Data Classifications and Protection Requirements

Data Classifications

College Data is information generated by or for, owned by, or otherwise in the possession of CCS that is related to the College’s activities. College Data may exist in any format (i.e. electronic, paper) and includes, but is not limited to, all academic, administrative, and research data, as well as the computing infrastructure and program code that supports the business of CCS.

In order to effectively secure College Data, we must have a vocabulary that we can use to describe the data and quantify the amount of protection required. This policy defines four categories into which all College Data can be divided:

Public

Public data is information that may be disclosed to any person regardless of their affiliation with the College. The Public classification is not limited to data that is of public interest or intended to be distributed to the public; the classification applies to data that do not require any level of protection from disclosure. While it may be necessary to protect original (source) documents from unauthorized modification, Public data may be shared with a broad audience both within and outside the College community and no steps need be taken to prevent its distribution.

Examples of Public Data

  • Press releases
  • Directory information (not subject to a Family Educational Rights and Privacy Act (FERPA) block)
  • Course catalogs
  • Information a department would choose to post on its website is a good example of Public data
  • Other general information that is openly shared

Internal

Internal data is information that is potentially sensitive and is not intended to be shared with the public. Internal data generally should not be disclosed outside of the College without the permission of the person or group that created the data. It is the responsibility of the data owner to designate information as Internal where appropriate. If you have questions about whether information is internal or how to treat internal data, you should talk to your supervisor.

Examples of Internal Data

  • Some memos, correspondence, and meeting minutes
  • Contact lists that contain information that is not publicly available
  • Procedural documentation that should remain private

Confidential

Confidential data is information that, if made available to unauthorized parties, may adversely affect individuals or the business of CCS. This classification also includes data that the College is required to keep confidential, either by law (e.g., FERPA, GLBA, GDPR) or under a confidentiality agreement with a third party, such as a vendor. This information should be protected against unauthorized disclosure or modification.

Confidential data should be used only when necessary for business purposes and should be protected both when it is in use and when it is being stored or transported.

Any unauthorized disclosure or loss of confidential data must be immediately reported to the ITS Helpdesk (https://helpdesk.collegeforcreativestudies.edu, 313-664-7818) as well as the immediate supervisor or another available person in the chain of authority.

Examples of Confidential Data

  • Information covered by the Family Educational Rights and Privacy Act (FERPA), which requires protection of records for current and former students. This includes pictures of students kept for official purposes.
  • Personally identifiable information entrusted to our care that is not otherwise categorized as Restricted Use data, such as information regarding applicants, alumni, donors, potential donors, or parents of current or former students, and information covered by the European Union’s General Data Protection Regulation (GDPR).
  • The CCS ID Number, when stored with other identifiable information such as name or e-mail address.
  • Information covered by the Gramm-Leach-Bliley Act (GLBA), which requires protection of certain financial records.
  • Individual employment information, including salary, benefits and performance appraisals for current, former, and prospective employees.
  • Legally privileged information.
  • Information that is the subject of a confidentiality agreement.

Restricted

Restricted Use data includes any information that CCS has a contractual, legal, or regulatory obligation to safeguard in the most stringent manner. In some cases, unauthorized disclosure or loss of this data would require the College to notify the affected individual and state or federal authorities.

The College’s obligations will depend on the particular data and the relevant contract or laws. The End User Device Minimum Security Standards sets a baseline for all Restricted Use data.

Any unauthorized disclosure or loss of confidential data must be immediately reported to the ITS Helpdesk (https://helpdesk.collegeforcreativestudies.edu, 313-664-7818) as well as the immediate supervisor or another available person in the chain of authority.

Examples of Restricted Data

  • Personally identifiable health information that is not subject to HIPAA but used in research, such as Human Subjects Data.
  • Personally Identifiable Information (PII), including an individual’s name plus the individual’s Social Security Number, driver’s license number, or a financial account number.
  • Unencrypted data used to authenticate or authorize individuals to use electronic resources, such as passwords, keys, and other electronic tokens.
  • “Criminal Background Data” that might be collected as part of an application form or a background check.

