Any person who uses, stores or accesses data contained in the University’s technology systems has the responsibility to safeguard that data. Data classification is one method of determining the safeguard required for certain data and the appropriate University response to the unauthorized release of that data. Such safeguards and response plans are not only good stewardship for University data but are required by certain state and federal law and regulations.
This policy governs the privacy, security and integrity of University data stored on University IT systems and outlines the responsibilities of the individuals and organizational units that manage, use, access, store or transmit that data. This policy supplements but does not supersede the University’s Confidentiality Agreement (see, e.g., www.shu.edu/offices/policies-procedures/confidentiality-agreement.cfm)
Seton Hall University (SHU) IT Services maintains systems that store data essential to the performance of University business. All members of the community have a responsibility to protect University data from unauthorized access, use, storage, transmission, disclosure or destruction.
All University data is classified into four levels of security classification: Protected Data, Sensitive Data, Directory Data, and Public Data. For the purposes of this policy, and data not formally classified (Unclassified Data) will be considered Sensitive Data. For the purposes of the University’s Confidentiality Agreement, all data except Public Data is to be considered confidential.
Protected Data is data that (a) if compromised would expose members of the University and its community to a high risk of identity theft or financial fraud and (b) is protected by Federal or state law or regulations. Applicable law and regulatory requirements include (but are not limited to) the Family Educational Rights and Privacy Act (FERPA), the Fair and Accurate Credit Transactions Act (FACTA), the Health Insurance Portability and Accountability Act (HIPAA), and other applicable Federal and NJ State laws. Examples of Protected Data include:
- Social Security Number
- Driver’s License Number, Passport Number, or any State ID Number
- Credit Card Information (Number, expiration date, security code)
- Date of Birth
- Users’ Systems Passwords (Active Directory, Banner, Oracle, Cognos, Raiser Edge, etc.)
- Medical history
- Student and family financial history
- Student account balances
- Donor financial history
- Student Financial Aid history
- Student academic history, including student grades
Sensitive Data is data that, while not explicitly protected by federal or state law, is proprietary to the University and would, if released, expose the University and members of the community to a heightened risk of identity theft or financial fraud. Examples of Sensitive Data include:
- Employee salary or employment history
- Permanent or Local Address
- Department budgets
- Student registration Personal Identification Numbers
- Internal operating procedures and operational manuals
- Internal memoranda, emails, reports and other documents
- Technical documents such as system configurations and floor plans
Directory Data is data that is used for University communication or to link records between University systems or reports. Such director information is widely available to members of the University community, but nevertheless should be handled with care, since exposure could result in an increased risk of financial fraud or identity theft for the University and members of the community. Examples of Directory Data include:
- Users’ short names
- Campus wide IDs
- ID photos
- Class Rosters/Advisor Rosters
Public Data is data that the University may or must make available to the public with no legal or other restrictions, via its Web site or various reports, press releases, reports and the like. Examples of Public Data include:
- Information posted on the University’s Web site (www.shu.edu)
- The University phone directory
- The University’s annual financial
- The University Fact Book
- Data published in the Integrated Postsecondary Education Data System documents
- Copyrighted materials that are publicly available
The loss, unauthorized access to or disclosure of Protected Data must be reported to the appropriate University officials, including the management of the organizational unit in which the data breach was discovered, the University’s Chief Information Officer (CIO), the IT Security Analysts, and the Technology Service Desk, so that the appropriate response to the incident, including required notification of appropriate federal and state agencies, can be initiated.
The loss, unauthorized access to or disclosure of Sensitive Data should be reported to the management of the organizational unit in which the data breach was discovered for their appropriate response.
For the purposes of the University’s Confidentiality Agreement, all data except Public Data are considered confidential. The unauthorized access, disclosure or transmission of confidential information may result in disciplinary action by the University, including termination or expulsion, as outlined in the University’s Confidentiality Agreement and other relevant University policies.
University data are assets belonging to the University. Departments which collect, use, store and transmit University data should classify their data according to the level of risk associated with handling that data and implement appropriate safeguards to that data based on that risk. Data are generally stored in sets. The classification of a data set should be to the highest level of any data element in that set; for example, a report containing a combination of protected, sensitive directory and public data should be considered protected and provided with the safeguards appropriate for protected data. Individuals and departments must implement appropriate safeguards for accessing, transmitting and storing University data. Examples of appropriate safeguards for Protected and Sensitive Data include:
- The data must be protected to prevent loss, theft, and/or unauthorized access, disclosure, modification, and/or destruction.
- The data may only be accessed or disclosed if necessary for University business purposes and consistent with applicable University policies.
- The data must not be downloaded, stored or transmitted unless appropriately secured and/or encrypted.
- The data must not be posted on any website or shared file storage space unless University standard authentication methods are used.
- The data must be destroyed when no longer needed and in accordance with University policies.
Please consult with the University IT Services Client Solutions Group if you have any questions about the appropriate safeguards for University data; a consultation can be requested by calling the Technology Service Desk at 973-275-2222 or via email at firstname.lastname@example.org.
The Data Classification Policy was approved by the Banner and Administrative Computing Steering Committee on December 16, 2013.