Data Classification Policy

Title: St. Olaf College Data Classification Policy
Effective Date: 4-01-2011
Issuing Authority: Office of the Vice President & Chief Financial Officer and Information Technology
Program Coordinators: Controller and Director of Information Technology
Last Updated: 04-14-2016

Purpose of Policy

Information and information systems are critical college resources and assets. St. Olaf College has adopted these information and computing policy statements to safeguard the college’s investments and to comply with various regulations. Stewardship of information resources includes three elements.

Confidentiality: Private information must not be disclosed to unauthorized parties.
Integrity: Changes to important data must be controlled and authorized.
Availability: Loss of access to data and services is also an information security issue.

Classifying data as high, medium, or low risk helps to focus our attention where it is most needed.

Policy

The data and information maintained by the college must be handled and managed in accordance with state or federal mandates. All employees are expected to know and adhere to this policy and related policies referenced within this policy. Violations of these policies can lead to revocation of system privileges and/or disciplinary action including termination of employment.

The use of any St. Olaf College data and information, in any format, for anything beyond the operation of the college is strictly forbidden. Unacceptable uses include sharing the data with groups, organizations, or activities that are not college-sponsored or college-approved, use of data for personal gain, use of data to satisfy personal curiosity, removing data or reports from the campus except in the required performance of college duties, or use by individuals outside of their normal job responsibilities.

Types of Data:

St. Olaf classifies data into three categories:

High Risk:

Data are classified as high risk if:

  1. The college is required to report unauthorized disclosure to the government or affected individuals. See Minnesota Statutes § 325E.61 below.
  2. Loss of confidentiality, integrity, or availability of the data would have a high impact on the college’s finances, reputation, human health and safety, or critical services.
  3. Specific information security controls are required by law or regulation.

Data elements in this group include: social security numbers, credit card numbers, medical information, bank account numbers, passwords, driver’s license information, ACH (automated clearing house) numbers, tax return information, credit rating, loan payment history, and passport information.

Medium Risk:

Medium risk data require information security controls, but do not meet the strict requirements of the High Risk classification. These data include, but are not limited to: personnel promotion and review materials, individual employees’ salaries, employee ID numbers, student ID numbers, date and/or location of birth, grades and coursework.

Low Risk:

Data that are primarily intended to be public or that would have minimal impact if disclosed, altered, or lost. Examples include copies of student directory information and most academic research. Note that even public, low risk data need to be protected from unauthorized alteration or deletion.

See the table at the end of this policy for additional information.

Procedures

St. Olaf College uses access controls and other security measures to protect the confidentiality, integrity, and availability of the college’s data and information. Data and information can be stored and transmitted in a variety of ways, including but not limited to files stored on computers, mobile devices, servers, portable electronic storage devices, paper files, audio or video files, telephone calls, and verbal communications. The college is the owner of all administrative data, although the individual units or departments may have stewardship responsibilities for portions of that data.

Electronic high or medium risk data must be handled according to the policy and procedures for Securing Campus Data and other applicable policies. Paper files should not contain high risk data such as social security numbers. When it is absolutely necessary, the paper files must be attended or kept in a secured, locked area. High risk data should not be taken off campus; if it must be, it must never be left unattended or unlocked.

Notifications for Breach of Security:

Minnesota’s Security Breach law (Statute: § 325E.61) requires that “Any person or business that conducts business in [Minnesota] and that owns or licenses data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay . . . .”

The law defines “personal information” as:

“an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements is not encrypted:

  1. Social Security number;
  2. driver’s license number or Minnesota identification card number; or
  3. account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.”

If you believe personal information or any other type of high risk data may have been breached at St. Olaf, the following incident response steps should immediately be taken:

  1. The individual who discovers the breach should immediately notify the Public Safety Office.
  2. The Public Safety Office will contact the VP of Finance & CFO and, if electronic information or devices are involved, will also notify the Director of Information Technology (IT).
  3. The Public Safety Office, VP of Finance & CFO, and Director of IT will determine if a breach of security of data has occurred, and the appropriate action to take.

The Public Safety Office, VP of Finance & CFO, Director of IT, and Director of Marketing and Communications may use the guidance for dealing with a data breach and the sample notification letter formats published on the Federal Trade Commission website.

High Risk Data includes, but is not limited to the following. Each element is cross-referenced against five regulations (FERPA, GLBA, HIPAA, PCI DSS, FACTA); the number in parentheses is how many of those five apply to the element.

  Social Security Numbers (3)
  Bank Account Numbers (2)
  Credit Card Numbers (3)
  Account Balances (Loans, Student/Bank Account) (2)
  Loan Payment Histories (2)
  Credit Ratings (2)
  Driver’s License Information (2)
  ACH (Automated Clearing House) Numbers (2)
  Tax Return Information (2)
  Passport (2)
  Real Estate Values (2)
  Health Plan Premiums (1)
  Health Plan Eligibility (1)
  Health Plan Claims Benefits (1)
  Health Plan Enrollment/Disenrollment (1)
  Health Plan Payments/Remittance (1)
  Health Plan Claims and Status (1)
  Individually Identifiable Health Information (1)
  Health Referral Certification and Authorization (1)
  First Report of Injury (1)

Medium Risk Data includes, but is not limited to the following. Each element is cross-referenced against the same five regulations (FERPA, GLBA, HIPAA, PCI DSS, FACTA); the applicable regulation, where one is marked, is given in parentheses.

  Student ID Numbers (FERPA)
  Grades (FERPA)
  Courses Taken (FERPA)
  Class Schedule (FERPA)
  Test Scores (FERPA)
  Advising Records (FERPA)
  Educational Services Received (FERPA)
  Student Disciplinary Actions (FERPA)
  Salary and Benefits (none marked)
  Promotion and Review Materials (none marked)
  Employee ID Numbers (none marked)

St. Olaf Policies for High Risk Data:

Securing Campus Data
Office Responsible: Information Technology
Program Coordinator: Roberta Lembke
Summary: St. Olaf guidance for protecting electronic information

Gramm-Leach-Bliley Act (GLBA)
Office Responsible: Office of the Vice President & Chief Financial Officer
Program Coordinator: Nate Engle
Summary: To protect consumer information from threats in security and data integrity.

Family Educational Rights and Privacy Act (FERPA)
Office Responsible: Registrar’s Office
Program Coordinator: Steve McKelvey
Summary: Educational Institutions must grant and protect certain rights relating to educational records.

Health Insurance Portability and Accountability Act (HIPAA)
Office Responsible: Human Resources Office
Program Coordinator: Michael Goodson
Summary: To protect the privacy of personal health information

Payment Card Industry Data Security Standards (PCI DSS)
Office Responsible: Office of the Vice President & Chief Financial Officer
Program Coordinator: Nate Engle
Summary: Anyone who processes credit card payments must follow the security standards set by the payment card brands; PCI DSS is a contractual industry standard rather than a statute.

Fair and Accurate Credit Transactions Act (FACTA)/Red Flag Rules
Office Responsible: Office of the Vice President & Chief Financial Officer
Program Coordinator: Nate Engle
Summary: We must be able to detect red flags for identity theft in instances where we issue credit.

Copyright Laws
Office Responsible: Dean of College
Program Coordinator: Marci Sortor
Summary: All employees of the College are expected to follow laws that protect copyrights.