More stringent requirements exist for some types of Restricted Use data. Individuals working with the following types of data must follow the College policies governing those types of data and consult with the Director of Information Technology Services to ensure they meet all of the requirements of their data type:

Resolving Conflicts between this Guideline and Other Regulations

Some data may be subject to specific protection requirements under a contract or grant, or according to any law or regulation not described here. In those circumstances, the most restrictive protection requirements should apply. If you have questions, please contact a member of the Committee.

Data Protection Requirements

This Guideline provides the requirements for handling and protecting information at each stage of its lifecycle from creation to destruction and the minimum-security standards required for any electronic device that may be used to access or store sensitive information owned or used by CCS. The data handling protections outlined here apply to all sensitive information, both physical and electronic, throughout all of CCS.

Sensitive information is College data that is classified as Internal, Confidential, or Restricted Use. See the Data Classifications section for definitions and examples of each of these classifications.

Public (non-sensitive) information does not require any level of protection from disclosure but appropriate precautions should be taken to protect original (source) documents from unauthorized modification.

Information Lifecycle

The information lifecycle is the progression of stages or states in which a piece of information may exist between its original creation and final destruction. These phases are: Collecting, Accessing, Sharing, Sending, Storing, Auditing, Incident Reporting and Destroying.

It is important to understand that Storing refers to a broad spectrum of activities including putting a file in a filing cabinet or on to a file server or entering information into a database or spreadsheet. The requirements for Storing information apply equally to the source and to any copies made. For example, when a file is downloaded or copied from a file server to a laptop computer for use offline, it is stored in that new location and all of the storing requirements must be followed.

Requirements for Protection

Each classification of data has different requirements for protection throughout the lifecycle of use. The requirements for each Internal Data, Confidential Data, & Restricted Use Data are detailed below.

Internal Data

CollectingNo restrictions.
AccessingAccess should be provided as required for business devices used to access sensitive (non-Public) information. Such access must meet End User Device Minimum Standards.
SharingShare with employees as needed. Share with vendors/third-parties as approved by department head.
SendingPaperSend in a manner that protects the information from incidental or casual reading.
ElectronicUse a method that requires recipient to authenticate prior to receipt, such as email, a web site that requires Web Login, or a file server that requires a password. Use secure email service for more private data.
StoringPaperKeep in non-public areas when not in use.
ElectronicDevices used to store sensitive (non-Public) information must meet End User Device Minimum Standards.
Electronic Media (CD, DVD, USB, etc.)Store media in a non-public location when not in use.
AuditingALLConduct a periodic review of where this data is located, who has access to it, the access control mechanisms, encryption protocols, and data destruction protocols.
Incident ReportingALLReport the loss of any Internal Data to your supervisor who will determine the requirements, if any, for further reporting.
DestroyingALLReview Record Retention Policy before disposing of records.
Paper & Disposable Electronic Media (CDs, DVDs)For Internal documents with sensitive content, shred materials before disposing of them.
Electronic Files (Data) Reusable Electronic Storage Devices (USB keys, disk drives)Use standard operating system utilities to delete files.
All Electronic Storage Media at End of Life, including Disk DrivesContact Information Technology Service for secure destruction of all physical electronic media. Do not dispose of in the trash, recycle, etc.

