Data Classification Standard
Classifications of Data
Brandeis University is committed to protecting the privacy of our community. This requires the utmost attention to ensuring the security (and thus confidentiality) of the information collected and maintained by the University. However, in order to minimize the bureaucratic burden on those who work with University Data, the following classifications have been created. These reflect the regulatory and practical security obligations implicit in the data. The greater the risk to individuals and the institution, in the case of an unintended disclosure of information, the more rigorous the security and privacy controls will be for said data. All data will be reviewed on a periodic basis by the Council of Data Trustees and classified according to its use, risk, and importance. All University data types will be classified into one of the following classes.
Information that if disclosed or modified without authorization would have severe adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy. In general information in the Regulated Data class is subject to extensive, specific security and privacy regulations.
Regulated Data includes data that is protected by the following international, federal or state laws or regulations: 201 CMR 17.00 (Massachusetts Regulations), 16 CFR 313 (Privacy of Consumer Financial Information), the Federal Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act of 1996 (HIPAA), the FTC’s Red Flag Rules, and General Data Protection Regulation (GDPR, International Regulations). Information protected by these laws includes, but is not limited to, PI, NFI and PHI.
Information that if disclosed or modified without authorization would have serious adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy.
Restricted data includes data protected by the Family Educational Rights and Privacy Act (FERPA), referred to as student education records. This data also includes, but is not limited to, research data on human subjects, University financial and investment records, charitable gifts and associated donor records, or information related to legal or disciplinary matters. Credentials such as passwords or passphrases are included in this class.
Information that if disclosed or modified without authorization would have moderate adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy. This class of data also includes data the University has chosen to treat confidentially for University business.
Information that poses little or no risk to individuals and to the University. The data is accessible without limitation to anyone regardless of institutional affiliation. It may be freely used, reused, and reattributed.
As defined by Massachusetts law (201 CMR 17.00), the legal first name and legal last name or first initial and legal last name of a person in combination with any one or more of the following:
- Social Security number;
- Driver’s license number or state-issued identification card number; or
- Financial account number (e.g. bank account) or credit or debit card number that would permit access to a person’s financial account, with or without any required security code, access code, personal identification number, or password.
For the purposes of this Policy, PI also includes passport number, alien registration number or other government-issued identification number.
The GLB Act (FTC 16 CFR Part 313) requires the protection of “customer information”, which applies to any record containing nonpublic financial information (“NFI”) about a student or other third party who has a relationship with Brandeis University, whether in paper, electronic or other form, which is handled or maintained by or on behalf of Brandeis University. For these purposes, NFI shall include any information:
- A student or other third party provides in order to obtain a financial product or service from Brandeis University;
- About a student or other third party resulting from any transaction with Brandeis University involving a financial product or service; or
- Otherwise obtained about a student or other third party in connection with providing a financial product or service to that person.
Defined by the Health Insurance Portability and Accountability Act (HIPAA). PHI is individually identifiable health information that relates to the:
- Past, present, or future physical or mental health or condition of an individual.
- Provision of health care to the individual by a covered entity (for example, hospital or doctor).
- Past, present, or future payment for the provision of health care to the individual.
“PI”, “NFI” or “PHI” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public (the policy requirements).
Information collected, created, or maintained by Brandeis University in the course of any of its academic, administrative, or research activities. Note that this does not define “ownership”; information collected and maintained by the University is, in many cases, owned by individuals or other organizations
- Written Information Security Policy (WISP)
- Data Governance Policy
Information Technology Services