Data Classifications and Protection Requirements

Policy Table of Contents

Data Classifications
- Public
  - Examples of Public Data
- Internal
  - Examples of Internal Data
Confidential
- - Examples of Confidential Data
- Restricted
  - Examples of Restricted Data
Resolving Conflicts between this Guideline and Other Regulations
Data Protection Requirements
Restricted Use Data
Exceptions

Data Classifications

College Data is information generated by or for, owned by, or otherwise in the possession of CCS that is related to the College’s activities. College Data may exist in any format (i.e. electronic, paper) and includes, but is not limited to, all academic, administrative, and research data, as well as the computing infrastructure and program code that supports the business of CCS.

In order to effectively secure College Data, we must have a vocabulary that we can use to describe the data and quantify the amount of protection required. This policy defines four categories into which all College Data can be divided:

Public

Public data is information that may be disclosed to any person regardless of their affiliation with the College. The Public classification is not limited to data that is of public interest or intended to be distributed to the public; the classification applies to data that do not require any level of protection from disclosure. While it may be necessary to protect original (source) documents from unauthorized modification, Public data may be shared with a broad audience both within and outside the College community and no steps need be taken to prevent its distribution.

Examples of Public Data

Press releases
Directory information (not subject to a Family Educational Rights and Privacy Act (FERPA) block)
Course catalogs
Information a department would choose to post on its website is a good example of Public data
Other general information that is openly shared

Internal

Internal data is information that is potentially sensitive and is not intended to be shared with the public. Internal data generally should not be disclosed outside of the College without the permission of the person or group that created the data. It is the responsibility of the data owner to designate information as Internal where appropriate. If you have questions about whether information is internal or how to treat internal data, you should talk to your supervisor.

Examples of Internal Data

Some memos, correspondence, and meeting minutes
Contact lists that contain information that is not publicly available
Procedural documentation that should remain private

Confidential

Confidential data is information that, if made available to unauthorized parties, may adversely affect individuals or the business of CCS. This classification also includes data that the College is required to keep confidential, either by law (e.g., FERPA, GLBA, GDPR) or under a confidentiality agreement with a third party, such as a vendor. This information should be protected against unauthorized disclosure or modification.

Confidential data should be used only when necessary for business purposes and should be protected both when it is in use and when it is being stored or transported.

Any unauthorized disclosure or loss of confidential data must be immediately reported to the ITS Helpdesk (https://helpdesk.collegeforcreativestudies.edu, 313-664-7818) as well as the immediate supervisor or another available person in the chain of authority.

Examples of Confidential Data

Information covered by the Family Educational Rights and Privacy Act (FERPA), which requires protection of records for current and former students. This includes pictures of students kept for official purposes.
Personally identifiable information entrusted to our care that is not otherwise categorized as Restricted Use data, such as information regarding applicants, alumni, donors, potential donors, or parents of current or former students, and information covered by the European Union’s General Data Protection Regulation (GDPR).
The CCS ID Number, when stored with other identifiable information such as name or e-mail address.
Information covered by the Gramm-Leach-Bliley Act (GLBA), which requires protection of certain financial records.
Individual employment information, including salary, benefits and performance appraisals for current, former, and prospective employees.
Legally privileged information.
Information that is the subject of a confidentiality agreement.

Restricted

Restricted Use data includes any information that CCS has a contractual, legal, or regulatory obligation to safeguard in the most stringent manner. In some cases, unauthorized disclosure or loss of this data would require the College to notify the affected individual and state or federal authorities.

The College’s obligations will depend on the particular data and the relevant contract or laws. The End User Device Minimum Security Standards sets a baseline for all Restricted Use data.

Examples of Restricted Data

Personally identifiable health information that is not subject to HIPAA but used in research, such as Human Subjects Data.
Personally Identifiable Information (PII), including an individual’s name plus the individual’s Social Security Number, driver’s license number, or a financial account number.
Unencrypted data used to authenticate or authorize individuals to use electronic resources, such as passwords, keys, and other electronic tokens.
“Criminal Background Data” that might be collected as part of an application form or a background check.

