Data Classification Policy
The purpose of the data classification policy is to define different classifications of data and to describe principles for access, use, and safeguards of data, based on classification.
The following guidelines apply to data either owned by Middlebury, or to data that the institution has an interest in protecting. The scope of this policy is not limited to the Middlebury network but to all data stored and used on any Middlebury campus, or by any Middlebury affiliate or partner, regardless of format.
In an effort to prevent unauthorized disclosure of data, the classification system in this policy articulates the appropriate use, modification and disclosure of data, including thresholds for breached data based on the type of data in question. Exposure of data below these thresholds, while a security incident and a concern, would not constitute a violation of this policy. Exposure above these limits would constitute a security breach, and would be considered a violation of this policy. For reference purposes, please note that Vermont Act 162 requires notification for breaches of personally identifiable information above 1,000 records.
This Policy applies to all individuals who access, use, or manage data owned by or protected by Middlebury College. This includes but is not limited to:
- Student Employees
- Agents of the College
- Parties affiliated with the College that have been granted access to College resources
All parties with access to data on the College network or other information stored by the College should be familiar with this policy. Information classified as Extremely Sensitive requires strict controls, will have limited access and disclosure, and may be subject to legal restrictions.
Data Stewards are responsible for the management of data. Each Data Set will have identified Data Stewards. Data Stewards are responsible for classifying the data and assigning the correct level of access to the data. Data stewards must ensure that the policy is enforced for their data set, and that the appropriate confidentiality, integrity and availability of the data are maintained.
Individuals with access to data have been granted a level of trust by the data stewards and as such are responsible for upholding the security and integrity of the data to which they have access, and should be aware of best practices in secure data management
Data Stewardship (please reference the Privacy section of Handbook)
The primary Data Stewards are department heads, or their designates, who have planning and policy level responsibility for data within their areas, and management responsibilities for defined segments of institutional data. Currently, most data stewardship responsibilities are provided by Functional Area Leads and members of the Data Integrity Group.
It is a Data Steward’s responsibility to:
- develop consistent data definitions
- develop and adhere to data standards created by the institution
- document the business rules of their area
- monitor the quality of the data input and output from the systems they use
- define security requirements
- work with other data stewards on integration requirements
- communicate critical uses of data on which other departments depend
As data are developed, Data Stewards assure that storage of, and access to, the data is appropriately managed. This includes the documentation and classification of all forms, views, reports and all other forms of access in which this data is made visible.
The data stewardship function shall have one or more Data Stewards assigned to each data set. These sets belong to major categories of institutional data, including:
- Financial data (institutional, student)
- Employment data (faculty, staff, student)
- Academic data (student, prospective student, faculty)
- Health data (student)
- Philanthropic data (alumni, donors)
Data is organized into three distinct classes: Extremely Sensitive, Internal, and Public, Each class of data has its own requirements with respect to safeguards and procedures in the event of inappropriate disclosure.
Extremely Sensitive Data
Extremely Sensitive Data is defined as all data that is regulated by law or, if disclosed in a breach, may result in reputational loss to the College or punitive action. Regular audits of access to extremely sensitive data should be conducted by the data stewards to ensure appropriate access. The threshold for exposure of this category of data is set at 250 records. This data classification includes Social Security numbers, financial account numbers, account and ID numbers (driver’s license numbers, personal ID numbers). In addition, Extremely Sensitive Data may include information which, when used in various combinations, can be associated with an individual:
- Date of Birth
- Home address
- Email or phone number
- Mother’s maiden name
- Vehicle license number
- Health information
- Employment history
- Class Schedules
- Academic Actions
- Grade Point Averages and Transcripts
- Passport Numbers
- Payment Card Data
When assessing data use, each data set will need to be analyzed to see if any given combination poses a risk.
Under regulatory standards, certain combinations of this information can constitute personal identifiable information, (PII). PII that is available to the public or that resides on test and development systems is still considered sensitive data in certain circumstances and should be treated as Extremely Sensitive Data.
Safeguards for Extremely Sensitive Data should include an approved enterprise storage location and regular monitoring and auditing of access to Extremely Sensitive Data. Additionally, access should be limited to only those who have a legitimate need to use Extremely Sensitive Data. Transmission of Extremely Sensitive Data outside of a Middlebury-approved enterprise storage location requires both encryption and verification of the identities of the recipient. Any Extremely Sensitive Data transmitted from the enterprise storage location should be done in such a way that it cannot be modified. Extremely Sensitive Data should not be stored unencrypted in cloud solutions, particularly those not contracted by the institution. Extremely Sensitive Data should have a retention timeline and should be destroyed when no longer in use and when legally permissible. Data Stewards will work with ITS to ensure that appropriate technologies are available to provide adequate safeguards for Extremely Sensitive Data while ensuring the availability for appropriate use.
Internal Data is data that, while not protected by state or federal law or regulatory standards, might impact Middlebury’s reputation or result in a civil action against the institution, should it be breached. Access to Internal Data should be limited to Data Stewards and only those members of the institution to whom Data Stewards have granted access. Regular audits of Internal Data should be conducted by the Data Stewards to ensure appropriate access. The exposure threshold for this classification of data is set at 750 records.
Examples of Internal Data include:
- Budget information
- Research and manuscripts
- Payroll and employment documentation
- Giving history
- Network Diagrams
- Strategic or differentiating documentation unique to Middlebury
Access to Internal Data should be needs based, with the needs assessed by the Data Stewards.
Public Data is considered to be any data that does not fall into the Extremely Sensitive Data or Internal Data classes. The disclosure of Public Data does not pose a risk to the institution. Public Data may be publicly accessible but does not require public access. There are no restrictions on the storage or distribution of Public Data.
Examples of Public Data include:
- Wiki pages
- Public web sites
- Marketing material
In order to protect sensitive data, designated ITS staff may use auditing technologies to scan institutional technology systems. These technologies may include automated programs and utilities that allow for programmatic inspection of data and access permissions. The results of these scans may be centrally correlated for analysis in a secure environment. These technologies are not to be used to read the full context of the data, but rather to match established patterns, such as SSNs, Payment Card data, etc.. Confidentiality of all information gathered as a result of auditing will be maintained at all times. Access to information obtained through auditing will be limited to designated staff.