Data Classification and Usage Guidelines

Whether you study, teach or work at the College, you possess information that should be protected from exposure. Personal information has a lot in common with money: it has value, whether it is your SSN, your bank account number, or your account usernames and passwords. These are all pieces of information that you should share only in rare cases and never by email. If someone you don’t know asks you for this type of information, assume by default that they have no right to it.

You may also have access to information about other people that should be protected, in some cases by law.  At Williams, information owned, used, created or maintained by the College is classified into the following four categories:

Protected

State and Federal laws and some contracts require the College to protect certain types of information. Some of the key legal requirements are listed below. Other laws may apply as well, including the breach-notification laws of states other than Massachusetts when the people affected by a data breach reside there.

  • Massachusetts Identity Theft Law (protects a living person’s name in combination with an SSN, a financial account or credit/debit card number, or a driver’s license or state ID number)
  • HIPAA: Health Insurance Portability and Accountability Act (protects individually identifiable health information)
  • GLBA: Gramm-Leach-Bliley Act (protects non-public personal financial information, including student loan information)
  • PCI DSS: Payment Card Industry Data Security Standard (a contractual standard protecting credit and debit card information)

Need to Know

In addition to Protected information, College employees have access to other sensitive information which should be protected from public disclosure. Need to Know information must be treated as confidential and must not be discussed or disclosed to others except as required to perform one’s job. This includes student educational records covered by the Family Educational Rights and Privacy Act of 1974 (FERPA), alumni information, employee and job applicant information, financial information and faculty research information.

Internal

The Internal category includes information that is potentially sensitive and is not intended to be shared with the public. Internal information generally should not be disclosed outside of the College without the permission of the person or group that created it. It is the responsibility of the owner to designate information as Internal where appropriate. If you have questions about whether information is Internal or how to treat Internal data, you should talk to your department head.

Public

Public data is information that may be disclosed to any person regardless of their affiliation with the College. The Public classification is not limited to data that is of public interest or intended to be distributed to the public; the classification applies to data that do not require any level of protection from disclosure.

Here are some Data Classification examples:

  Type of Data                  Data Classification
  Social Security Numbers       Protected
  Bank Account Numbers          Protected
  Health Information            Protected
  Student Grades                Need to Know
  Student Class Schedules       Need to Know
  Job Applicant Information     Need to Know
  Alumni Information            Need to Know
  Building Plans                Internal
  Unpublished Research          Internal
  Events Calendar               Public


Where to Store Classified College Data Securely

Location and the data classifications it is safe for:

  • On-campus secured network storage (e.g. Microsoft File Services, dedicated secure servers)
    Safe for: Protected, Need to Know, Internal, Public
  • Local computer storage (e.g. hard disk, C: drive)
    Safe for: Need to Know, Internal, Public
    Protected data: only after clearance by your department head, and the data must be encrypted.
  • Williams College Gmail, including attachments
    Safe for: Need to Know, Internal, Public
  • Williams College Google Drive
    Safe for: Need to Know, Internal, Public
  • Portable device storage (e.g. smart phone, tablet, laptop, USB drive)
    Safe for: Internal, Public
    Protected or Need to Know data: only after clearance by your department head, and with the device’s security features (see Encryption below) enabled.
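The two tables above can be turned into a mechanical pre-check: before a file is copied to a location that is not cleared for Protected data, scan it for the identifiers that are Protected by definition on this page (Social Security Numbers and payment card numbers). The script below is an added example written for this page, not a tool provided by the College or OIT. The location names in ALLOWED, the SSN and card-number heuristics, and the sample strings are all assumptions chosen to mirror the tables. A clean scan does not prove a file is Internal or Public: Need to Know information (grades, applicant data, alumni records) has no fixed pattern, so the owner must still classify it by hand.

```python
"""Flag Protected identifiers in text before it goes to storage not cleared for them.

Added example for this page (not an official College tool). The rules are the
usual data-loss-prevention heuristics: an SSN-shaped number that the SSA could
actually have issued, and a 13-19 digit number that passes the Luhn checksum.
"""
import re

# Hypothetical storage policy mirroring the "Where to Store" table on this page.
ALLOWED = {
    "network_storage": {"Protected", "Need to Know", "Internal", "Public"},
    "local_disk": {"Need to Know", "Internal", "Public"},
    "gmail": {"Need to Know", "Internal", "Public"},
    "google_drive": {"Need to Know", "Internal", "Public"},
    "usb_drive": {"Internal", "Public"},
}

# 123-45-6789 with word boundaries so it is not a fragment of a longer number.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. Everything else is treated as a real SSN."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers: double every second digit
    from the right, subtract 9 from doubled values above 9, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_protected(text: str) -> list[tuple[str, str]]:
    """Return (kind, matched_text) for every Protected identifier found."""
    hits = []
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", m.group(0)))
    return hits


def classify(text: str) -> str:
    """Only Protected is detectable mechanically. Anything else is returned as
    Internal, the safe default the owner must confirm or raise to Need to Know."""
    return "Protected" if find_protected(text) else "Internal"


def may_store(text: str, location: str) -> bool:
    """True if the text's detected classification is allowed at the location."""
    return classify(text) in ALLOWED[location]


if __name__ == "__main__":
    # Constructed sample content; the SSN and card number are test values, not real ones.
    sample = "Refund to 4111 1111 1111 1111 for student 123-45-6789"
    print(find_protected(sample))
    for loc in ALLOWED:
        print(f"{loc}: {'ok' if may_store(sample, loc) else 'BLOCKED'}")
```

The Luhn check matters: without it, any phone number or order ID of the right length would be flagged, and users learn to ignore the tool. The SSN range check removes the obvious placeholders (000-00-0000 and friends) but will still match nine-digit numbers that merely look like SSNs, so treat a hit as a reason to look, not as proof, and treat a miss as no evidence at all about Need to Know data.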

Encryption

If you do need to send or store data securely, encryption options exist for almost every file type and device, and they greatly reduce the harm from a lost or stolen device or an intercepted file. For example, Mac and PC laptop disks can be fully encrypted so that their contents are unreadable without the login password. iPhones and iPads can (and should) be locked with a passcode; on those devices the passcode is also what protects the stored data, so the lock screen is not merely cosmetic. Flash (thumb) drives can be encrypted for secure travel. Word documents and PDFs can be protected with a password, which encrypts the file’s contents in the current formats (.docx and recent PDF versions); legacy formats offer much weaker protection. In every case the protection is only as strong as the password, so choose a long one, and never send the password in the same email as the file it protects.

General guidelines and tools are available at:

http://oit.williams.edu/help-docs/security/file-encryption/