Confidential Data

CollectingReduce or eliminate collection where not required for business function. Collection of some types of Confidential data about individuals may require the approval of the appropriate Data Owner(s).
AccessingAccess to some Confidential data requires approval of a Data Owner on a per-individual basis. See the list of the Data Owners above. Devices used to access sensitive (non-Public) information must meet End User Device Minimum Standards. Ensure protocols are in place to immediately remove access upon change in employment status of any individual with access.
SharingIf you are uncertain if a piece of Confidential information should be shared, escalate the request to an appropriate supervisor or Data Owner. For types of data that are governed by a Data Owner, this information may be shared only for business purposes and only as approved by the appropriate Data Owner except where the information is being given to approved custodians of that type of data. Information concerning a small number of individuals may be shared internally without Owner review if the recipient of the data has a need-to-know and is entrusted with the same type of information for their job function. Note: Non-disclosure language or a confidentiality agreement may be appropriate. For example:
* Grades need to be communicated to the Registrar’s office
* Faculty may consult with other faculty about a student’s performance, as appropriate.
* Sharing information with vendors and third-parties requires Data Owner approval
For types of data that are not governed by a Data Owner, the information may be shared internally on a need-to-know basis
Information may be shared with the subject of the record or with another party with the subject’s approval, as appropriate.
Printing, Copying, & ScanningPrinters often store the printed document on a local hard drive, potentially allowing unauthorized access to the information. Avoid printing Confidential data unnecessarily.
SendingPaperAddress to the specific intended party and send in sealed security envelopes. Mark with “For intended recipient only”. Outside the College, paper should be sent via certified mail or with an authorized courier.
ElectronicParticularly sensitive data or large volumes of confidential data should be encrypted during transmission. Don not email confidential data – provide a secure link instead. If confidential information is to be stored on removable media (CD/DVD/USB/External HD) or in the cloud, see the section below regarding the proper storage.
FaxFax machines often store the faxed messages in memory, potentially allowing unauthorized access. Consider alternatives to faxing Confidential data where possible. If a fax must be used, consider taking reasonable steps to protect the data, including the use of a cover sheet stating that the fax is Confidential and to be read only by the named recipient. Also consider coordinating with the intended recipient so he or she is on hand to directly receive the fax before you begin to send.
Smart Phones and tablet devices (such as iPads)The use of smart phones to access Confidential data, such as through email, puts that data at higher risk of unintended disclosure Individuals accessing Confidential Data via such a device must comply with the standards set forth in End User Device Minimum Standards
StoringPaperShould be stored in physically secure areas that are accessible only by authorized individuals. The number of copies should be kept to a minimum.
ElectronicParticularly sensitive data or large volumes of confidential data should be encrypted during transmission. Don not email confidential data – provide a secure link instead. If confidential information is to be stored on removable media (CD/DVD/USB/External HD) or in the cloud, see the section below regarding the proper storage.
Electronic Media (CD, DVD, USB, etc.)Encryption of stored data is recommended. Store media in a secure location when not in use. Media should be erased or destroyed as soon as it is no longer needed.
AuditingALLEach unit or department should conduct periodic reviews of where Confidential data is located, who has access to it, the access control mechanisms, encryption protocols, and data destruction protocols. Verify that procedures for removing access are documented and accurate.
Incident ReportingALLAny unauthorized disclosure or loss of Confidential data must be immediately reported to the ITS Helpdesk (https://helpdesk.collegeforcreativestudies.edu, 313-664-7818) as well as the immediate supervisor or other available person in chain of authority.
DestroyingALLReview Record Retention Policy and the information in this destruction section before disposing of records. Do not destroy records that are the subject of a litigation hold or that must be retained pursuant to the College record retention policy.
Paper & Disposable Electronic Media (CDs, DVDs)Dispose of paper media via College approved shred boxes. Contact Information Technology Service for secure destruction of all physical electronic media. Do not dispose of in the trash, recycle, etc.
Electronic Files (Data) Reusable Electronic Storage Devices (USB keys, disk drives)Contact Information Technology Service for secure destruction of all physical electronic media. Do not dispose of in the trash, recycle, etc.
All Electronic Storage Media at End of Life, including Disk Drives
Device End of Lease or End of Life (Printers, Copiers, Multi-function office machines)Devices such as these often contain hard drives which must be properly erased, or “wiped”, prior to leaving CCS control (returned to the vendor, sent to surplus, donated, disposed of, etc.). For information on how to properly wipe the drive, contact Information Technology Services.

