Data Classification and Handling Policy
Data in the Moderate, High, and Restricted classifications are all considered “sensitive.” Sensitive college data should only be collected, stored, and shared when there is a specific business need and must be handled in a way that's consistent with its level of risk.
Restricted (sensitive)
Definition
- Access and use is subject to special regulatory requirements.
- Unauthorized access has significant legal or financial consequences and may result in mandatory notification, credit monitoring services, or other obligatory measures.
- Systems may be in place to log and audit access.
Examples
- Social security numbers, bank account numbers, passport, and visa numbers, Personally Identifiable Information, date of birth (Oregon ID Theft Act)
- Credit cardholder data (PCI)
- Financial aid "customer information" (GLBA)
Guidance
- Never store or transmit unless encrypted.
- May not be stored in Google or on personally-owned devices.
- No removable media (thumb drive, DVD, hard drive) unless the files are encrypted.
- Departments are responsible for developing policies, procedures, and training that ensures compliance by employees and volunteers who handle restricted data.
High (sensitive)
Definition
- Access and use is restricted by laws, regulations, contractual agreements, or college policy.
- Unauthorized access or use may have serious legal and financial consequences, as well as damage to reputation.
Examples
- Staff and faculty employment records
- Student transcripts
- Disciplinary records
- Personal health information
- IT security documentation
- Financial and health insurance accounts, and other personal information (OCIPA)
- Personal information (GDPR)
Guidance
- May be stored in the cloud if protected by contractual agreement (e.g., Crashplan, Google, Handshake).
- Do not store on personally-owned devices.
- No removable media (thumb drive, DVD, hard drive) unless the files are encrypted.
- Reed Google Drive is secure but Shared Drive or file encryption is required to prevent accidental oversharing.
Moderate (sensitive)
Definition
- Unauthorized access or use poses moderate risk of damage to the individual and/or the college.
Examples
- Reed ID
- Student education record, or directory information if student has opted out (FERPA)
- Letters of recommendation
- College correspondence
- Meeting minutes
- Unpublished research data
- Computer sales, bookstore, and food service transaction records (excluding payment data)
- Library borrowing history
- Donor data
- Maps of campus utilities and infrastructure
- Law enforcement records (ARMS data)
- Disability services data (AIM, etc.)
- Contracts not covered by special NDA provisions
Guidance
- Data should only be shared with individuals who have a specific business need.
- Can be transmitted via Gmail between Reed email addresses.
- Can be shared in Reed Google Drive (only share with specific individuals or defined teams).
- May publish to the web or store in Moodle, with authentication.
- May store on personally-owned devices if encrypted.
Low
Definition
- Access has low to no risk to individuals or the college.
Examples
- Published information and data
- Course syllabi
- Directory information
- Username
- Campus map
Guidance
- Information may be shared publicly though, in some cases, individuals may opt out.