Version 2.0, Updated July 31, 2025

Purpose 

This policy establishes a framework for classifying institutional data based on its sensitivity, value, and regulatory requirements within the Middlebury environment. The purpose of this classification is to ensure that all data is handled, stored, and protected appropriately throughout its lifecycle, minimizing risks of unauthorized access, use, disclosure, alteration, or destruction. By defining clear classification levels and associated handling requirements, this policy aims to safeguard institutional assets, protect the privacy of individuals, and ensure compliance with relevant laws and regulations. 

Scope 

This policy applies to all institutional data, regardless of its format (electronic, paper, verbal) or where it is stored (on-campus systems, cloud services, personal devices). It applies to all faculty, staff, students, contractors, volunteers, and any other individuals or entities who create, collect, access, use, transmit, or store institutional data on behalf of Middlebury. 

Definitions 

  • Institutional Data: Any information created, collected, received, or maintained by or on behalf of Middlebury in the course of its operations.
  • Personally Identifiable Information (PII): Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.
  • Protected Health Information (PHI): Individually identifiable health information transmitted or maintained by a covered entity or its business associates.
  • Encryption: The process of converting information or data into an unrecognizable code to prevent unauthorized access.
  • Access Controls: Security features that control how users and systems communicate with and use resources in a protected system.
  • Data Lifecycle: The sequence of stages that data goes through, from its initial creation or capture, to its eventual archival or deletion. 

Data Classification Levels 

Data at Middlebury is classified into three primary categories based on its sensitivity and the potential impact of unauthorized disclosure, alteration, or destruction. 

Level 1: Public Data 

Definition: 

Public data is information that is intended for public consumption or is readily available to the general public. Its unauthorized disclosure would have little or no adverse impact on Middlebury, its operations, or individuals. 

Examples: 

  • Middlebury websites and public announcements
  • Course catalogs and academic calendars
  • Public directories (e.g., faculty/staff contact information, if publicly listed)
  • Marketing materials and press releases
  • Publicly available research data (after appropriate review and release)
  • Middlebury public policies and procedures, i.e., those that do not contain private or sensitive details. 

Appropriate Use and Handling: 

  • Access: No restrictions on access.
  • Storage: Can be stored on any Middlebury-approved system or publicly accessible platforms.
  • Transmission: No specific encryption or secure transmission methods are required.
  • Disposal: No specific disposal requirements beyond general good practice.
  • Sharing: Can be freely shared with internal and external parties. 

Level 2: Sensitive Data 

Definition: 

Sensitive data is information that is not intended for public release, and whose unauthorized disclosure, alteration, or destruction could have a moderate adverse impact on Middlebury, its operations, or individuals. This data typically requires protection to ensure confidentiality, integrity, and availability.  

Examples: 

  • Internal memos and operational documents
  • Non-public financial data, e.g., payroll, departmental budgets, internal financial reports.
  • Student admissions documentation, academic records, unofficial transcripts, etc., excluding data covered by FERPA and treated as Regulated Data.
  • Employee contact information marked private or internal use only
  • Proprietary research data and manuscripts, before public release.
  • Internal IT system configurations and network diagrams
  • Unpublished Middlebury policies and procedures
  • Certain personally identifiable information (PII) not explicitly covered by specific regulations, but still requiring protection (e.g., internal email lists, Middlebury ID numbers, combinations of personally identifiable information types).
  • Private Alumni and Donor information, including donation/giving history, unless specified as public.
  • Strategic Information Unique to Middlebury 

Appropriate Use and Handling: 

  • Access: Restricted to authorized individuals with a legitimate business need-to-know.
  • Storage: Must be stored on secure, Middlebury-approved systems with appropriate access controls (e.g., password protection, multi-factor authentication). Cloud storage must be approved and configured for security.
  • Transmission: Should be transmitted using secure methods (e.g., encrypted email, secure file transfer protocols).
  • Disposal: Must be disposed of securely (e.g., shredding paper documents, secure wiping/destruction of electronic media) when no longer required, in accordance with retention schedules.
  • Sharing: Sharing is restricted to authorized internal parties. External sharing requires explicit approval and appropriate data sharing agreements. 