Restricted Use Data

CollectingEliminate collection whenever possible. Collection of Restricted Use data about individuals must be approved by and provided to the appropriate Data Owner. See the list of the Data Owners above.
AccessingAccess to Restricted Use data requires approval of a Data Owner. Avoid accessing or using Restricted Use data whenever possible, and do so from as few different devices as possible. Devices used to access Restricted Use information must meet end user device minimum standards for Restricted Use information. The custodian of the system or information must immediately remove access from any person that no longer requires that access as part of their job function.
SharingIf you are uncertain if a piece of Restricted Use information should be shared, escalate the request to an appropriate supervisor or Data Owner. This information may be shared only for need-to-know business purposes and only as approved by the appropriate Data Owner, except where the information is being given to approved custodians of that type of data. Information concerning a small number of individuals may be shared internally without Owner review if the recipient of the data has a need-to-know and is entrusted with the same type of information for their job function. Note: Non-disclosure and other types of agreements (business associate agreements) may be necessary. Such agreements or agreement forms must be approved by the Vice President for Administration and Finance or the Vice President for Enrollment and Student Services. Sharing information with vendors and third-parties requires approval by the Vice President for Administration and Finance or the Vice President for Enrollment and Student Services and/or the Director of Information Technology Services.
Information may be shared with the subject of the record or with another party with the subject’s approval, as appropriate.
Printing, Copying, & ScanningPrinters often store the printed document on a local hard drive, potentially allowing unauthorized access to the information. Avoid printing Restricted Use data unnecessarily.
SendingPaperAddress to the specific intended party and send in sealed security envelopes. Mark with “For intended recipient only”. Outside the College, paper must be sent via certified mail or with an authorized courier.
ElectronicData is required to be encrypted during transmission. If Restricted Use data must be placed on removable media (CD/DVD/USB/External HD) or in the cloud, it must be properly protected. See the section below regarding proper storage. If Restricted Use data must not be sent via email – use a secure link instead. Compensating controls must be formally documented and an exception approved by Information Security where this is not technically possible.
FaxFax machines often store the faxed messages in memory, potentially allowing unauthorized access. Avoid faxing Restricted Use data where possible. If a fax must be used, include a cover sheet stating that the fax is Restricted Use and to be read only by the named recipient. Also, coordinate with the intended recipient so he or she is on hand to directly receive the fax before you begin to send.
Smart Phones and tablet devices (such as iPads)The use of smart phones to access Restricted Use data is strongly discouraged. For example, do not check your secure email from your smart phone. Individuals that must use such a device to access Restricted Use data must comply with the standards set forth in End User Device Minimum Standards.
StoringPaperKeep in locked filing cabinets in physically secure areas that are accessible only by authorized individuals. Keep the number of copies of the data to a minimum.
ElectronicEncryption of stored data is required. Devices used to store sensitive (non-Public) information must meet End User Device Minimum Standards. Cloud services may not be used to process or store Restricted Use data unless they have been approved for such use by Director of Information Technology Services and the appropriate Data Owner.
Electronic Media (CD, DVD, USB, etc.)Encryption of stored data is required. Store media in a secure location when not in use. Media should be inventoried upon creation and destroyed as soon as it is no longer needed.
AuditingALLEach unit or department must conduct periodic reviews of where Restricted Use data is located, who has access to it, the access control mechanisms, encryption protocols, and data destruction protocols. Verify that procedures for removing access are documented and accurate.
Incident ReportingALLAny unauthorized disclosure or loss of Restricted data must be immediately reported to the ITS Helpdesk (https://helpdesk.collegeforcreativestudies.edu, 313-664-7818) as well as the immediate supervisor or other available person in chain of authority.
DestroyingALLReview Record Retention Policy and the information in this destruction section before disposing of records. Do not destroy records that are the subject of a litigation hold or that must be retained pursuant to the College Record Retention Policy.
Paper & Disposable Electronic Media (CDs, DVDs)Dispose of paper media via College approved shred boxes. Contact Information Technology Service for secure destruction of all physical electronic media. Do not dispose of in the trash, recycle, etc.
Electronic Files (Data) Reusable Electronic Storage Devices (USB keys, disk drives)Contact Information Technology Service for secure destruction of all physical electronic media. Do not dispose of in the trash, recycle, etc.
All Electronic Storage Media at End of Life, including Disk Drives
Device End of Lease or End of Life (Printers, Copiers, Multi-function office machines)Devices such as these often contain hard drives which must be properly erased, or “wiped”, prior to leaving CCS control (returned to the vendor, sent to surplus, donated, disposed of, etc.). For information on how to properly wipe the drive, contact Information Technology Services.

Exceptions

CCS ITS is authorized to grant exceptions to the requirements set forth in this document. Any exception granted will require a thorough review of the situation and will be based on the implementation of appropriate compensating controls.

EFFECTIVE DATE
June 22, 2019

LAST UPDATED DATE
September 21, 2020

APPROVING OFFICE
Administration and Finance