to the planning, managing, operating, documenting, staffing or auditing of one or more major administrative functions or multiple organizational units of the college;
- It is included in an official college report; or
- It is used to derive any data element that meets the above criteria.
Data Classifications
Institutional data must be assigned one of three classifications based on compliance, privacy, sensitivity, operational usage, and risk. These classifications take into consideration legal, regulatory, administrative, and contractual requirements; intellectual property and ethical considerations; strategic or proprietary value; and/or operational use.
Authorization to access institutional data will vary and specific controls for access and protection will be applied in accordance with College policies. Institutional data classifications are as follows:
Data protected by law, regulation, or contract, or that could cause significant harm to individuals or the College if disclosed. Access is strictly limited. Need to know. Least access privilege.
- Encryption is required when storing or transmitting through a network (including transmission over wired and wireless networks, and via email).
- Examples: Student records (grades, transcripts), social security numbers, PII, credit card data.
- Protection: Must be encrypted, stored securely, and accessed only by authorized individuals with a clear business need.
Data intended for use within the College community. Not regulated by law, but unauthorized disclosure could harm operations, cause reputational damage, or create risk. Need to know. Least access privilege.
- Examples: Internal reports, draft policies, meeting notes, intranet content, payroll, purchase orders.
- Protection: Accessible to faculty, staff, and students as needed, but not for external distribution without authorization. Emailing of Internal and/or Restricted data requires encryption.
Unrestricted. Data approved for public release. Disclosure carries little or no risk to the college, though accuracy and integrity must always be maintained.
- Examples: Course catalogs, press releases, marketing materials, public websites, published research, policies, web-accessible employee directory.
- Protection: No confidentiality controls required, but must remain accurate, complete, and safeguarded from unauthorized changes.