Data Classification (Policy 89)

1. Policy Statement 

   Data security is among the most critical activities required to ensure operational continuity, maintain the trust and confidence placed in the University, and meet the University’s legal obligations to maintain the confidentiality of certain data. In turn, ensuring adequate and appropriate confidentiality, integrity, and availability of University data is enabled by an established data classification policy. A data classification policy permits the University to calibrate its data use protections according to the sensitivity of the data at issue. It also permits the University the ability to balance its duty of permitting public inspection of certain information pursuant to the Illinois Freedom of Information Act with confidentiality concerns.   

2. Purpose

   This policy serves to establish Governors State University’s data classifications. It does not define rules governing the storage, processing, sharing, transmission, disposal, or other handling of data. 

3. Scope

   This policy applies to all data for which the University is responsible.

4. Policy
   1. Statement of Policy:
      1. It is the University’s policy to comply with all legal obligations to maintain the confidentiality of certain University Data, while also permitting the reasonable access to and use of data for University business and compliance with laws such as FOIA. In furtherance of its policy, the University hereby adopts a Data Classification system.  
      2. While this policy provides examples of Data that meets each Data Classification, it is the responsibility of each University Department to classify Data it regularly stores, processes, or transmits and to ensure that employees within such Department are trained on such Data Classifications and any changes thereto. The exemplar lists contained in this Policy are not intended to be exhaustive. In 
         no event shall any Department classify data in a less restrictive manner than required by this policy absent written approval from the University’s Legal, Compliance, or Information Security Offices. 
      3. Access to or use of Data for a particular purpose (e.g., disclosure of student records pursuant to a FERPA waiver) shall not necessarily change the Data Classification of said Data; only where Data becomes public due to no fault of the University or its employees or agents would disclosure constitute cause for a change in Data Classification.  
      4. In the event that the categorization suggested by this policy conflicts with categorization suggested by another policy, law, contract, or other guidance, the data custodian should err on the side of the more restrictive classification until the data custodian can seek additional guidance for the data custodian’s supervisor or University’s Legal, Compliance, or Information Security Offices. 
      5. Failure to classify Data appropriately (or seek guidance in doing so before using or disclosing such Data), and failure to observe Data Classifications, may result in corrective action up to and including termination of employment. 
   2. University Data Classifications: The University has adopted a three-tiered Data Classification system, which is outlined below from most to least restrictive. 

      1. Restricted 

         The “Restricted” data classification refers to University Data which could result in serious or potentially irreparable harm to the University or its constituents, including but not limited to its students, alumni, applicants, trustees, employees, and contractual partners, if accessed, disclosed or used in an unauthorized manner. Inappropriate handling of this data could result in criminal or civil penalties to or liabilities of the University, loss of federal or state funding to the University, reputational damage to the University, identity theft, financial loss, or invasion of privacy of the person whose data is at issue (such as a student or employee). The University also may classify certain Data as “Restricted” due to legal, ethical, or contractual obligations, even though such Data does not have the foregoing characteristics. Restricted Data is distinguishable from the other Data Classifications set forth herein because it is kept on a “need to know” basis, even internally. 

         Examples of Restricted Data include, but are not limited to: 

