Policies and Procedures Manual 2023-2024

3.60 Data Classification and Handling

  1. Purpose
    Any person who uses, stores or accesses data contained in the information technology systems (either academic or administrative) of Piedmont University ("Piedmont" or “University”) has the responsibility to safeguard that data. Data classification is one method of determining the safeguard requirements for certain data and the appropriate College response to any unauthorized release of that data. Such safeguards and response plans are not only good stewardship for College data, but are required by certain state and federal law and regulations.

  2. Scope
    This policy governs the privacy, security and integrity of University data stored on University IT systems and outlines the responsibilities of the individuals and organizational units that manage, use, access, store or transmit that data. This policy supplements, but does not supersede, the University’s Confidentiality Agreement.

  3. Policy
    1. Piedmont University IT Services maintains systems that store data essential to the performance of University business. All members of the community have a responsibility to protect University data from unauthorized access, use, storage, transmission, disclosure, or destruction.
    2. All University data is classified into four levels of security classification: Restricted (Protected) Data, Confidential (Sensitive) Data, Internal (Directory) Data, and Public Data. For the purposes of this policy, data not formally classified (Unclassified Data) will be considered Sensitive Data. For the purposes of the University’s Confidentiality Agreement, all data except Public Data is to be considered confidential.
      1. Restricted or Protected Data is data that (1) if compromised would expose members of the University and its community to a high risk of identity theft or financial fraud and (2) is protected by Federal or state law or regulations. Applicable law and regulatory requirements include (but are not limited to) the Family Educational Rights and Privacy Act (FERPA), the Fair and Accurate Credit Transactions Act (FACTA), the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and other applicable Federal and Georgia State laws. Examples of Protected Data include, but are not limited to:
        1. Name
        2. Address (all geographic subdivisions smaller than state, including street address, city county, and zip code)
        3. All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
        4. Telephone numbers
        5. Fax number
        6. Email address
        7. Social Security Number
        8. Medical record number
        9. Health plan beneficiary number
        10. Account number
        11. Certificate or license number
        12. Vehicle identifiers and serial numbers, including license plate numbers
        13. Device identifiers and serial numbers, Passport Number, or any State ID Number
        14. Web URL
        15. Internet Protocol (IP) Address
        16. Finger or voice print
        17. Photographic image - Photographic images are not limited to images of the face.
        18. Any other characteristic that could uniquely identify the individual
        19. Credit Card Information (Number, expiration date, security code)
        20. Users’ Systems Passwords
        21. Medical history
        22. Disability
        23. Student and family financial history
        24. Student account balances
        25. Student Financial Aid history
        26. Student academic history, including student grades

