Classification and Handling of Protected Data

Effective Dates and Issuing Authority

Effective Date: January 30, 2014

Date Last Reviewed: January 30, 2014

Date Scheduled for Review: January 30, 2015

Issuing Authority: Chief Information Security Officer

Policy

Policy Statement

Data classification is a method of assigning a level of sensitivity to data. The classification of the data determines the extent to which it must be controlled and secured. This policy defines the required data protection criteria based on the data's classification and sensitivity. The guiding principle is that a user must have an approved need in order to access data. Protected Data shall be classified as sensitive or confidential, as described in this policy.

Scope of this policy

This policy applies to all individuals who access, use, or control Temple University data including, but not limited to, faculty, staff, students, researchers, those working on behalf of the University, and individuals authorized by affiliated institutions and organizations. This policy applies to all data regardless of storage medium or format. Additionally, it is understood that in the ordinary course of business faculty, staff, students, researchers, and those working on behalf of the University may have access to unrestricted data, and that those individuals will still exercise discretion in the handling of such data.

Policy

Data must be maintained in an appropriately secure, accurate, and reliable manner and be readily available for authorized use. Data security measures must be implemented commensurate with the classification of the data, which is based on its sensitivity and the risks associated with improper disclosure. University assigned Data Stewards (as defined in the Temple University Data Standards Guides) are responsible for evaluating and assigning an appropriate data classification to data residing in their functional areas. All systems and storage, whether internal or outsourced, that handle confidential or sensitive data must complete a security risk assessment. Systems that cannot meet minimum security standards must implement compensating controls and be granted a special waiver by the Chief Information Security Officer.

All members of the University community have a responsibility to protect the confidentiality, integrity, and availability of data generated, accessed, modified, transmitted, stored, or used by the University, irrespective of the medium on which the data resides and regardless of format (e.g., in electronic, paper, or other physical form). Data should not be collected or stored unless it is for bona fide business and/or legal requirements. University assigned Data Stewards are responsible for implementing appropriate managerial, operational, physical, and technical controls for access to, use of, transmission of, and disposal of University data in compliance with this policy. Data Stewards are responsible for submitting to a security risk assessment prior to any new application or system implementation or usage through the Computer Services Office of Information Security, per the Technology Usage Policy: Section III, Item c.

Data Classification

  • Confidential

Inappropriate handling could result in severe consequences, such as criminal or civil penalties, identity theft, financial loss, or invasion of privacy. Access is granted through the supervisor/manager and Data Steward approval process based on job needs and justification. An annual access audit will be completed, and the data must remain within Temple locations, on Temple assets, or with contracted vendors that have been approved through the Office of University Counsel and the Computer Services Office of Information Security. Examples of confidential data include Health Information, Social Security Numbers, and credit card information.

  • Sensitive

All data not defined as unrestricted or confidential. This data may be accessed by anyone employed or working under contract for the University, in the conduct of bona fide University business. Access is granted through the supervisor/manager and Data Steward approval process based on job needs and justification. However, because of legal, ethical, or other constraints, access restrictions should be applied accordingly. Examples of Sensitive data include home or emergency contact information, compensation, and background check verification.

  • Unrestricted

Information that is publicly available; generally, the unauthorized disclosure, alteration, or destruction of that data would result in little or no risk to the University and its affiliates. Examples of unrestricted data include press releases, course information, job descriptions, and marketing materials intended for the general public.

Follow the Procedure for Reporting and Handling Security and Privacy Incidents if any confidential or sensitive data is lost or disclosed to unauthorized parties, or is suspected of having been, or if any unauthorized use of the University's information systems has taken place or is suspected of having taken place.

Cross References to Related Policies

Social Security Number Usage policy 04.75.11
http://policies.temple.edu/getdoc.asp?policy_no=04.75.11

Social Security Number Usage Procedures 04.75.12
http://policies.temple.edu/getdoc.asp?policy_no=04.75.12

Identity Theft Prevention Program 05.20.01
http://policies.temple.edu/getdoc.asp?policy_no=05.20.01

Credit Card Handling and Acceptance policy 05.20.17
http://policies.temple.edu/getdoc.asp?policy_no=05.20.17

Temple University Data Standards
https://tuportal3.temple.edu/apps/global/help/resources/Data%20Standards%20Document.pdf

Personally Identifiable Information Guidelines
https://computerservices.temple.edu/personally-identifiable-information-guidelines

Guidelines for Storing and Using Personally Identifiable Information in Non-Production Environments
https://computerservices.temple.edu/guidelines-storing-and-using-personally-identifiable-information-non-production-environments

Applicable Acts, Regulations, and Laws:

PA State Data Breach Notification Law: State Bill 712, 73 P.S. §§ 2301–2308, 2329
http://www.legis.state.pa.us/CFDOCS/Legis/PN/Public/btCheck.cfm?txtType=PDF&sessYr=2005&sessInd=0&billBody=S&billTyp=B&billNbr=0712&pn=1410

Gramm-Leach-Bliley Act (GLBA)
http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act

Family Educational Rights and Privacy Act (FERPA)
http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

Health Insurance Portability and Accountability Act (HIPAA)
http://www.cms.gov/hipaageninfo

Payment Card Industry Data Security Standard (PCI DSS)
https://www.pcisecuritystandards.org/tech/