More stringent requirements exist for some types of Restricted Use data. Individuals working with the following types of data must follow the College policies governing those types of data and consult with the Director of Information Technology Services to ensure they meet all of the requirements of their data type:

Resolving Conflicts between this Guideline and Other Regulations

Some data may be subject to specific protection requirements under a contract or grant, or according to any law or regulation not described here. In those circumstances, the most restrictive protection requirements should apply. If you have questions, please contact a member of the Committee.

Data Protection Requirements

This Guideline provides the requirements for handling and protecting information at each stage of its lifecycle from creation to destruction and the minimum-security standards required for any electronic device that may be used to access or store sensitive information owned or used by CCS. The data handling protections outlined here apply to all sensitive information, both physical and electronic, throughout all of CCS.

Sensitive information is College data that is classified as Internal, Confidential, or Restricted Use. See the Data Classifications section for definitions and examples of each of these classifications.

Public (non-sensitive) information does not require any level of protection from disclosure but appropriate precautions should be taken to protect original (source) documents from unauthorized modification.

Information Lifecycle

The information lifecycle is the progression of stages or states in which a piece of information may exist between its original creation and final destruction. These phases are: Collecting, Accessing, Sharing, Sending, Storing, Auditing, Incident Reporting and Destroying.

It is important to understand that Storing refers to a broad spectrum of activities including putting a file in a filing cabinet or on to a file server or entering information into a database or spreadsheet. The requirements for Storing information apply equally to the source and to any copies made. For example, when a file is downloaded or copied from a file server to a laptop computer for use offline, it is stored in that new location and all of the storing requirements must be followed.

Requirements for Protection

Each classification of data has different requirements for protection throughout the lifecycle of use. The requirements for each Internal Data, Confidential Data, & Restricted Use Data are detailed below.

Internal Data

Collecting	No restrictions.
Accessing	Access should be provided as required for business devices used to access sensitive (non-Public) information. Such access must meet End User Device Minimum Standards.
Sharing	Share with employees as needed. Share with vendors/third-parties as approved by department head.
Sending	Paper	Send in a manner that protects the information from incidental or casual reading.
Sending	Electronic	Use a method that requires recipient to authenticate prior to receipt, such as email, a web site that requires Web Login, or a file server that requires a password. Use secure email service for more private data.
Storing	Paper	Keep in non-public areas when not in use.
	Electronic	Devices used to store sensitive (non-Public) information must meet End User Device Minimum Standards.
	Electronic Media (CD, DVD, USB, etc.)	Store media in a non-public location when not in use.
Auditing	ALL	Conduct a periodic review of where this data is located, who has access to it, the access control mechanisms, encryption protocols, and data destruction protocols.
Incident Reporting	ALL	Report the loss of any Internal Data to your supervisor who will determine the requirements, if any, for further reporting.
Destroying	ALL	Review Record Retention Policy before disposing of records.
	Paper & Disposable Electronic Media (CDs, DVDs)	For Internal documents with sensitive content, shred materials before disposing of them.
	Electronic Files (Data) Reusable Electronic Storage Devices (USB keys, disk drives)	Use standard operating system utilities to delete files.
	All Electronic Storage Media at End of Life, including Disk Drives	Contact Information Technology Service for secure destruction of all physical electronic media. Do not dispose of in the trash, recycle, etc.

