Data Classification Policy and Usage Guidelines
Whether you study, teach or work at the College, you possess information that should be protected from exposure. Personal information has a lot in common with money – it has value, whether it’s your SSN, bank account number, or account usernames & passwords. These are all pieces of information that you should only share in rare cases and never by email. If someone you don’t know asks you for this type of information, assume by default they have no right to know it.
You may also have access to information about other people that should be protected, in some cases by law. At Williams, information owned, used, created or maintained by the College is classified into the following four categories:
Protected
State and Federal laws and some contracts require the College to protect certain types of information. Some of the key legal requirements are listed below. Other laws may apply as well, including those in states other than Massachusetts if victims of a data breach reside elsewhere.
- Massachusetts Identity Theft Law (protects name of living persons in combination with SSN or financial account number or driver’s license number)
- HIPAA: Health Insurance Portability & Privacy Act (protects personal health information)
- GLBA: Gramm-Leach-Bliley Act (protects non-public financial information, including student loan information)
- PCI DSS: Payment Card Industry Data Security Standards (protects credit and debit card information)
Confidential
In addition to Protected information, College employees have access to other sensitive information which should be protected from public disclosure. Confidential information must be treated as such and should not be discussed or disclosed to others except as required to perform one’s job. This includes student educational records covered by the Family Education Rights & Privacy Act of 1974 (FERPA), alumni information, employee and job applicant information, financial information and faculty research information.
Internal
The Internal category includes information that is potentially sensitive and is not intended to be shared with the public. Internal information generally should not be disclosed outside of the College without the permission of the person or group that created it. It is the responsibility of the owner to designate information as Internal where appropriate. If you have questions about whether information is Internal or how to treat Internal data, you should talk to your department head.
Public
Public data is information that may be disclosed to any person regardless of their affiliation with the College. The Public classification is not limited to data that is of public interest or intended to be distributed to the public; the classification applies to data that do not require any level of protection from disclosure.
Here are some Data Classification examples:
| Type of Data | Data Classification |
| --- | --- |
| Social Security Numbers | Protected |
| Bank Account Numbers | Protected |
| Health Information | Protected |
| Student Grades | Confidential |
| Student Class Schedules | Confidential |
| Job Applicant Information | Confidential |
| Alumni Information | Confidential |
| Building Plans | Internal |
| Unpublished Research | Internal |
| Events Calendar | Public |
Where to Store Classified College Data Securely
| Location | Data Classification |
| --- | --- |
| Software applications designed for managing classified information (e.g. financial, human resources, student, alumni) | Safe for Protected, Confidential, Internal, Public |
| On-campus secured network storage (e.g. Microsoft File Services, dedicated secure servers) | Safe for Protected, Confidential, Internal, Public |
| Local computer storage (e.g. hard disk, C: drive) | Safe for Confidential, Internal, Public. Use for Protected data must first be cleared with department head and data must be encrypted. |
| Williams College Gmail, including attachments | Safe for Confidential, Internal, Public |
| Williams College Google Drive | Safe for Confidential, Internal, Public |
| Portable device storage (e.g. smart phone, tablet, laptop, USB drive) | Safe for Internal, Public. Use for Protected or Need to Know data must first be cleared with department head and device security features enabled. |
| Other storage locations or services (e.g. Box, DropBox) | Use for Williams College data must first be cleared with department head. |
Encryption
If you do need to send or save data securely, encryption options are available for almost all file types and devices, and they help mitigate the risk of a data breach. For example, Mac and PC laptop storage can be encrypted so that it is inaccessible without a password. iPhones and tablets can (and should) be locked with passcodes. Flash (thumb) drives can also be encrypted for secure travel. Word documents and PDFs can be password-protected.
General guidelines and tools are available at:
http://oit.williams.edu/help-docs/security/file-encryption/