      2. Confidential or Sensitive Data is data that, while not explicitly protected by federal or state law, is proprietary to the University and would, if released, expose the University and members of the community to a heightened risk of identity theft or financial fraud. Examples of Sensitive Data include, but are not limited to:
        1. Employee salary or employment history
        2. Permanent or Local Address
        3. Department budgets
        4. Student registration Personal Identification Numbers
        5. Internal operating procedures and operational manuals
        6. Internal memoranda, emails, reports and other documents
        7. Technical documents such as system configurations and floor plans
      3. Internal or Directory Data is data that The University chooses to keep private, but any disclosure would most likely not cause material harm. It can also be used for University communication or to link records between University systems or reports. This could include directory information that is widely available to members of the University community, but nevertheless should be handled with care, since exposure could result in increased risk of financial fraud or identity theft for the University and members of the community. Examples of Internal/Directory Data include, but are not limited to:
        1. Departmental policies and procedures
        2. Grant applications
        3. Usernames
        4. Campus wide IDs
        5. ID photos
        6. Class Rosters/Advisor Rosters
      4. Public Data is data that the University may or must make available to the public with no legal or other restrictions, via its website or various reports, press releases, reports and the like. Examples of Public Data include:
        1. Information posted on the University’s website.
        2. The University phone directory
        3. The University’s annual financial reports
        4. Data published in the Integrated Postsecondary Education Data System documents.
        5. Copyrighted materials that are publicly available
      5. If in doubt as to how any data should be classified among the 4 levels of security classifications above, contact your supervisor and/or treat the information as confidential.
    3. The loss, unauthorized access to or disclosure agencies Data must be reported to the appropriate University officials, including the management of the organizational unit in which the data breach was discovered, the University’s Chief Information Officer (CIO) and the Technology Helpdesk so that the appropriate response to the incident, including required notification of appropriate federal and state agencies, can be initiated.
    4. The loss, unauthorized access to or disclosure of Sensitive Data should be reported to the management of the organizational unit in which the data breach was discovered for their appropriate response.
    5. The purposes of the University’s Confidentiality Agreement, all data except Public Data are considered confidential. The unauthorized access, disclosure or transmission of confidential information may result in disciplinary action by the University, including termination or expulsion, as outlined in the University’s Confidentiality Agreement and other relevant University policies.
    6. University data are assets belonging to the University. Departments which collect, use, store and transmit University data should classify their data according to the level of risk associated with handling that data and implement appropriate safeguards to that data based on that risk. Data is generally stored in sets. The classification of a data set should be to the highest level of any data element in that set; for example, a report containing a combination of protected, sensitive directory and public data should be considered protected and provided with the safeguards appropriate for protected data. Individuals and departments must implement appropriate safeguards for accessing, transmitting and storing University data. Examples of appropriate safeguards for Protected and Sensitive Data include, but are not limited to:
      1. The data must be protected to prevent loss, theft, and/or unauthorized access, disclosure, modification, and/or destruction.
      2. The data may only be accessed or disclosed if necessary for University business purposes and consistent with applicable University policies.
      3. The data must not be downloaded, stored or transmitted unless appropriately secured and/or encrypted.
      4. The data must not be posted on any website or shared file storage space unless University standard authentication methods are used.
      5. The data must be destroyed when no longer needed and in accordance with University policies.
      6. Disposal of data should follow the guidelines as stated below.

 

Classification

Receipt

Storage

Transfer

Disposal

RED

(Restricted, Sensitive and/or Confidential)

  • Encrypted methods (FTS or Encrypted CD) must be used when receiving personal information files.
  • Special delivery mail
  • External/Internal email to authorized recipients only.
  • Internal file network/SharePoint restricted to relevant/authorized personnel only
  • Lockable units for physical files
  • Internal email to authorized recipients only.
  • Internal file network/SharePoint restricted to relevant/authorized personnel only.
  • Intranet restricted to relevant personnel
  • Encrypted methods (FTS or encrypted CD) must be used when transferring personal information files.
  • Internal file network/SharePoint restricted to relevant/authorized personnel only.
  • External/Internal email to authorized recipients only. (use FTS whenever possible)
  • Hard copy destruction equivalent to shredding or certified confidential waste/recycling
  • Soft copy disposal must be in accordance with departmental procedures (archiving and deletion of files) and Kantar ITP protocols

Amber (Internal/

Proprietary – Business Use Only)

 

  • Internal email to necessary recipients only
  • Internal file network/SharePoint restricted to relevant personnel only.
  • Intranet restricted to relevant personnel only
  • Internal email to necessary recipients only
  • Internal file network/SharePoint restricted to relevant personnel only.
  • Intranet restricted to relevant personnel only
  • Internal email to necessary recipients only
  • Internal file network/SharePoint restricted to relevant personnel only
  • Intranet restricted to relevant personnel only
  • Hard copy destruction equivalent to shredding or certified confidential waste/recycling
  • Soft copy disposal must be in accordance with departmental procedures (archiving and deletion of files) and Kantar ITP

protocols

Green (Public)

  • No restrictions required
  • No restrictions required
  • No restrictions required
  • No restrictions required