Confidential Data

Collecting	Reduce or eliminate collection where not required for business function. Collection of some types of Confidential data about individuals may require the approval of the appropriate Data Owner(s).
Accessing	Access to some Confidential data requires approval of a Data Owner on a per-individual basis. See the list of the Data Owners above. Devices used to access sensitive (non-Public) information must meet End User Device Minimum Standards. Ensure protocols are in place to immediately remove access upon change in employment status of any individual with access.
Sharing	If you are uncertain if a piece of Confidential information should be shared, escalate the request to an appropriate supervisor or Data Owner. For types of data that are governed by a Data Owner, this information may be shared only for business purposes and only as approved by the appropriate Data Owner except where the information is being given to approved custodians of that type of data. Information concerning a small number of individuals may be shared internally without Owner review if the recipient of the data has a need-to-know and is entrusted with the same type of information for their job function. Note: Non-disclosure language or a confidentiality agreement may be appropriate. For example: * Grades need to be communicated to the Registrar’s office * Faculty may consult with other faculty about a student’s performance, as appropriate. * Sharing information with vendors and third-parties requires Data Owner approval For types of data that are not governed by a Data Owner, the information may be shared internally on a need-to-know basis Information may be shared with the subject of the record or with another party with the subject’s approval, as appropriate.
Printing, Copying, & Scanning	Printers often store the printed document on a local hard drive, potentially allowing unauthorized access to the information. Avoid printing Confidential data unnecessarily.
Sending	Paper	Address to the specific intended party and send in sealed security envelopes. Mark with “For intended recipient only”. Outside the College, paper should be sent via certified mail or with an authorized courier.
	Electronic	Particularly sensitive data or large volumes of confidential data should be encrypted during transmission. Don not email confidential data – provide a secure link instead. If confidential information is to be stored on removable media (CD/DVD/USB/External HD) or in the cloud, see the section below regarding the proper storage.
	Fax	Fax machines often store the faxed messages in memory, potentially allowing unauthorized access. Consider alternatives to faxing Confidential data where possible. If a fax must be used, consider taking reasonable steps to protect the data, including the use of a cover sheet stating that the fax is Confidential and to be read only by the named recipient. Also consider coordinating with the intended recipient so he or she is on hand to directly receive the fax before you begin to send.
	Smart Phones and tablet devices (such as iPads)	The use of smart phones to access Confidential data, such as through email, puts that data at higher risk of unintended disclosure Individuals accessing Confidential Data via such a device must comply with the standards set forth in End User Device Minimum Standards
Storing	Paper	Should be stored in physically secure areas that are accessible only by authorized individuals. The number of copies should be kept to a minimum.
	Electronic	Particularly sensitive data or large volumes of confidential data should be encrypted during transmission. Don not email confidential data – provide a secure link instead. If confidential information is to be stored on removable media (CD/DVD/USB/External HD) or in the cloud, see the section below regarding the proper storage.
	Electronic Media (CD, DVD, USB, etc.)	Encryption of stored data is recommended. Store media in a secure location when not in use. Media should be erased or destroyed as soon as it is no longer needed.
Auditing	ALL	Each unit or department should conduct periodic reviews of where Confidential data is located, who has access to it, the access control mechanisms, encryption protocols, and data destruction protocols. Verify that procedures for removing access are documented and accurate.
Incident Reporting	ALL	Any unauthorized disclosure or loss of Confidential data must be immediately reported to the ITS Helpdesk (https://helpdesk.collegeforcreativestudies.edu, 313-664-7818) as well as the immediate supervisor or other available person in chain of authority.
Destroying	ALL	Review Record Retention Policy and the information in this destruction section before disposing of records. Do not destroy records that are the subject of a litigation hold or that must be retained pursuant to the College record retention policy.
	Paper & Disposable Electronic Media (CDs, DVDs)	Dispose of paper media via College approved shred boxes. Contact Information Technology Service for secure destruction of all physical electronic media. Do not dispose of in the trash, recycle, etc.
	Electronic Files (Data) Reusable Electronic Storage Devices (USB keys, disk drives)	Contact Information Technology Service for secure destruction of all physical electronic media. Do not dispose of in the trash, recycle, etc.
	All Electronic Storage Media at End of Life, including Disk Drives
	Device End of Lease or End of Life (Printers, Copiers, Multi-function office machines)	Devices such as these often contain hard drives which must be properly erased, or “wiped”, prior to leaving CCS control (returned to the vendor, sent to surplus, donated, disposed of, etc.). For information on how to properly wipe the drive, contact Information Technology Services.

