Data Classification Policy
1.0 Overview
Champlain College takes seriously its commitment to respect and protect the privacy of its students, alumni, applicants, faculty and staff, as well as to protect the confidentiality of information important to the College’s academic mission. For that reason, Champlain College has classified its information assets into the categories of Restricted, Confidential and Unrestricted. Data classification provides a vital step in integrating security into the College’s business. It establishes an operating foundation that makes it easy for all Champlain constituents to understand the use and governance of the various types of data available at the institution and establish appropriate safeguards. These safeguards include compliance with the Data Security Policy which establishes required security controls based on the classification level.
2.0 Scope
Protecting Champlain College’s information assets is the responsibility of every member of the Champlain community. This document applies to, and must be read by, all members of the Champlain College community.
Specific users bound by this policy include:
- Faculty, including full-time, part-time and retired faculty members
- Staff, including full-time, part-time and temporary workers
- Student workers who have access to any of the sensitive data listed in the policy
- Members of 3rd-party organizations given access to Champlain systems, such as vendors, contractors or consultants
These users will be required to annually certify that they have read, understood and agreed to follow this policy.
3.0 Data Classifications
Classification | Restricted Data | Confidential Data | Unrestricted Data |
Level | 3 | 2 | 1 |
Description | Restricted data is defined as data that is required by law to be protected by specific technical security controls or data that, if disclosed, may have serious adverse effects on the College’s reputation, resources, services, or individuals. Restricted data requires the highest level of security. | Confidential data is data that the College desires to keep private, due to contract obligations, regulatory requirements or because unauthorized disclosure may have adverse effects on the College’s reputation, resources, services, or individuals. | Information is considered Unrestricted if it is not classified as Restricted or Confidential. |
Data Type Examples | Personally Identifiable Information (PII*); Payment Card Industry (PCI*) data; Personal Health Information (PHI*) data | | |
Student Education Records – Classification | Student Conduct and Disciplinary Records, including Academic Probation and/or Suspension; Student Health and Disability Records; Student financial information | | Note: Student work maintained by faculty or the college must be kept private unless it is intended for public display or disclosure |
4.0 Definitions
- Payment Card Industry Data Security Standards (PCI DSS) are the practices used by the credit card industry to protect cardholder data. The PCI DSS comprise a security program for systems that process, store or have access to cardholder data, such as credit card numbers and security codes. The most recent version of the PCI DSS is available at: pcisecuritystandards.org.
- Protected Health Information (PHI) is any information processed, transmitted or stored by the College (or by a business associate) that relates to the past, present or future physical or mental health or condition of an individual, or the provision of health care to an individual; or to the past, present or future payment for health care and (a) identifies the individual or (b) where there is a reasonable basis to believe that the information can be used to identify the individual.
- Student Education Records are those that are required to be maintained as non-public by the Family Educational Rights and Privacy Act (FERPA). Education Records are records that are directly related to a student and that are maintained by the College. Applications for student admission are not considered to be Education Records unless and until the student attends Champlain College.
  - Restricted Student Education Records include:
    - Student personal and family financial information
    - Student health/disability records
    - Academic probation and/or suspension records
    - Student conduct (including disciplinary actions)
  - Confidential Student Education Records include:
    - Student transcripts (official and unofficial)
    - Grades (course and assignment)
    - Faculty-to-Student assignment and course academic feedback recorded in College information systems
    - Class lists
    - Individual student course schedules
    - Directory information (per FERPA definition) maintained by the Office of the Registrar and requested to be kept confidential by the student
    - Academic advising notes recorded in College information systems
  - Disclosure of Student Work Submissions:
    - Student work maintained by faculty or the college must be kept private unless:
      - Syllabus and/or assignment guidelines clearly indicate it is intended for public display or disclosure; or
      - Student signs a waiver allowing for public display or disclosure
    - NOTE: Faculty may use personal devices that are protected by passwords, anti-malware software, and other recommended security measures for storing and processing ungraded student work submissions. Due care should be exercised in handling work of a sensitive nature.
- Personally Identifiable Information (PII): PII includes (a) any information about an individual that can be used to distinguish or trace an individual’s identity, such as an individual’s name in combination with date and place of birth, mother’s maiden name or biometric records; (b) information such as medical, educational, financial and employment information of an individual, which if lost, compromised or disclosed without authorization, could result in harm to that individual; or (c) information that is protected by federal, state or local laws and regulation or industry standards. See Champlain College Personally Identifiable Information Policy for additional information.
Examples include an individual’s name and any one of the following:
- Social Security number
- Date of birth
- Mother’s maiden name
- Financial account number, or credit or debit card number
- Account passwords or PIN numbers for a financial account
- Driver’s license number
- Passport number
5.0 Data Stewards
Data Stewards, as listed by job title in 5.1 and 5.2, represent Data Governance in their functional areas and provide feedback on specific processes or procedures including Data Classification. Inquiries related to classification and other Data Governance questions can be sent to jira+dg@champlain.edu.
5.1 Restricted Data Stewards
The Data Stewards for all data classified as Level Three Restricted Data are as follows: the President, the Vice President of Finance, and the Provost.
5.2 Confidential Data Stewards
Data Type | Steward |
Donor contact information and nonpublic gift amounts | Vice President of Advancement |
Admission applications and financial aid awards | Vice President of Enrollment |
Restricted Research Data | Provost |
Non-public policies and policy manuals | Chief Information Officer |
Champlain internal memos and email, and non-public reports, budgets, plans and financial information, vendor information, student accounts information, tax reporting and banking | Vice President of Finance |
Colleague/Datatel ID numbers | Chief Information Officer |
Contracts and privileged attorney-client communications | Contract & Risk Management Director |
Payroll and employment documentation | Assistant Vice President, People |
Network Diagrams and documentation | Chief Information Officer |
6.0 Privacy Statement
Members of the Champlain College community have reasonable expectations of privacy in their use of information resources. In accordance with Section 6 of the Acceptable Use Policy, systems operators, supervisors, and other College officials may access information resources to locate business information, maintain the system and network, comply with legal requirements, or administer this or other College policies and procedures.
7.0 Violations
Any individual found to be in violation of this policy shall be subject to the relevant Champlain College disciplinary procedure. Individuals are also subject to federal, state and local laws governing many interactions that occur on the Internet. These policies and laws are subject to change as state and federal laws develop and change.
7.1 Policy Subject to Change
This policy is subject to change. You will be notified of any changes to the policy. You agree to abide by the policy as updated from time to time.