Data Classification
Last Revised: April 15, 2021
Approved by: Cabinet
Responsible Office: Library, Information and Technology Services
Responsible Senior Staff Member: Chief Information Officer
Drafted by:
Statement
The purpose of this policy is to define the classification requirements for all information assets and to ensure that data and other information assets are secured and handled according to its sensitivity and the impact that theft, corruption, loss or exposure would have on the College. This policy has been developed to assist Mount Holyoke College and provide direction to the College regarding identification, classification and handling of information assets.
Scope / Responsibilities
The scope of this policy includes all information assets governed by Mount Holyoke College and its affiliates. All personnel, volunteers, and third parties who have access to or utilize the College’s information assets, including data at rest (including printed form), in transit or in process shall be subject to these requirements.
Responsibilities:
- For enforcement of data classification: Reporting authority for Data Stewards
- For enforcement of data handling: Reporting authority for the Data Handler
- For oversight of policy: Chief Information Officer
- For procedures implementing this policy: Application and Data Standards Working Group
Policy
Mount Holyoke College has established the requirements enumerated below regarding the classification of data and information assets to protect the College’s information.
3.1 Data Stewardship
While the College owns the data and information assets, Data Stewards are identified as the individuals, roles, or committees primarily responsible for specific information assets. These entities are responsible for identifying the College’s information assets under their areas of supervision and for maintaining an accurate and complete inventory for data classification and handling purposes.
Data Stewards are accountable for ensuring that information assets receive an initial classification upon creation and a reclassification whenever reasonable. Reclassification of an information asset should be performed by the steward whenever the asset or its regulatory context is significantly modified.
3.2 Data Classification
The Data Stewards will classify information assets of the College into one of the following data classifications based on the sensitivity of the data, the degree to which it should be shared, and the impact that any loss, corruption, destruction or unauthorized disclosure might have for the College and its community members.
Mount Holyoke’s data classifications are as follows:
-
RESTRICTED - Information assets protected by state or federal law, contractual agreements and proprietary information whose loss, corruption or unauthorized disclosure can cause severe personal, financial or reputational harm to the College, College employees or the people we serve.
Examples include but are not limited to:
- personally identifiable information (PII) protected by Massachusetts 201 CMR 17 which defines personal information as first name (or first initial) and last name in combination with any one or more of the following:
- social security number
- banking information such as financial account number (bank, investment, 403B)
- payment card information, credit or debit card number
- identification documentation such as passport numbers, driver's license numbers or state-issued identification card numbers
- health information protected under HIPAA
- accessibility accommodation information
- student loan information protected by Gramm-Leach Bliley Act (GLBA)
- Information security data, including user and administrator passwords and other data associated with security-related incidents
- personally identifiable information (PII) protected by Massachusetts 201 CMR 17 which defines personal information as first name (or first initial) and last name in combination with any one or more of the following:
-
CONFIDENTIAL - Information assets protected by state or federal law, contractual agreements and proprietary information whose loss, corruption, or unauthorized disclosure can cause serious personal, financial or reputational harm to the College, College employees, or the people we serve.
Examples include but are not limited to:
- human subject data for research which is subject to the Common Rule
- alum and donor personal information (date of birth, mother’s maiden name, place of birth), financial information (financial assets) and fundraising information.
- all personally-identifiable student information that is not defined as Directory Information by the College’s FERPA statement including student judicial records, student academic/advising records, student account and financial aid records, and all other information covered by the Family Educational Rights and Privacy Act (FERPA)
- personnel records (employment and evaluation information, salary, benefits, etc.) and personally-identifiable information for staff (such as date of birth, place of birth, mother’s maiden name)
- sensitive personal information resulting from credit checks, criminal background checks (CORI/SORI reports).
- corporate records including Board of Trustee minutes, Board of Trustee votes and other confidential information dispersed at Board meetings and/or shared with Board members.
-
INTERNAL - Information assets whose loss, corruption, or unauthorized disclosure would not seriously impair business functions but are otherwise private within the College.
Examples include but are not limited to:
- information related to college operations, finances, contracts, legal matters, audits, or other activities that are not public in nature
- person directory for students, alums, or donors unless they have filed a request for privacy of this information. Examples include but are not limited to:
- for students: names, email addresses, home addresses, cell phone numbers and other information drawn from the list of student Directory Information defined within the College’s FERPA statement and their Chosen names.
