”TigerData Classification

Policy Title

Data Classification

1. Purpose

Clemson University is committed to protecting the privacy of its students, alumni, faculty, and staff while protecting the confidentiality, integrity, and availability of information important to the University’s mission. To meet that commitment, the University has developed this policy which will be used to categorize University information and determine what security controls are required for related systems and applications.

2. Roles & Responsibilities

For functional areas with a Data Trustee assigned, data classification is the responsibility of the Data Trustee. Data Stewards appointed by the Data Trustee will create an inventory of data under their purview and will ensure relevant information security policies and procedures are followed to protect the confidentiality and integrity of the data. If a system or application handles data of multiple classifications, it should be protected according to the higher classification. For areas without an appointed Data Trustee, classification and compliance with policies and procedures will be the responsibility of the data owner. This includes owners of shared drives, databases, and applications that collect or process data.

Data Trustee: Officer-level individual with oversight responsibility for University data related to the functional area.

Data Steward: Individuals (assigned by Data Trustee) who are responsible for the accuracy, privacy and security of the data.

3. Definitions

The University, in alignment with the State of South Carolina, has adopted four data classification categories: Restricted, Confidential, Internal Use, and Public. These classifications are defined below.

Restricted

  1. The information is highly sensitive and is to be kept protected as a matter of law, regulation, contractual obligation.
  2. A breach of confidentiality, integrity, or availability could have a significant adverse impact on the University’s mission, safety, finances, or reputation.
  3. The University is subject to statutory or regulatory penalties or notification provisions in the event of any unauthorized access or disclosure.

Confidential

  1. The information is sensitive and is to be kept protected as a matter of University policy, procedures or contractual obligation.
  2. A breach of confidentiality, integrity, or availability could have an adverse impact on the University’s mission, safety, finances, or reputation.

Internal Use

  1. The data is not Confidential or Restricted, but not generally available to the public.
  2. A breach of confidentiality, integrity, or availability could have minimal adverse impact on the University’s mission, safety, finances, or reputation.
  3. The information pertains to or is used in the daily operations of the University.

Public

  1. Data is developed and intended for public disclosure.

4. Data Elements

The Example Data Elements table contains a list of commonly used data types. This list is not all inclusive but does provide guidance on how to classify data.

Example Data Elements
Public
Internal Use
Confidential
Restricted
  • Public facing websites
  • Policies and procedures designed for public use
  • Publicly available campus maps
  • Published research data
  • University contact information not designated by the owner as private
  • Non-public University policies
  • Training materials
  • Unpublished research data (at data owner’s discretion)
  • Non-public contracts
  • University internal memos, emails, reports, and budgets
  • Donor contact and non-public gift information
  • Engineering, design, and operational information regarding University infrastructure
  • HR records
  • Birth date, addresses, personal contacts and other Personally Identifiable Information (PII)
  • Survey or assessment data collected which includes identifiers
  • FERPA protected data
  • Driver’s License numbers
  • Controlled Unclassified Information (CUI)
  • Protected Health Information (PHI) governed by HIPAA
  • Export-controlled data governed by ITAR/EAR
  • Federal tax info received or derived from the IRS
  • Individual financial information subject to Gramm-Leach-Bliley Act (e.g. Financial Aid)
  • Social Security Numbers/ Employee Identification Number
  • Debit or credit card numbers
  • Bank accounts or information with personal identification numbers (PINS)
  • Passport and Visa numbers

 

For some data elements, the context will affect the classification. A name, photo and birthdate are Personally Identifiable Information (PII) and are Confidential but may be included in a University newsletter (with approval from the individual) and be considered Public in that context. Other records containing the same data will still be considered Confidential.

As data ages, the classification may also change. For example, University budgets may be classified as Internal Use, but become Public once published.

5. Data Classification Support

Questions regarding Data Classification, Data Trustees and Data Stewards can be directed to ithelp@clemson.edu.

 

Responsible Division

CCIT

Reviewed Date

November 1, 2018