Data Classification Standards


DRAFT

Public

Public data is information available for disclosure to any person, regardless of their affiliation with the College. The Public classification is not limited to data that is of public interest or intended for distribution to the public; the classification applies to any data that does not require protection from disclosure. While it may still be necessary to protect original (source) documents from unauthorized modification, you may share Public data with a broad audience both within and outside the College community, and no steps are required to prevent its distribution.

Examples of Public data include press releases, directory information (not subject to a FERPA block), course catalogs, application and request forms, and other general information approved for public distribution. The type of information a department would choose to post on its website is a good example of Public data.

Internal

Internal data is information that is potentially sensitive and not intended for the public. Do not disclose Internal data outside of the College without the permission of the person or group that created it. It is the responsibility of the data owner to designate information as Internal where appropriate. If you have questions about whether information is Internal or how to treat Internal data, talk to your dean or department head.

Examples of Internal data include some memos, correspondence, and meeting minutes; contact lists that contain information that is not publicly available; and procedural documentation that should remain internal.

Confidential

Confidential data is information that, if made available to unauthorized parties, may adversely affect individuals or the business of Central Oregon Community College. This classification also includes data that the College is required to keep confidential, either by law (e.g., FERPA) or under a confidentiality agreement with a third party, such as a vendor. Protect this information against unauthorized disclosure or modification. Confidential data should be used only when necessary for business purposes and should be protected while it is in use, while it is stored, and while it is transported.

It is the responsibility of the data owner to designate information as Confidential where appropriate. Individuals and departments that create or circulate Confidential data should designate it clearly by marking both hard copies and electronic versions of documents as Confidential. Those who receive data marked as Confidential should take appropriate steps to protect it.

Report any unauthorized disclosure or loss of Confidential data to the appropriate dean or department head. The dean or department head should determine whether to report the unauthorized disclosure or loss to the Information Services & Technology Incident Response Team (WDymond@COCC.edu or 541-383-7746), which in turn will contact the Chief Information Officer as appropriate. Report unintentional modification of original (source) documents to the dean or department head.

Examples of Confidential data include:

  • Information covered by the Family Educational Rights and Privacy Act (FERPA), which requires protection of records for current and former students. This includes pictures of students kept for official purposes.
  • Personally Identifiable Information (PII) entrusted to our care that is not Restricted Use data, such as information regarding applicants, alumni, donors, potential donors, or parents of current or former students.
  • Information covered by the Gramm-Leach-Bliley Act (GLB), which requires protection of certain financial records.
  • Individual employment information, including salary, benefits and performance appraisals for current, former, and prospective employees.
  • Legally privileged information.
  • Information that is the subject of a confidentiality agreement.

Restricted Use

Restricted Use data includes any information that COCC has a contractual, legal, or regulatory obligation to safeguard in the most stringent manner. In some cases, unauthorized disclosure or loss of this data would require the College to notify the affected individuals and state or federal authorities. In some cases, modification of the data would require informing the affected individuals. COCC's obligations will depend on the particular data and the relevant contract or laws. Restricted Use data includes:

  • Protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA), which sets standards for protection of medical records and patient data.
  • Certain types of personal information covered under Oregon State law, including an individual's name combined with the individual's Social Security Number, driver's license number, or financial account number.
  • Payment card account numbers and related cardholder data covered by the Payment Card Industry Data Security Standard (PCI DSS), which controls how credit card information is accepted, used, and stored.
  • Data controlled by U.S. Export Control Law such as the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR). ITAR and EAR have additional requirements.
  • U.S. Government Classified Data (this may be subject to additional controls; contact COCC Information Security to discuss).
  • Data used to authenticate or authorize individuals to use electronic resources, such as passwords, keys, and other electronic tokens.
  • Criminal Background Data that might be collected as part of an application form or a background check.

Use Restricted Use data only when no alternative exists, and protect it carefully. It must be encrypted both in transit and when stored on a portable electronic device. In addition, protect original (source) documents from unauthorized modification.

Individuals and departments that create or circulate Restricted Use data should designate it clearly by marking both hard copies and electronic versions of documents as Restricted Use. Those who receive data marked as Restricted Use should take appropriate steps to protect it.

Any unauthorized disclosure or loss of Restricted Use data must be reported to the COCC Information Security Administrator (WDymond@COCC.edu or 541-383-7746), who will report it to the Chief Information Officer. Report unintentional modification of original (source) documents to the dean or department head and to the COCC Information Security Administrator.

Last Updated: 4.27.15 - wdymond

Page Steward: IT Information & Security