Public data is information available for disclosure to any person, regardless of their
affiliation with the College. The Public classification is not limited to data that
is of public interest or intended for distribution to the public; the classification
applies to data that do not require any level of protection from disclosure. While
it may be necessary to protect original (source) documents from unauthorized modification,
you may share Public data with a broad audience both within and outside the College
community and no steps are required to prevent its distribution.
Examples of Public data include press releases, directory information (not subject
to a FERPA block), course catalogs, application and request forms, and other general
information approved for public distribution. The type of information a department
would choose to post on its website is a good example of Public data.
Internal data is information that is potentially sensitive and not intended for the
public. Do not disclose Internal Data generally outside of the College without the
permission of the person or group that created the data. It is the responsibility
of the data owner to designate information as Internal where appropriate. If you have
questions about whether information is Internal or how to treat Internal Data, you
should talk to your dean or department head.
Examples of Internal data include some memos, correspondence, and meeting minutes;
contact lists that contain information that is not publicly available; and procedural
documentation that should remain internal.
Confidential data is information that, if made available to unauthorized parties,
may adversely affect individuals or the business of Central Oregon Community College.
This classification also includes data that the College is required to keep confidential,
either by law (e.g., FERPA) or under a confidentiality agreement with a third party,
such as a vendor. Protect this information against unauthorized disclosure or modification.
Confidential Data should be used only when necessary for business purposes and should
be protected both when it is in use and when it is being stored or transported.
It is the responsibility of the data owner to designate information as Confidential
where appropriate. Individuals and departments that create or circulate Confidential
Data should designate the data by clearly marking both hard copies and electronic
versions of documents as Confidential. Those who receive data marked as Confidential
should take appropriate steps to protect it.
Report any unauthorized disclosure or loss of Confidential Data to the appropriate
dean or department head. The dean or department head should determine whether to report
the unauthorized disclosure or loss of Confidential Data to the Information Services
& Technology Incident Response Team (lboehme@COCC.edu or 541-383-7746), who in turn will contact the Chief Information Officer, as appropriate.
Report unintentional modification of original (source) documents to the dean or department
Examples of Confidential data include:
- Information covered by the Family Educational Rights and Privacy Act (FERPA), which
requires protection of records for current and former students. This includes pictures
of students kept for official purposes.
- PII (Personally Identifiable Information) entrusted to our care that is not Restricted
Use data, such as information regarding applicants, alumni, donors, potential donors,
or parents of current or former students.
- Information covered by the Gramm-Leach-Bliley Act (GLB), which requires protection
of certain financial records.
- Individual employment information, including salary, benefits and performance appraisals
for current, former, and prospective employees.
- Legally privileged information.
- Information that is the subject of a confidentiality agreement.
Restricted Use data includes any information that COCC has a contractual, legal, or
regulatory obligation to safeguard in the most stringent manner. In some cases, unauthorized
disclosure or loss of this data would require the University to notify the affected
individual and state or federal authorities. In some cases, modification of the data
would require informing the affected individual. COCC's obligations will depend on
the particular data and the relevant contract or laws. Restricted Use data includes:
- Protected health information subject to the Health Insurance Portability and Accountability
Act (HIPAA), which sets standards for protection of medical records and patient data.
- Certain types of personal information, including an individual's name plus the individual's
Social Security Number, driver's license number, or financial account number, covered
under Oregon State law.
- Financial account numbers covered by the Payment Card Industry Data Security Standard
(PCI-DSS), which controls how credit card information is accepted, used, and stored.
- Data controlled by U.S. Export Control Law such as the International Traffic in Arms
Regulations (ITAR) or Export Administration Regulations (EAR). ITAR and EAR have additional
- U.S. Government Classified Data (these may be subject to additional controls; contact
COCC Information Security to discuss).
- Data used to authenticate or authorize individuals to use electronic resources, such
as passwords, keys, and other electronic tokens.
- Criminal Background Data that might be collected as part of an application form or
a background check.
Use Restricted Use data only when no alternative exists; carefully protect Restricted
Use data. It must be encrypted both in transit and when stored on a portable electronic
device. In addition, protect original (source) documents from unauthorized modification.
Individuals and departments that create or circulate Restricted Use data should
designate the data by clearly marking both hard copies and electronic versions of documents
as Restricted Use. Those who receive data marked as Restricted Use should take appropriate
steps to protect it.
Any unauthorized disclosure or loss of Restricted Use data must be reported to the
COCC Information Security Administrator, lboehme@COCC.edu or 541-383-7400, who will
report to the Chief Information Officer. Report unintentional modification of original
(source) documents to the dean or department head and to the COCC Information Security