Data Classification Policy and Usage Guidelines

Whether you study, teach or work at the College, you possess information that should be protected from exposure.  Personal information has a lot in common with money – it has value, whether it’s your SSN, bank account number, or account usernames & passwords.  These are all pieces of information that you should only share in rare cases and never by email.  If someone you don’t know asks you for this type of information, assume by default they have no right to know it.

You may also have access to information about other people that should be protected, in some cases by law.  At Williams, information owned, used, created or maintained by the College is classified into the following four categories:

Protected

State and Federal laws and some contracts require the College to protect certain types of information. Some of the key legal requirements are listed below. Other laws may apply as well, including those in states other than Massachusetts if victims of a data breach reside elsewhere.

  • Massachusetts Identity Theft Law (protects the name of a living person in combination with an SSN, financial account number or driver’s license number)
  • HIPAA: Health Insurance Portability & Privacy Act (protects personal health information)
  • GLBA: Gramm-Leach-Bliley Act (protects non-public financial information, including student loan information)
  • PCI DSS: Payment Card Industry Data Security Standard (protects credit and debit card information)

Confidential

In addition to Protected information, College employees have access to other sensitive information which should be protected from public disclosure. Confidential information must be treated as such and should not be discussed or disclosed to others except as required to perform one’s job. This includes student educational records covered by the Family Educational Rights and Privacy Act of 1974 (FERPA), alumni information, employee and job applicant information, financial information and faculty research information.

Internal

The Internal category includes information that is potentially sensitive and is not intended to be shared with the public. Internal information generally should not be disclosed outside of the College without the permission of the person or group that created it. It is the responsibility of the owner to designate information as Internal where appropriate. If you have questions about whether information is Internal or how to treat Internal data, you should talk to your department head.

Public

Public data is information that may be disclosed to any person regardless of their affiliation with the College. The Public classification is not limited to data that is of public interest or intended to be distributed to the public; the classification applies to data that do not require any level of protection from disclosure.

Here are some Data Classification examples:

| Type of Data              | Data Classification |
|---------------------------|---------------------|
| Social Security Numbers   | Protected           |
| Bank Account Numbers      | Protected           |
| Health Information        | Protected           |
| Student Grades            | Confidential        |
| Student Class Schedules   | Confidential        |
| Job Applicant Information | Confidential        |
| Alumni Information        | Confidential        |
| Building Plans            | Internal            |
| Unpublished Research      | Internal            |
| Events Calendar           | Public              |


Where to Store Classified College Data Securely

| Location | Safe for | Conditions |
|----------|----------|------------|
| Software applications designed for managing classified information (e.g. financial, human resources, student, alumni) | Protected, Confidential, Internal, Public | |
| On-campus secured network storage (e.g. Microsoft File Services, dedicated secure servers) | Protected, Confidential, Internal, Public | |
| Local computer storage (e.g. hard disk, C: drive) | Confidential, Internal, Public | Use for Protected data must first be cleared with department head and data must be encrypted. |
| Williams College Gmail, including attachments | Confidential, Internal, Public | |
| Williams College Google Drive | Confidential, Internal, Public | |
| Portable device storage (e.g. smart phone, tablet, laptop, USB drive) | Internal, Public | Use for Protected or Need to Know data must first be cleared with department head and device security features enabled. |
| Other storage locations or services (e.g. Box, DropBox) | | Use for Williams College data must first be cleared with department head. |

Encryption

If you do need to send or save data securely, there are encryption options available for almost all file types and devices which can help mitigate the risk of a data breach.  For example, Mac and PC laptop storage can be encrypted so it’s inaccessible without a password.  iPhones and tablets can (and should) be locked with passcodes.  Flash (thumb) drives can also be encrypted for secure travel.  Word documents and PDFs have the option to protect with passwords.

General guidelines and tools are available at:

http://oit.williams.edu/help-docs/security/file-encryption/