Data Classification Policy
February 28, 2022
The purpose of this policy is to define the categorization of data assets at St. George’s University, University Support Services (collectively, the Enterprise). This policy describes categories to which all of the Enterprise non-public information types (data) should be mapped to help the Enterprise protect data in a consistent and appropriate manner.
This policy applies to all Enterprise data. For the purposes of this policy, this includes electronic data either at rest or in transit. Additionally, this policy applies to any data that is hosted or accessed by third-party service providers.
- Personally Identifiable Information (PII): Information which can be used to distinguish or trace the identity of an individual (e.g., name, Social Security Number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual. Linked data (such as an individual’s name in conjunction with their Social Security Number) can be more sensitive than an individual data point.
- Protected Health Information (PHI): Any individually identifiable health information transmitted or maintained in electronic media, or in any other form of medium.
- Payment Card Industry Data Security Standard (PCI-DSS): An information security standard for organizations that handle branded credit cards from the major card schemes.
- General Data Protection Regulation (GDPR): A regulation in European Union (EU) law on data protection and privacy for all individuals within the EU and the European Economic Area (EEA).
- Gramm-Leach-Bliley Act (GLBA), (aka The Financial Modernization Act of 1999): A United States federal law that requires financial institutions to explain how they share and protect their customers’ private information.
- Family Educational Rights and Privacy Act of 1974 (FERPA): A federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA): United States legislation that provides data privacy and security provisions for safeguarding medical information.
Data may be classified as follows:
Sensitive: Any data where the unauthorized disclosure, alteration, loss, or destruction could result in significant harm to the Enterprise. Data to be classified at this tier may include, but is not limited to, PHI, PII, and any data protected by federal, state or local laws and regulations or industry standards, such as PCI-DSS, GDPR, GLBA, FERPA, and HIPAA. Data should be classified as Sensitive if loss of that data would:
- Cause personal or institutional financial loss or be a violation of a statute, act, or law
- Constitute a violation of confidentiality agreed to as a condition of possessing, producing, or transmitting data
- Require the Enterprise to self-report to the government and/or provide public notice if the data is inappropriately accessed
- Cause significant reputational harm to the Enterprise
Confidential: Any data where the unauthorized disclosure, alteration, loss, or destruction would have an adverse impact on the Enterprise’s mission, safety, finances, or reputation to a lesser extent than data classified as Sensitive. Data to be classified at this tier may include, but is not limited to:
- Records disclosed to school officials with legitimate educational interests that do not fall under FERPA or HIPAA
- Unpublished research data
- Unpublished Enterprise financial information that does not fall under GLBA, including strategic plans, real estate plans, or facility development plans
Internal: Any Enterprise intellectual property to which employees, faculty, staff, or students may have authorized access. Internal data includes, but is not limited to:
- Internal communications, such as emails, reports, and other documents
- Research information
- Documents, including manuals, technical documents such as system configurations, any standards or procedures developed to guide the Enterprise’s decisions, or project plans, that are strictly for the use of Enterprise personnel or its constituencies
Public: Any data where the unauthorized disclosure, alteration, loss, or destruction would have little to no adverse impact on the mission, safety, finances, or reputation of the Enterprise. Generally, public information is classified as low risk. Publicly accessible data includes:
- Enterprise financial statements and other reports filed with federal or state governments and available to the public
- Copyrighted materials that are publicly available