         1. “education records” as that term is defined by the federal Family Education Rights and Privacy Act (FERPA). (20 U.S.C. § 1232g; 34 CFR Part 99), relating to current or former students or alumni, unless such information is subject to disclosure pursuant to a legal exemption, including but not limited to where express, written consent has been obtained prior to disclosure. If subject to a legal exemption, an education record may be disclosed only consistent with the requirements of such legal exemption; an education record does not otherwise become public because disclosure was permitted pursuant to an exemption. Personnel records relating to any prospective, current, or former employee or employment applicant;
         2.  Background checks, including credit check results and criminal record check results; 
         3. Applications, or data submitted in support thereof, for accommodations for persons with disabilities; 
         4. Applications, or data submitted in support thereof, for leave under the Family and Medical Leave Act (FMLA) (29 U.S.C. §§ 2601 et seq) or similar law, including but not limited to genetic information submitted in support thereof; 
         5. Individuals’ personal health information in which the individual has a reasonable expectation of privacy; 
         6. Data that would permit access to University accounts, including but not limited to investment and banking accounts, such as bank statements, account numbers, and account passwords, in combination or isolation; 
         7. Data relating to the University’s emergency response planning, including response plans; 
         8. Data relating to the University’s data security plans, including but not limited to network and system diagrams and configurations; 
         9. Data subject to the attorney-client privilege and/or attorney work product doctrine, including but not limited to confidential communications by and between and attorney and client (or representatives of the client) for the purpose of obtaining or providing legal advice; 
         10. Government classified information; 
         11. Information designated “controlled unclassified information” within the meaning of the National Institute of Standards and Technology, Publication 800-171, V.2, as it may be revised from time to time; 
         12. Board of Trustee documents, including meeting minutes, reflecting discussions occurring during closed sessions for so long as they are deemed confidential by the Board of Trustees; 
         13. With the exception of information that is otherwise public by lawful means, “personal information” as that term is defined by the Illinois Personal Information Protection Act (PIPA), (815 ILCS 530/1 et seq.), meaning: 
             1. the first name or initial coupled with the last name of any person, including students, alumni, or employees, in combination with one or more the following data elements: 
                1. Social Security number; 
                2. Driver’s license number or State identification card number; 
                3. Account number or credit or debit card number; 
                4. Medical information;
                5. Health insurance information; 
                6. Unique biometric data generated from measurements or technical analysis of a person for purposes of authenticating the person, such as a fingerprint, retina or iris image; 
             2. A user name or email address combined with a password or security question and answer, which together would permit access to an online account; 
             3. An account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; and 
         14. Information requiring such treatment pursuant to a Non-Disclosure Agreement (NDA).

      2. Internal-Only

         Internal-Only data is that which could result in harm to the University or its constituents, including but not limited to its students, alumni, applicants, trustees, employees, and contractual partners, if accessed, disclosed or used in an unauthorized manner. Internal-Only Data is distinguishable from the other Data Classifications set forth herein because it is intended to be used solely by University personnel or authorized University agents but is not kept on a “need to know” basis only. 

         Inappropriate handling of Internal-Only Data could result in reputational damage for the University, as well as loss of competitive advantage and higher costs for University business processes. Even some data that eventually becomes part of the public record may be classified as Internal-Only for interim purposes, such as while certain negotiations are ongoing. Typically, Internal-Only Data is that which is not intended to be shared with persons or entities outside the University or its authorized agents, such as accountants and attorneys.

         Examples of Internal-Only Data include, but are not limited to: 

         1. Unpublished Research Data; 
         2. Intellectual Property not intended to become public, such as software code; 
         3. Preliminary drafts, notes, recommendations, memorandum and other records in which opinions are expressed, or policies or actions are formulated; 
         4. Certain communication, correspondence, memos, meeting minutes, or processes and procedures; 
         5. Other data not listed by any other restricted classification that is exempted from disclosure under FOIA, 5 ILCS 140/7-7.5; 
         6. Vendor taxpayer identification numbers. 

      3. Public Data classified as Public is information that may be disclosed to any parties regardless of their affiliation with the University and without restriction. Individuals should not assume that data obtained from University systems is public unless expressly designated as such or obviously intended as such. For example, interim drafts of policies, procedures, reports, findings, resolutions, minutes, and other types of communications may not be intended for public inspection or distribution and may be exempted from public disclosure. When in doubt, an individual should assume information is not public unless and until the user has obtained clarifying guidance from a supervisor or the University’s FOIA Officer. 

         Examples of Public data include, but are not limited to, final and published versions of: 

         1. Press releases; 
         2. Course catalogs; 
         3. Marketing materials; and 
         4. Information posted to the University’s publicly-accessible website, including but not limited to published policies, consumer disclosures, and job postings.
   3. Other Data Classifications
      1. Gramm-Leach-Bliley Act Customer Information
         1. Information obtained by Governors State University as a result of providing a financial service such as when the University administers or aids in the administration of Title IV programs; makes institutional loans or scholarship; or certifies a private education loan on behalf of a student. Customer information is limited to financial information connected to student and parent finances such as student and parent loans, bank account information and income tax information for financial aid packages.

5. Credit and Source 

Developed internally.