Data Classification Policy

Purpose
The purpose of the data classification policy is to define different classifications of data and to describe principles for access, use, and safeguards of data, based on classification.

Scope
The following guidelines apply to data either owned by Middlebury, or to data that the institution has an interest in protecting. The scope of this policy is not limited to the Middlebury network but to all data stored and used on any Middlebury campus, or by any Middlebury affiliate or partner, regardless of format.

In an effort to prevent unauthorized disclosure of data, the classification system in this policy articulates the appropriate use, modification and disclosure of data, including thresholds for breached data based on the type of data in question. Exposure of data below these thresholds, while a security incident and a concern, would not constitute a violation of this policy. Exposure above these limits would constitute a security breach, and would be considered a violation of this policy. For reference purposes, please note that Vermont Act 162 requires notification for breaches of personally identifiable information (PII) above 1,000 records.

Policy

Access
This Policy applies to all individuals who access, use, or manage data owned by or protected by Middlebury College. This includes but is not limited to:

  • Faculty
  • Staff
  • Student Employees
  • Agents of the College
  • Parties affiliated with the College that have been granted access to College resources

All parties with access to data on the College network or other information stored by the College should be familiar with this policy. Information classified as Extremely Sensitive requires strict controls, will have limited access and disclosure, and may be subject to legal restrictions.

Responsibilities
Data Stewards are responsible for the management of data. Each Data Set will have identified Data Stewards. Data Stewards are responsible for classifying the data and assigning the correct level of access to the data. Data stewards must ensure that the policy is enforced for their data set, and that the appropriate confidentiality, integrity and availability of the data are maintained.

Individuals with access to data have been granted a level of trust by the data stewards and as such are responsible for upholding the security and integrity of the data to which they have access, and should be aware of best practices in secure data management

Data Stewardship (please reference the Privacy section of Handbook)
The primary Data Stewards are department heads, or their designates, who have planning and policy level responsibility for data within their areas, and management responsibilities for defined segments of institutional data. Currently, most data stewardship responsibilities are provided by Functional Area Leads and members of the Data Integrity Group.

It is a Data Steward’s responsibility to:

  • develop consistent data definitions
  • develop and adhere to data standards created by the institution
  • document the business rules of their area
  • monitor the quality of the data input and output from the systems they use
  • define security requirements
  • work with other data stewards on integration requirements
  • communicate critical uses of data on which other departments depend

As data are developed, Data Stewards assure that storage of, and access to, the data is appropriately managed. This includes the documentation and classification of all forms, views, reports and all other forms of access in which this data is made visible.

The data stewardship function shall have one or more Data Stewards assigned to each data set. These sets belong to major categories of institutional data, including:

  • Financial data (institutional, student)
  • Employment data (faculty, staff, student)
  • Academic data (student, prospective student, faculty)
  • Health data (student)
  • Philanthropic data (alumni, donors)


Data Classification
Data is organized into three distinct classes: Restricted Data, Internal Data, and Public Data. Each class of data has its own requirements with respect to safeguards and procedures in the event of inappropriate disclosure.

1. Restricted Data
Restricted Data is defined as data that is regulated by law or contract or, if exposed to unauthorized parties, could result in reputational loss to the College or punitive action. Regular audits of access to Restricted Data should be conducted by the data stewards to ensure appropriate access controls exist. The threshold for exposure of this category of data is set at 250 records.

Regulated Data Elements

  • Social Security Number (PII)
  • Driver's License ID Number (PII)
  • Passport ID Number (PII)
  • Tax ID Number (PII)
  • Health Information (HIPAA)
  • Class Schedules (FERPA)
  • Academic Actions (FERPA)
  • Grades and Transcripts (FERPA)
  • Payment Card Data (PCI)

Other data elements that can be associated with an individual (PII), particularly when used in various combinations with regulated data elements, may be treated as Restricted Data, depending on the usage. When assessing data, each data set must be analyzed to determine if any given combination poses a risk.

Examples of Associated (PII) Data Elements

  • Name
  • Date of Birth
  • Home Address
  • Email Address
  • Telephone Number
  • Mother’s Maiden Name
  • Employment History

Safeguards for Restricted Data should include an approved enterprise storage location and regular monitoring and auditing of access to Restricted Data. Additionally, access should be limited to only those who have a legitimate need to use Restricted Data. Transmission of Restricted Data outside of a Middlebury-approved enterprise storage location requires both encryption and verification of the identities of the recipient. Any Restricted Data transmitted from the enterprise storage location should be done in such a way that it cannot be modified. Restricted Data should not be stored unencrypted in cloud solutions, particularly those not contracted by the institution. Restricted Data should have a retention timeline and should be destroyed when no longer in use and when legally permissible. Data Stewards will work with ITS to ensure that appropriate technologies are available to provide adequate safeguards for Restricted Data while ensuring the availability for appropriate use.

2. Internal Data
Internal Data is data that, while not protected by state or federal law or regulatory standards, might impact Middlebury’s reputation or result in a civil action against the institution, should it be breached. Access to Internal Data should be limited to Data Stewards and only those members of the institution to whom Data Stewards have granted access. Regular audits of Internal Data should be conducted by the Data Stewards to ensure appropriate access. The exposure threshold for this classification of data is set at 750 records.

Examples of Internal Data include:

  • Account Credentials
  • Budget Information
  • Research and Manuscripts
  • Payroll and Employment Documentation
  • Donation/Giving History
  • Systems & Network Diagrams
  • Strategic Information Unique to Middlebury


Access to Internal Data should be needs based, with the needs assessed by the Data Stewards.

3. Public Data
Public Data is considered to be any data that does not fall into the Extremely Sensitive Data or Internal Data classes. The disclosure of Public Data does not pose a risk to the institution. Public Data may be publicly accessible but does not require public access. There are no restrictions on the storage or distribution of Public Data.

Examples of Public Data include:

  • Public Web Sites
  • Marketing Materials
  • Business Addresses


Auditing

In order to protect sensitive data, designated ITS staff may use auditing technologies to scan institutional technology systems. These technologies may include  programs and utilities that allow for programmatic inspection of data and access permissions. The results of these scans may be centrally correlated for analysis in a secure environment. These technologies are not to be used to read the full context of the data, but rather to match established patterns, such as SSNs, Payment Card Data, etc.. Confidentiality of all information gathered as a result of auditing will be maintained at all times. Access to information obtained through auditing will be limited to designated staff.