Computing & Information Services

Data Classification and Handling Guidelines

Data in the Moderate, High, and Restricted classifications are all considered “sensitive.”

Restricted Sensitive

Definition

  • Access and use are subject to special regulatory requirements.
  • Unauthorized access has significant legal or financial consequences and may result in mandatory notification, credit monitoring services, or other obligatory measures.
  • Systems may be in place to log and audit access.

Examples

  • Social Security numbers, bank account numbers, passport and visa numbers, personally identifiable information, date of birth (Oregon ID Theft Act)
  • Credit cardholder data (PCI)
  • Financial aid "customer information" (GLBA)
  • Personal information (GDPR)

Guidance (minimum requirements)

  • Never store or transmit unless encrypted.
  • May not be stored in Google or on personally-owned devices.
  • No removable media (thumb drive, DVD, hard drive) unless the files are encrypted.
  • Departments are responsible for developing policies, procedures, and training that ensure compliance by employees and volunteers who handle restricted data.

High Sensitive

Definition

  • Access and use are restricted by laws, regulations, contractual agreements, or college policy.
  • Unauthorized access or use may have serious legal and financial consequences, as well as damage to reputation.

Examples

  • Staff and faculty employment records
  • Student transcripts
  • Disciplinary records
  • Personal health information
  • IT security documentation

Guidance

  • May be stored in the cloud if protected by contractual agreement (e.g., CrashPlan, Google, Handshake).
  • Do not transmit unless encrypted and do not store on personally-owned devices.
  • No removable media (thumb drive, DVD, hard drive) unless the files are encrypted.
  • Reed Google Drive is secure, but Shared Drive or file encryption is required to prevent accidental oversharing.

Moderate Sensitive

Definition

  • Unauthorized access or use poses moderate risk of damage to the individual and/or the college.

Examples

  • Reed ID
  • Student education record, or directory information if the student has opted out (FERPA)
  • Letters of recommendation
  • College correspondence
  • Meeting minutes
  • Unpublished research data
  • Computer sales and bookstore records (excluding payment data)
  • Library borrowing history
  • Donor data
  • Maps of campus utilities and infrastructure
  • Law enforcement records (ARMS data)
  • Disability services data (AIM, etc.)
  • Contracts not covered by special NDA provisions

Guidance

  • Data should only be shared with individuals who have a specific business need.
  • Can be transmitted via Gmail between Reed email addresses.
  • Can be shared in Reed Google Drive (only share with specific individuals or defined teams).
  • May publish to the web or store in Moodle, with authentication.
  • May store on personally-owned devices if encrypted.

Low

Definition

  • Access has low to no risk to individuals or the college.

Examples

  • Published information and data
  • Course syllabi
  • Directory information
  • Username
  • Campus map

Guidance

  • Information may be shared publicly, though in some cases individuals may opt out.