4.0 Policy
Union College has established the following requirements regarding the classification of data to protect the institution’s information:
4.1 Data Ownership and Accountability
Data owners are identified as the individuals, roles or committees primarily responsible for information assets. These individuals are responsible for:
- Identifying the organization’s information assets under their areas of supervision; and
- Maintaining an accurate and complete inventory for data classification and handling purposes.
Data owners are accountable for ensuring that their information assets receive an initial classification upon creation and a re-classification whenever reasonable. Re-classification of an information asset should be performed by the asset owners whenever the asset is significantly modified. Data owners are also responsible for reporting deficiencies in security controls to management.
4.2 Data Classification
Classification of data will be performed by the data asset owner based on specific, finite criteria. Refer to the Data Classification and Handling Procedure to determine how data should be classified. Data classifications will be defined as follows:
- HIGH RISK – Information whose loss, corruption, or unauthorized disclosure would cause severe personal, financial or reputational harm to the institution, institution staff or the community we serve. Federal or state breach notification would be required, and identity or financial fraud, extreme revenue loss, or the unavailability of extremely critical systems or services would occur. Common examples include, but are not limited to, some elements of Family Educational Rights and Privacy Act (FERPA) data, financial aid data covered under Title IV of the Higher Education Act (as amended) and Gramm-Leach-Bliley Act (15 U.S. Code § 6801), social security number, banking and health information, payment card information and information systems’ authentication data.
- MEDIUM RISK – Information whose loss, corruption, or unauthorized disclosure would likely cause limited personal, financial or reputational harm to the institution, institution staff or the community we serve. Federal or state breach notification would not be required, limited identity theft and very little revenue loss would occur, and the availability of critical systems would not be affected. Common examples include, but are not limited to, some elements of Family Educational Rights and Privacy Act (FERPA) data, some data elements found in HR employment records, and passport and visa numbers.
- LOW RISK – Information whose loss, corruption, or unauthorized disclosure would cause minimal or no personal, financial or reputational harm to the institution, institution staff or the community we serve. Common examples include, but are not limited to, sales and marketing strategies, promotional information, and policies.
4.3 Directory Information
4.3.1 Academic Personnel and Staff Directory Information
Academic Personnel and Staff Directory Information is defined as the following:
- Full Name
- Title
- Department
- Office location
- Room
- Phone Extension
- Email address
4.3.2 Student Directory Information
Student Directory Information is defined as the following:
- Name of student
- Telephone number
- Email address
- Class level
- Dates of attendance
- Major field of study
- Number of course units in which student is enrolled
- Degrees and honors received
- Last school attended
- Participation in official student activities
- For intercollegiate athletic team members only:
4.4 Data Handling
Information assets shall be handled according to their prescribed classification, including access controls, labeling, retention policies and destruction methods. The specific methods must be described in the Data Classification and Handling Procedure.
4.5 Re-Classification
A re-evaluation of classified data assets will be performed at least once per year by the responsible data owners. Re-classification of data assets should be considered whenever the data asset is modified, retired or destroyed.
4.6 Classification Inheritance
Logical or physical assets that “contain” a data asset may inherit classification from the data asset(s) contained therein. In these cases, the inherited classification shall be the highest classification of all contained data assets.