Data Stewardship & Security: Data Categories/Classification Types
This document describes Wooster’s data classification types and provides examples of each. Our classification types are based on the three common classifications of data to reflect their sensitivity (from “low” to “high”) used by colleges and universities. The classifications help us know what data can be shared and how we need to protect the data. Among the considerations in colleges and universities adopting the three classifications are legal protections – statutes, regulations, laws – that stipulate what is protected and how we should protect it. For information that isn’t specifically covered by one or more regulations, institutions consider the effect that release of the information would have on the institution or individuals, for example “would it cause harm or embarrassment?”
The content of the data is what matters, not the format. The format determines how we store, process, and protect it.
Our three classification types are: public data, internal data, and protected data. Descriptions and representative, but not comprehensive, examples follow.
Public Data
“Public data” has the lowest level of sensitivity.
Public Data is any data we make available to anyone and everyone. It can be published or distributed knowing that there would be no harm to the College or our students, prospective students, employees, alumni, families, friends, donors, contractors/service providers or other constituency. It is not confidential.
Examples of Public Data include websites, press releases, official statements, publications, job postings, department faculty lists, published research, campus and student publications, campus addresses (of offices, not students), campus maps, IPEDS surveys, course descriptions, and any data we are required to disclose per regulation or accreditor requirements.
Internal Data
“Internal data” has a moderate level of sensitivity.
This classification applies to information protected due to proprietary, ethical, or privacy considerations, even though there may not be a direct statutory, regulatory, or common-law basis for requiring this protection. Internal data is restricted to personnel designated by the College who have a legitimate business purpose for accessing such data.
Examples of Internal Data include alumni/advancement data, contracts, purchasing data, course syllabi, electronic mail (that does not include protected data – see below), facilities systems & infrastructure details, financial information (other than that we are required to make available to the public or that includes protected data), institutional planning data, institutional survey data, investment data, and library transactions.
Protected Data
“Protected data” has the highest level of sensitivity. It is data that is often the subject of laws and regulations.
Protected Data is data that contains personally identifiable information concerning individuals. It is data that is regulated by local, state, federal, or international privacy regulations. This data is designated or described by any voluntary industry standards or best practices concerning the protection of personally identifiable information that Fordham chooses to follow. These regulations may include, but are not limited to:
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standards (PCI DSS)
- General Data Protection Regulation (GDPR)
- California Consumer Protection Act (CCPA)
- Other state or international privacy or cybersecurity regulations
Examples of Protected Data include 1099s, bank account numbers, Colleague and campus ID number, credit/payment card data, date of birth, donor/prospect information, driver’s license numbers, employee and student home addresses or personal contact information, employee information, ethnicity/race, grades, graduating class and degree, human resource records, immigration status, maiden name, student transcripts, prospective student application or inquiry data, protected health information, social security number (SSN), student case management records, student conduct records, student financial information (student account, financial aid), student loan information, student record information, vendor employer identification numbers, W-2s, and wage/salary data.
Note: Any sharing or storage of Human Subject Research data is subject to the approval of the College’s Human Subjects Research Committee.
Updated: 06-11-2023