Restricted Use Data

Collecting	Eliminate collection whenever possible. Collection of Restricted Use data about individuals must be approved by and provided to the appropriate Data Owner. See the list of the Data Owners above.
Accessing	Access to Restricted Use data requires approval of a Data Owner. Avoid accessing or using Restricted Use data whenever possible, and do so from as few different devices as possible. Devices used to access Restricted Use information must meet end user device minimum standards for Restricted Use information. The custodian of the system or information must immediately remove access from any person that no longer requires that access as part of their job function.
Sharing	If you are uncertain if a piece of Restricted Use information should be shared, escalate the request to an appropriate supervisor or Data Owner. This information may be shared only for need-to-know business purposes and only as approved by the appropriate Data Owner, except where the information is being given to approved custodians of that type of data. Information concerning a small number of individuals may be shared internally without Owner review if the recipient of the data has a need-to-know and is entrusted with the same type of information for their job function. Note: Sharing student or employee information with third-party vendors requires review and approval by the Chief Information Officer to ensure that the vendor has the proper terms of use, privacy, and security measures in place. Once approved by the Chief Information Officer, the appropriate College representative may sign the vendor agreement. Information may be shared with the subject of the record or with another party with the subject’s approval, as appropriate.
Printing, Copying, & Scanning	Printers often store the printed document on a local hard drive, potentially allowing unauthorized access to the information. Avoid printing Restricted Use data unnecessarily.
Sending	Paper	Address to the specific intended party and send in sealed security envelopes. Mark with “For intended recipient only”. Outside the College, paper must be sent via certified mail or with an authorized courier.
	Electronic	Data is required to be encrypted during transmission. If Restricted Use data must be placed on removable media (CD/DVD/USB/External HD) or in the cloud, it must be properly protected. See the section below regarding proper storage. If Restricted Use data must not be sent via email – use a secure link instead. Compensating controls must be formally documented and an exception approved by Information Security where this is not technically possible.
	Fax	Fax machines often store the faxed messages in memory, potentially allowing unauthorized access. Avoid faxing Restricted Use data where possible. If a fax must be used, include a cover sheet stating that the fax is Restricted Use and to be read only by the named recipient. Also, coordinate with the intended recipient so he or she is on hand to directly receive the fax before you begin to send.
	Smart Phones and tablet devices (such as iPads)	The use of smart phones to access Restricted Use data is strongly discouraged. For example, do not check your secure email from your smart phone. Individuals that must use such a device to access Restricted Use data must comply with the standards set forth in End User Device Minimum Standards.
Storing	Paper	Keep in locked filing cabinets in physically secure areas that are accessible only by authorized individuals. Keep the number of copies of the data to a minimum.
	Electronic	Encryption of stored data is required. Devices used to store sensitive (non-Public) information must meet End User Device Minimum Standards. Cloud services may not be used to process or store Restricted Use data unless they have been approved for such use by Director of Information Technology Services and the appropriate Data Owner.
	Electronic Media (CD, DVD, USB, etc.)	Encryption of stored data is required. Store media in a secure location when not in use. Media should be inventoried upon creation and destroyed as soon as it is no longer needed.
Auditing	ALL	Each unit or department must conduct periodic reviews of where Restricted Use data is located, who has access to it, the access control mechanisms, encryption protocols, and data destruction protocols. Verify that procedures for removing access are documented and accurate.
Incident Reporting	ALL	Any unauthorized disclosure or loss of Restricted data must be immediately reported to the ITS Helpdesk (https://helpdesk.collegeforcreativestudies.edu, 313-664-7818) as well as the immediate supervisor or other available person in chain of authority.
Destroying	ALL	Review Record Retention Policy and the information in this destruction section before disposing of records. Do not destroy records that are the subject of a litigation hold or that must be retained pursuant to the College Record Retention Policy.
	Paper & Disposable Electronic Media (CDs, DVDs)	Dispose of paper media via College approved shred boxes. Contact Information Technology Service for secure destruction of all physical electronic media. Do not dispose of in the trash, recycle, etc.
	Electronic Files (Data) Reusable Electronic Storage Devices (USB keys, disk drives)	Contact Information Technology Service for secure destruction of all physical electronic media. Do not dispose of in the trash, recycle, etc.
	All Electronic Storage Media at End of Life, including Disk Drives
	Device End of Lease or End of Life (Printers, Copiers, Multi-function office machines)	Devices such as these often contain hard drives which must be properly erased, or “wiped”, prior to leaving CCS control (returned to the vendor, sent to surplus, donated, disposed of, etc.). For information on how to properly wipe the drive, contact Information Technology Services.

Exceptions

CCS ITS is authorized to grant exceptions to the requirements set forth in this document. Any exception granted will require a thorough review of the situation and will be based on the implementation of appropriate compensating controls.