Data Classification Access and Information Protection Policy

Purpose: Data and information are important assets of Pittsburg State University (PSU) and must be protected from loss of integrity, confidentiality, or availability in compliance with university policy and guidelines, Board of Regents policy, and state and federal laws and regulations.

Applies to: This policy applies to all university colleges, departments, administrative units, and affiliated organizations. For the purposes of this policy, affiliated organization refers to any organization that uses university information technology resources to create, access, store, or manage University Data. For third-party vendors who create, store, or maintain University Data per a contractual agreement, the agreement should include language specifying how, and to what extent the vendor is to comply with this policy.

Statement:
All university data must be classified according to the PSU Data Classification Schema. It must be accessed with the appropriate level of permission according to PSU's Roles and Responsibilities, and protected according to PSU's Security Standards. This policy applies to electronic data in all formats and media.

Policy:

Data Classification Schema

Data and information assets are classified according to the risks associated with the data being stored or processed. Data with the highest risk need the greatest level of protection to prevent compromise; data with lower risk require proportionately less protection. Three levels of data classification will be used to classify university data based on how the data are used, their sensitivity to unauthorized disclosure, and requirements imposed by external agencies. Unless otherwise indicated, non-public is the default classification for data.

Level I Public (Low Sensitivity)

Data which are of interest to the general public and for which there is no university business need or legal reason to limit access. Public data may be made available to the general public in printed or electronic format. Anyone in the general public may view these data using such public sources.

Examples of public data include but are not limited to:

  • Campus directory data
  • Course catalog
  • PSU public web site
  • Employee names
  • Work addresses
  • Work telephone numbers
  • Press releases

Level II Non-Public (Moderate Sensitivity)

Data held by the university for operational, educational, and/or other purposes, which are not appropriate and/or readily available for general public use. Non-public data will be available to authorized university employees for inquiry/download only in support of the performance of their assigned roles/duties. Non-public data may be released to individuals or groups outside of the university community only with approval from the appropriate Data Steward, Records Custodian, or as required by law.

Examples of non-public data include but are not limited to:

  • Records subject to disclosure under law including university business transactions
  • Employee records not deemed public or confidential
  • Student educational records not deemed public or confidential
  • Financial accounting data that does not contain confidential information

Level III Confidential (High Sensitivity)

Highly sensitive data intended for limited, specific use by a workgroup, department, or individuals with a legitimate need-to-know. Explicit authorization by the Data Steward is required for access because of legal, contractual, privacy, or other constraints.

Examples of confidential data include but are not limited to:

  • Personal Identity Information (PII) - An individual's name (first name and last name, or first initial and last name) in combination with one or more of the following: a) social security number, b) driver's license number or state identification card number, or c) financial account number, or credit or debit card number, alone or in combination with any required security code, access code or password that would permit access to a consumer's financial account.
  • Social security number
  • Passport number
  • Credit card number
  • Certain personnel records
  • Certain student records
  • Certain student financial assistance records
  • Research data
  • Intellectual property

Roles and Responsibilities

Everyone (employees, temporary employees, student employees, volunteers) with any level of access to university data has the responsibility to protect that information from unauthorized access, modification, destruction, or disclosure, whether accidental or intentional. The following roles have specific responsibilities for protecting and managing university data.

Data Owner

The Data Owner is Pittsburg State University. PSU is the owner of all institutional data.

Chief Data Steward

Chief Data Stewards are designated university officials who are responsible for providing leadership to the Data Stewards within their division.

Data Steward

Data Stewards are individuals who are responsible for overseeing a collection (set) of university data under the direction of a Chief Data Steward. They are ultimately responsible for its proper handling and protection. Data Stewards are responsible for ensuring the proper classification of data, granting and managing data access permissions, making sure people in data-related roles are properly trained, and ensuring compliance with all relevant policies and security requirements.

Data Stewardship and Access Procedures

Data Stewards are responsible for ensuring that employees have successfully completed yearly security training prior to being granted access to confidential data elements, and for ensuring that access privileges are revoked in a timely manner for employees who no longer need them.

Data Stewards are also responsible for annually reporting their confidential data elements so that users are aware of the definitions, restrictions, interpretations, and other issues that ensure the correct use of data. The Data Steward must update and resubmit their confidential data elements following the approved process whenever there are changes. Examples of changes that require resubmission include any required reclassification, additional confidential data, major system modifications, and requests for new data elements.

Data Processor

Data processors are individuals with day-to-day responsibilities to enter, modify, delete, or disseminate data in their functional area at the direction of the responsible Data Steward. Data Processors are also accountable for the accuracy and timeliness of data assigned to them.

Data User

Data users are individuals who need and use university data as part of their assigned duties or in fulfillment of assigned roles or functions within the university community. Data Users are not authorized to enter, modify, or delete data.

Any suspected loss, unauthorized access, or exposure of university data classified as non-public or confidential must be immediately reported to the Information Security Officer, security@pittstate.edu or 620-235-4657.

Electronic Record Retention Schedule

Pittsburg State University follows the State of Kansas record retention schedules. Schedules are available at the following link under the heading "State General Schedule": State of Kansas Retention Schedule

State Resources in regard to record retention schedule language and definitions:

Legal Hold

Retention procedures will be suspended when a record is placed on legal hold. A legal hold requires preservation of appropriate records under special circumstances, such as litigation or government investigations.

Records Management

University data may reside in university records, be used to produce university records, or itself constitute university records. University records need to be managed in accordance with approved records retention and disposition schedules consistent with University Archives records management policies and guidelines. Laws of the State of Kansas require that university records not be discarded or destroyed in advance of the authorized disposition date.

Data Classification Committee

Members must include at a minimum:

  • Information Security Officer
  • General Counsel
  • Internal Auditor
  • University Archivist
  • Director of Institutional Research and Planning

Responsibilities

  • Ensure that confidential data is identified
  • Review the confidential data report from the Data Stewards
  • Approve variances in the classification of data

University Data

University data is information created, collected, maintained, transmitted, or recorded by or for the university to conduct university business. It includes data used for planning, managing, operating, controlling, or auditing university functions, operations, and mission.

Contact:

Angela Neria
153 Kelce Center
1701 South Broadway, Pittsburg, KS 66762
Phone: (620) 235-4600
e-mail: aneria@pittstate.edu

Approved on: 8/21/2015, President's Council
Effective: 01/21/2015
Review cycle: Annually