Data Classification Policy

This document defines the William & Mary data classification scheme and establishes rules and procedures for protecting sensitive and protected university data processed, received, sent or maintained by or on behalf of the university. 

This policy applies to all data owned or leased by William & Mary.

Definitions

Sensitive Data
Sensitive data is highly confidential or personal information protected by statutes, regulations, university policies or contractual language which, if exposed or breached, could result in legal damages, fines/penalties, identity theft and/or financial fraud. Data stewards may also designate data as sensitive if it requires the same level of protection. Data elements defined as sensitive include:

  • Social security numbers
  • Driver's license numbers
  • Credit/debit card numbers
  • Passport numbers
  • Federal ID numbers
  • Employee health records, protected by the Virginia Health Records Privacy Act
  • Financial data that informs the university’s end-of-year financial statements
  • System account credentials

Sensitive data does not include information in the William & Mary directory or data that is made public by the university.  Furthermore, the university has no obligation to protect an individual’s personal information if the personal information is provided to a third-party by another supplier without the involvement of the university.

Protected Data
Protected Data is information that is protected by statutes, regulations, university policies or contractual language but which does not carry the same level of risk as Sensitive Data.  By way of illustration only, some examples of Protected Data include:

  • Student educational records protected by the Family Educational Rights and Privacy Act (FERPA).  Under FERPA, education records are any documents, files, and/or other materials that contain information directly related to a student, are personally identifiable to that student, and are maintained by the university or a university agent. These records include but are not limited to grades, transcripts, class lists, student course schedules, contact and family information, student health records, student financial information (at the postsecondary level), and student discipline files. The information may be recorded in any way, including, but not limited to, handwriting, print, computer media, videotape, audiotape, film, microfilm, microfiche, and e-mail.

    FERPA designates several types of records that are exceptions to this definition, including law enforcement records and medical and treatment records.

    For more detailed information, contact the University Registrar at [[ferpa]] or visit the webpage "Student Records Privacy Policy and Notification of Rights under FERPA."
  • Personal information or giving history collected from a donor, alumnus, or another individual
  • Employment or non-identifiable personnel data
  • Banner 93 numbers 
  • Performance evaluations

Public Data
Public data is information that may or must be open to the general public. It is defined as information with no existing local, national or international legal restrictions on access or usage. By way of illustration only, some examples of Public Data include:

  • Publicly posted press releases
  • Publicly posted schedules of classes
  • Publicly posted interactive university maps, newsletters, newspapers, and magazines
  • Public announcements, advertisements, directory information, and other freely available data on university websites

Policy
Data Classification

Data processed, received, sent, or maintained by the university is classified into the following three categories:

  1. Sensitive
  2. Protected
  3. Public

Departments should carefully evaluate the appropriate data classification category for their information.

When provided in this policy, examples are illustrative only, and serve as identification of implementation practices rather than specific requirements.

Rules Governing Administration of Sensitive Data


Collecting Sensitive Data

There are laws governing university collection of sensitive data. The legal restrictions most commonly impacting the university are summarized below. For additional information, contact the Information Security Office.

  • Sensitive data may only be collected, maintained, used, or disseminated as necessary to accomplish a proper academic or business purpose of the university or as required by law.  
  • Units requesting or collecting sensitive data must communicate why the data is being collected, how it will be used, and, if applicable, any consequences of not providing it.
  • Individuals have the right to inspect and challenge, correct, or explain their personal information (as required by Section 2.2-3806 (A)).

Sending or Receiving Sensitive Data in Electronic or Physical Form
The following restrictions apply both to internal data transmissions (such as sharing files with another university employee) as well as transmissions to outside parties.

  • Sensitive data sent or received electronically must be secured using encryption technology, a secure web transfer, or the Secure File Transfer Protocol. Other acceptable methods include transferring files between network drives on the university's internal network or using the university's secure web file system. The university's email system is not designed to support the transmission of sensitive data securely. 
  • For any other release of sensitive data by the university to a third party, the sender must ensure that the third party is aware of the applicable confidentiality obligations.
  • Sensitive data sent in physical form, such as through the post office or interdepartmental mail, must be secured in a sealed envelope or similar method.
  • Faxing sensitive data is permitted provided that the recipient is notified in advance and is available to retrieve the fax immediately following transmission or able to secure it upon receipt (i.e., receiving a fax in an office that is only accessible by the recipient). Individuals receiving faxed documents with sensitive data are responsible for securing the document after receipt.
  • Routine exchange of sensitive data with a vendor or application hosting provider requires that the vendor or hosting provider undergo a security review, including a third-party assessment of the vendor’s security controls. The sender must also ensure that there are contractual requirements describing which party is responsible for securing sensitive data in transit, how the data will be secured, and any specific confidentiality obligations.

Storing Sensitive Data

  • Sensitive data should only be stored on university-administered servers or the university’s approved cloud storage systems. If sensitive data must be stored on personal or college-owned devices, including but not limited to laptops, personal computers, CDs, flash or thumb drives, cell phones, or personal computing devices (e.g., smartphones and tablets), the data must be encrypted according to the university’s Data Encryption Standard and the device must be password protected.
  • Sensitive data that will be stored by a vendor or application hosting provider must be protected and secured to the same standards applied by the university.  Use of third-party vendors or application hosting vendors must adhere to the policy and procedures detailed in the university’s Application Hosting Policy.
  • Sensitive data saved in non-electronic form (e.g., paper or a whiteboard) must be protected from unauthorized access when left unattended and destroyed when it is no longer needed. For example, papers with sensitive data cannot be left on an unattended desk but instead must be filed in a locked cabinet or a locked office.

Rules Governing Administration of Protected Data


Sending or Receiving Protected Data in Electronic or Physical Form
The following restrictions apply both to internal data transmissions (such as sharing files with another university employee) as well as transmissions to outside parties.

  • Protected data sent or received electronically can be transmitted using the university’s email system.  In addition, protected data can be transmitted using secure web transfer, or the Secure File Transfer Protocol. Other acceptable methods include transferring files between network drives on the university's internal network or using the university's secure web file system.   
  • For any other release of protected data by the university to a third party, the sender must ensure that the third party is aware of the applicable confidentiality obligations.
  • Protected data sent in physical form, such as through the post office or interdepartmental mail, must be secured in a sealed envelope or similar method.
  • Faxing protected data is permitted provided that the recipient is notified in advance and is available to retrieve the fax immediately following transmission or able to secure it upon receipt (i.e., receiving a fax in an office that is only accessible by the recipient). Individuals receiving faxed documents with protected data are responsible for securing the document after receipt.
  • Routine exchange of protected data with a vendor or application hosting provider requires that the vendor or hosting provider undergo a security review. The sender must also ensure that there are contractual requirements describing which party is responsible for securing protected data in transit, how the data will be secured, and any specific confidentiality obligations.

Storing Protected Data 

  • Protected data should only be stored on university-administered servers or the university’s approved cloud storage systems. If protected data must be stored on personal or college-owned devices, including but not limited to laptops, personal computers, CDs, flash or thumb drives, cell phones, or personal computing devices (e.g., smartphones and tablets), the data must be encrypted according to the university’s Data Encryption Standard and the device must be password protected.
  • Protected data that will be stored by a vendor or application hosting provider must be protected and secured to the same standards applied by the university.

Destruction of Electronic Media Containing Sensitive or Protected Data
Electronic media including computers, jump or flash drives, CD/DVDs or servers on which sensitive data has been stored must be disposed of according to the university's Standard for the Disposal of Electronic Data.

Authority and Implementation
This policy is approved by the Provost. The Information Technology department is charged with implementation of this policy.