Introduction
Indiana University of Pennsylvania produces, collects, and uses many different types of electronic and paper data records to fulfill its mission. Federal, state, and local law as well as various university policies mandate privacy and protection, as well as openness, of certain records.
Purpose
The purpose of data classification is to establish a framework for classifying university data records based on sensitivity, value, and criticality. Classifying university records is the initial step in determining security controls for the protection of data.
University data is defined as all data owned, collected, licensed, or otherwise in possession of IUP.
Scope
This policy applies to all individuals with access or authorization to produce, collect, or use IUP data. The data subjects are university records and not records created for personal use. Specifically, the guideline applies to those who are responsible for classifying and approving the use of IUP data.
Data Classification
Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the university should that data be disclosed, altered, or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of the three classifications level listed below:
Public Data
- Is data that is intended for public disclosure and controlled by the university.
- The loss of confidentiality, integrity, or availability of the data has no adverse impact on the university.
- Requires authentication to publish and modify.
- Examples: News releases, university catalog, university policies, event schedules, legally mandated disclosures, university directory information.
Private Data
- Is data not generally available to the public and limited to individuals with an IUP computing account.
- The loss of confidentiality, integrity, or availability of the data could have a mildly adverse impact on the university.
- Tightly controlled user and network access based on job responsibilities.
- Stored and transferred using encryption where feasible.
- Likely subject to Pennsylvania’s Right-To-Know Law with review for potential disclosure.
- Examples: Personnel records, Student records (non-FERPA), tactical plans, non-public reports,budget information, deliberations about business processes, non-public course data stored in Learning Management System, IT documentation, Email communications, ID numbers.
Restricted Data
- Restricted Data includes confidential or sensitive information.
- Is data required by law/regulation to be protected.
- The loss of the confidentiality, integrity, or availability of the data could have a significant adverse impact on the university.
- Highest level of controlled user and network security.
- Requires approval by leadership based on review of job responsibilities along with data use and requirements.
- Stored and transmitted using encryption.
- Not stored on shared or general-purpose storage including email.
- Not subject to Pennsylvania’s Right-to-Know Law pursuant to specific exemptions in the Law.
- Examples: Family Educational Rights and Privacy Act (FERPA) protected student records, Gramm-Leach Bliley Act (GLBA) protecting financial records, and medical records (HIPPA), SSN, payment card data, banking account numbers, passwords.
Guidelines
IUP employees will be informed of these data classifications in addition to FERPA and other related policies. The university will inventory and manage data use within the Restricted and Confidential or Sensitive data elements.
Lead data stewards or domain experts are leaders who oversee the lifecycle of university data and who will determine the data classifications for their respective department, area, or function. These selected and privileged individuals may also serve as “security officers” to grant access to Restricted Data. At the current juncture, the University Reporting Team and Banner Security Officers will serve as the data stewards until a formal structure is implemented.
Institutional Research is the lead in managing data classification in relation to IUP requirements locally and within the Pennsylvania State System of Higher Education.
Classification should be revisited on a periodic basis or when new technologies or systems are implemented. This activity again should be led by Institutional Research and data stewards or domain experts.
Definitions and Supporting Documentation
- Confidential or Sensitive Data is typically classified as Restricted data based on the classification policy.
- Data Steward is a senior-level employee of the university who oversees the lifecycle of one or more sets of institutional data.
- Institutional/University Data is defined as all data owned, collected, licensed, or otherwise in possession of IUP.
- Non-Public Information is defined as any information classified as Private or Restricted data based on the classification policy.
Resources
Computer Account Retention Policy
FAQ
What is PII?
Personal Identifiable Information (PII) is information that, when used alone or with other relevant data, can identify an individual.
What is a Data Breach?
A data breach is an unauthorized access and retrieval of sensitive information by an individual, group, or software system. A data breach is any instance when unauthorized access is gained to private or restricted information. The data ends up being used without the knowledge of the user or owner for the intended purpose.
What is the Breach of Personal Information Act?
For meeting security breach notification requirements, as defined by the Commonwealth of Pennsylvania is a person’s first name or first initial and last name in combination with one or more following data elements:
- Social security number
- State-issued driver’s license number
- State-issued identification card number
- Financial account number in combination with security with a security code, access code, or password
- Medical and/or health insurance information
- Username or email address in combination with password or security question
If my personal information is breached, will I be notified?
The Commonwealth’s breach notification law currently permits email notice if a prior business relationship exists and a valid email address for the individual requiring notification is available, electronic notice will also be allowed if the notice directs the person whose personal information has been materially compromised by a breach of the security of the system to promptly change the person’s password and security question or answer, as applicable, or to take other steps appropriate to protect the person’s online account to the extent the entity has sufficient contact information for the person.
How soon after a breach will an individual be notified?
The Breach Personal Information Act requires state agencies such as IUP to notify the individual(s) and the Pennsylvania Office of the Attorney General within seven business days following the discovery of the breach.
Where can I review the Breach of Personal Information Notification Act?
Follow this link to review the Breach of Personal Information Notification Act.
Am I permitted to store private or restricted university data using Apple iCloud, Google Cloud or another provider?
IUP's prescribed cloud storage vendor is Microsoft, which has a contract with IUP/PASSHE. Tools such as Teams, OneDrive, and Sharepoint are examples. Users must assume IUP does not have a contract for other cloud storage products such as Apple iCloud or Google Cloud. Users can submit an ihelp ticket if they are uncertain of cloud storage product use.