- for alums and donors: name, business name, business address, home address, MHC email cell phone numbers, business phone numbers, home phone numbers, occupations and titles
- person directory information for faculty and staff, including home address, cell phone, home phone, home fax and personal email
- building plans and other infrastructure diagrams and data
- data related to research that is not subject to the Common Rule
-
PUBLIC - Information assets intended for general use and whose loss, corruption, or unauthorized disclosure (general or to individuals beyond the College) would not impair College business functions.
Examples include but are not limited to:
- public website content, including faculty and staff lists that identify names, titles, department, email address, office location and/or office phone number
- publically released press statements
- course catalog and schedule
- student information designated as student Directory Information by the College within its FERPA statement and which the College chooses to release
- public financial statements
- promotional information
- aggregate statistics about students, faculty, staff, alums and College operations that are non-personally-identifiable and intended for release beyond the College community
- public events calendar
3.3 Data Handling
Information assets shall be handled according to their prescribed classification, including access controls, labeling, retention policies and destruction methods. Specific methods and guidelines are described in the Data Classification and Handling Procedures. For questions or help identifying appropriate handling procedures please contact the Help Desk (helpdesk@mtholyoke.edu).
3.4 Inventory & Re-Classification
Data Stewards must review and update the data classification of every information asset of the College at least once per year. On an ongoing basis, classification or reclassification of data assets should also be considered whenever any data asset is added, modified, retired or destroyed.
3.5 Classification Inheritance
Assets, logical or physical, that “contain” a data asset may inherit classification from the data asset(s) contained therein. In these cases, the inherited classification shall be the highest classification of all contained data assets.
Policy Violations
Violations of college policies are adjudicated according to procedures outlined in Faculty Legislation, the Student Handbook, and the Staff Handbook, with disciplinary consequences imposed by the adjudicating authority up to and including dismissal. Some offenses are punishable under state and federal laws.
Exceptions
Exceptions to this policy must be approved in advance by the Chief Information Officer, at the request of the responsible data asset owner. Approved exceptions must be reviewed and re-approved by the Data Stewards annually.
Related Information
Related Mount Holyoke College policies:
- Acceptable Use Policy
- Information Security Policy
- Records Retention Policy
References
- Federal Information Processing Standard Publication 199 (FIPS-199)
- NIST Special Publication 800-53 r4
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- EU General Data Protection Regulation (GDPR)
- Payment Card Industry Data Security Standard (PCI DSS)
- Federal Information Security Management Act (FISMA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Massachusetts CMR 201 17 - Standards for the Protection of Personal Information of MA residents
- Federal Policy for the Protection of Human Subjects (Common Rule)
Procedures
- Data Classification and Handling Procedures (TBD)
- Data Asset Inventory Audit Procedure (TBD)
Definitions
These definitions apply to terms as they are used in this policy.
| Term | Definition |
|---|---|
| Affiliate | Affiliates of Mount Holyoke College currently include Willits Hallowell Center, Inc. and Mount Holyoke College Alumnae Association. |
| Code of Conduct | All Mount Holyoke College Community members are expected to abide by the shared Code of Ethical Conduct. |
| College, ‘the College’ or ‘Mount Holyoke College’ | This term is inclusive of Mount Holyoke College and its Affiliates as an institution. |
| Data Handler | Individuals whose job responsibilities include access to, manipulation of, or other use of data or information of any format. |
| Data Steward | Individuals, roles, or committees primarily responsible for information assets. |
| Faculty Legislation | An electronic version of current Faculty Legislation can be found online. |
| Information Asset | Individual data fields, documents, or combination thereof related to the college, college operations, persons (ie faculty, staff, student, alums, donors, etc.) and systems, software, services. |
| Staff Handbook | The staff handbook provides employees and their supervisors with clear, concise and accessible information concerning policies, procedures, and benefits, and to provide a framework within which essential teamwork and collaborative enterprise can occur. |
| Student Handbook | The Student Handbook serves as a guidepost for all students — new and returning — regarding important aspects of the community and what makes Mount Holyoke unique. |