Data Classification Policy

Tags data

Purpose

The purpose of this document is to educate the YCP community about the importance of data classification and to provide guidance for protecting the confidentiality of YCP data.   All members of the YCP community, including students, guests, retirees, faculty, staff and administrators, have a responsibility to protect College data by assigning it within its proper classification level as defined by this policy.  The classification of data determines the extent to which it needs to be controlled and secured.  This policy defines the required data classification level based on its criteria and relation to confidentiality.

Scope

The Data Classification Policy applies to all faculty, staff, students, organizations, third-party vendors, individuals, systems, and networks involved with the handling of YCP data.  Data within this policy is defined by all enterprise-level administrative data as well as user-developed data stores and systems that may access College data, regardless of the environment where the data resides.  These systems include all servers, desktops, laptops, USB devices, flash drives, smartphones, and any other mobile computing device.  The policy applies to all electronic and printed media.

Policy

All data owned, used, created, or maintained by YCP must be classified into one of the following three categories: Public, Internal, and Confidential.  The data classification standard will guide the YCP community in the security protections and access mechanics appropriate for data content.  Such categorization encourages the discussion and subsequent full understanding of the nature of the data being accessed, modified, disclosed, transmitted, or destroyed.

Classification Levels

Public
Public data is designed to be used widely outside of YCP and by parties that may have an interest or intent to communicate with YCP. Data are considered to be Public when their unauthorized disclosure, modification, or destruction would cause little or no harm to the College.

Examples of public data include:

  • Information made available on YCP websites, including course catalogs

  • Marketing products (brochures, pamphlets, newsletters)

  • Directory information as defined by FERPA

  • Posts made on official YCP social media accounts

Internal
Proprietary or private information is restricted to management or specific to an individual at YCP. Unauthorized access could damage or impede operational effectiveness of YCP or adversely affect individuals at YCP.  By default, institutional data that is not explicitly determined to be Public or Confidential should be treated as Internal.  Most administrative data will fall into this category.

Examples of Internal data include:

  • Internal policies and procedures

  • Personnel files, compensation information, birth dates, and personal contact information

  • Student and employee identification numbers

  • Non-public contracts

  • Non-public donor information 

  • All other non-public information not included in the Confidential category

Internal data requires a moderate level of protection from unauthorized disclosure, alteration, or destruction.  These protections include:

  • Storing and sharing it only on cloud-based information systems that are managed or contracted by the College, such as Google Drive

  • Not disclosing it to any parties outside the College without prior authorization from the department Vice President or data owner

  • Implement security best practices for information systems and databases that contain internal data

Confidential
Confidential information is for use only by select individuals within YCP. This information is distributed only on a need-to-know basis between YCP employees and authorized third parties. Confidential information must be protected at all times from unauthorized use, modification, or disclosure.  Unauthorized disclosure of confidential information can have a serious negative impact on YCP and may have severe legal or financial impacts.

Examples of Confidential data include:

  • Financial account information

  • Login credentials

  • Credit/debit card information

  • Driver’s license numbers

  • Human Resources information

  • Passport numbers

  • Protected health information

  • Protected data related to research

  • Social Security numbers

  • Student disciplinary or judicial action information

  • Campus safety investigation and driver records

  • Student records protected under FERPA

  • Employee Relations and Title IX investigative information

Confidential data must maintain the highest level of protection when being stored or transmitted.  These protections include those for Internal data plus:

  • Never sending it via email or text message

  • Using strong passwords and multi-factor authentication to protect it whenever possible

  • Protecting it with encryption when it is transmitted over public networks or the internet

  • Storing it only on College-owned devices

  • Keeping paper copies in locked desks, filing cabinets, and/or rooms

Data Provided to External Third Parties

No Confidential or Internal information may be provided outside of the College unless such sharing is required by law, to comply with a lawfully issued subpoena, or until a signed agreement is in place with the external party that includes appropriate terms and conditions to ensure that sensitive data will be adequately protected.  Confidential and Internal information provided to outside or “cloud” service providers must be protected by the third party at least at the level that it would be protected by the College and federal regulations.  For protected health information that is governed by HIPAA, a Business Associate Agreement is required.  Where education records are to be stored or shared with a third party, the third party must have a signed agreement with the College to perform contracted services that require access to educational records in order to be considered a “school official with legitimate educational interest” under FERPA.  Also, whenever credit or debit card information will be collected by a third party on behalf of the College, the third party must comply with the Payment Card Industry Data Security Standard at all times.  The Library and Technology Services (LTS) department must review the third-party service agreement prior to the contract being signed if the service involves Confidential Information.

Information Security Incident Reporting

Unauthorized use, disclosure, loss, or theft of Confidential or Internal information must be reported immediately to the LTS Help Desk at 717-815-1559 or by email to ltshelp@ycp.edu.

Enforcement

Users who violate this policy may be denied access to College computing resources and may be subject to other penalties and disciplinary action, including possible expulsion or dismissal. Alleged violations will be handled through the College disciplinary procedures applicable to the user. The College may suspend, block, or restrict access to an account, independent of such procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of the College or other computing resources or to protect the College from liability. The College may also refer suspected violations of applicable law to appropriate law enforcement agencies.

 

Print Article