Data Classification | St. George's University

Data Classification Policy

August 3, 2018

Purpose

The purpose of this policy is to define the risk-based approach for the categorization of data assets at St. George’s University, University Support Services, and any other operating units of Medforth Global Healthcare Education Group LP identified by management (collectively, the Enterprise). This policy describes categories to which all of the Enterprise data types should be mapped to help the Enterprise protect data in a consistent and appropriate manner.

Scope

This policy applies to all Enterprise data. For the purposes of this policy, this includes electronic or printed data, and data either at rest or in transit. Additionally, this policy applies to any data that is hosted or accessed by third-party service providers.

Objective

The Enterprise is committed to maintaining a secure information technology environment. In order to determine the safeguards required for different data types, it is necessary to determine the level of risk associated with the data. Data classification assigns these risk levels and defines the extent to which technical, administrative, and physical controls must be applied to protect the data from theft, unauthorized access, alteration, disclosure, and/or misuse.

Definitions

  • Personally Identifiable Information (PII): Information which can be used to distinguish or trace the identity of an individual (e.g., name, Social Security Number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual. Linked data (such as an individual’s name in conjunction with their Social Security Number) can be more sensitive than an individual data point.
  • Protected Health Information (PHI): Any individually identifiable health information transmitted or maintained in electronic media, or in any other form of medium.
  • Payment Card Industry Data Security Standard (PCI-DSS): An information security standard for organizations that handle branded credit cards from the major card schemes.
  • General Data Protection Regulation (GDPR): A regulation in European Union (EU) law on data protection and privacy for all individuals within the EU and the European Economic Area (EEA).
  • Gramm-Leach-Bliley Act (GLBA), (aka The Financial Modernization Act of 1999): A United States federal law that requires financial institutions to explain how they share and protect their customers’ private information.
  • Family Educational Rights and Privacy Act of 1974 (FERPA): A federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA): United States legislation that provides data privacy and security provisions for safeguarding medical information.

Roles and Responsibilities

  • Data Steward: An individual who has direct responsibility to ensure that a data domain is classified appropriately. The Data Steward collaborates with institutional Security, Privacy, and Compliance personnel.
  • Data Custodian: The person(s) responsible for, or the person(s) with administrative control over, granting access to an organization’s documents or electronic files while protecting the data as defined by the organization’s security policy or its standard Information Technology (IT) practices.
  • System Owner: The business unit responsible for the overall procurement, development, integration, modification, operation, maintenance, and retirement of an information system.

Policy Statement

Data may be classified as:

Critical Risk/Sensitive: Any data where the unauthorized disclosure, alteration, loss, or destruction could result in a significant harm to the Enterprise. Data to be classified at this tier may include, but is not limited to, PHI, PII, and any data protected by federal, state or local laws and regulations or industry standards, such as PCI-DSS, GDPR, GLBA, FERPA, and HIPAA. Data should be classified as critical if loss of that data would:

  • Cause personal or institutional financial loss or be a violation of a statute, act, or law
  • Constitute a violation of confidentiality agreed to as a condition of possessing, producing, or transmitting data
  • Require Enterprise to self-report to the government and/or provide public notice if the data is inappropriately accessed
  • Cause significant reputational harm to the Enterprise

High Risk/Confidential: Any data where the unauthorized disclosure, alteration, loss, or destruction would have an adverse impact on the Enterprise’s mission, safety, finances, or reputation to a lesser extent than data classified as Sensitive. Data to be classified at this tier may include, but is not limited to:

  • Records disclosed to school officials with legitimate educational institutions that do not fall under FERPA or HIPAA
  • Unpublished research data
  • Unpublished Enterprise financial information that does not fall under GLBA, including strategic plans, real estate plans, or facility development plans

Moderate Risk/Internal: Any Enterprise intellectual property to which employees, faculty, staff, or students may have authorized access. Internal data includes, but is not limited to:

  • Internal communications, such as emails, reports, and other documents
  • Research information
  • Documents including manuals, technical documents such as system configurations, any standards or procedures developed to guide the Enterprise’s decisions, or project plans that are strictly for the use of Enterprise personnel or its constituencies

Low Risk/Public: Any data where the unauthorized disclosure, alteration, loss, or destruction would have little to no adverse impact on the mission, safety, finances, or reputation of the Enterprise. Generally, public information is classified as low risk. Publicly accessible data includes:

  • Enterprise financial statements and other reports filed with federal or state governments and available to the public
  • Copyrighted materials that are publicly available

Related Documents