Level 3: Regulated Data 

Definition: 

Regulated data is information subject to specific legal, regulatory, or contractual obligations, whose unauthorized disclosure, alteration, or destruction would result in adverse impact, including significant financial penalties, legal liabilities, reputational damage, and harm to individuals. This data requires the highest level of protection. The examples below represent common regulated data types, but they are not meant to be an exhaustive list. Please reach out to Middlebury Information Security with any questions related to regulated data. Any use or storage of regulated data must be documented by the data steward. The documentation must include a plan for data lifecycle and retention and must be registered with the Middlebury Information Security Team. 

Examples: 

  • Personally Identifiable Information (PII) covered by regulations:
      • FERPA (Family Educational Rights and Privacy Act): Student education records (e.g., official transcripts, disciplinary records, financial aid information).
      • Protected Health Information (PHI) related to student health services or employee health benefits.
      • State Privacy Laws: Data covered by specific state privacy laws (e.g., CCPA/CPRA).
  • Financial Data:
      • Payment card information, for example, credit card numbers, expiration dates, CVV codes.
      • Bank account numbers, routing numbers.
  • Passwords and account credentials
  • Social Security Numbers (SSN)
  • Driver’s License Numbers, State ID Numbers, and Passports
  • Biometric Data
  • Criminal Background Information
  • Export Control Information: Data subject to export control regulations.
  • Contractual Data: Data subject to strict confidentiality clauses in contracts with external entities.
  • Attorney-Client Privileged Data: Data subject to controls related to privileged attorney-client communications. 

Appropriate Use and Handling*: 

  • Access: Highly restricted to specific authorized individuals with a documented, legitimate business need-to-know, and often requires specific training. Access must be regularly reviewed.
  • Storage: Must be stored only on highly secure, Middlebury-approved systems designed for regulated data, with robust access controls, encryption at rest, and audit logging. No storage on personal devices or unapproved cloud services.
  • Transmission: Must be transmitted using strong encryption. Transmission via unencrypted email is strictly prohibited.
  • Disposal: Requires certified secure disposal methods (e.g., cryptographic erasure, physical destruction) with documentation, in accordance with legal and regulatory retention schedules.
  • Sharing: Strictly prohibited unless explicitly required by law or contract, and only with appropriate data use agreements, security safeguards, and legal counsel for review. Sharing must be auditable.
  • Data Minimization: Collect, use, and retain only the minimum amount of regulated data necessary for a specific, legitimate purpose.
  • Incident Response: Any suspected or actual breach of regulated data must be reported immediately to infosec@middlebury.edu according to Middlebury’s incident response plan. 

* NOTE: Third-party providers of data may require security controls that exceed Middlebury’s standard practices. In such cases, you must consult with Information Security to develop and document an appropriate data management plan. 

Roles and Responsibilities 

  • Data Owners: Senior Middlebury officials (e.g., Deans, Department Heads, Vice Presidents, etc.) responsible for specific datasets. Data Owners are accountable for classifying their data, ensuring compliance with this policy, and authorizing access.
  • Data Stewards: Individuals designated by Data Owners to manage and oversee specific datasets, including implementing access controls, ensuring data quality, and monitoring compliance.
  • Data Custodians: Middlebury staff, faculty, or service providers responsible for the secure storage, transmission, and processing of data, including implementing technical controls.
  • All Middlebury Community Members: Responsible for understanding and adhering to this policy, properly handling data based on its classification, and reporting any suspected data security incidents. 

Policy Review 

This policy will be reviewed at least annually, or more frequently as necessitated by changes in laws, regulations, Middlebury operations, or technological advancements. 

Enforcement 

Violations of policy may result in disciplinary action as defined in the Middlebury Handbook.

Support 

Questions about this policy and its application should be directed to the Vice President of IT and/or General Counsel. 
