Data Classification Policy
Information Technology Policies
Review Date: 03/12/2026
Purpose
The purpose of this policy is to provide the basis for protecting the confidentiality of Coppin State University data at rest and in transit, in both electronic and manual records. This standard exists in addition to all other university policies and federal and state regulations governing the protection of the university's data. This policy covers all university records, regardless of media form, that are made or received in connection with the transaction of university business.
Policy
All CSU data, whether maintained on premises, in the cloud or hosted by third-party systems, shall be assigned to one of the classifications listed below. Aggregated information shall be classified at the most secure classification level of any individual information component it contains.
It is the responsibility of the Data Owner to assign the Data Classification to each data element maintained by their area.
Data Owner: The employee or designee responsible for determining user access approval to a specific population of data and assigning Data Classification to Data originating from or residing in their respective business units.
Restricted (Category I): Highly sensitive information requiring maximum security - Not Permitted for AI use
Examples:
- Personally Identifiable Information (See Appendix A)
- Passwords and encryption keys
- Patient Health Information (PHI) under HIPAA
- Credit card information (PCI-DSS regulated data)
- Legal documents under attorney-client privilege
- Trade secrets or proprietary business formulas
Data in Category I must be secured (i.e., encrypted) in storage and in transit.
Confidential Sensitive/Category II: Sensitive information requiring strong protection - Not permitted for AI use
Examples:
- Employee performance evaluations
- Internal financial statements
- Contracts and vendor agreements
- Drafts of legal policies or regulatory compliance documents
- Research data with proprietary or sensitive results not yet published
Data in Category II must be secured (encrypted) in storage and in transit.
Private (Category III): Internal, non-sensitive information that is not available to the public - Proceed with caution, having evaluated the risks
Examples:
- Internal memos or team discussions that do not disclose sensitive information
- Internal newsletters or updates about upcoming company events
- Employee directory information (names, titles, and work emails)
- General meeting minutes without sensitive topics discussed
- Preliminary reports or drafts of non-sensitive documents
Public (Open/Category IV): Information cleared for public release - AI Permitted with compliance to ethical standards.
Examples:
- Published press releases
- Marketing materials and brochures
- Publicly posted job descriptions
- Academic research published in open-access journals
- Information on the organization's public-facing website
Procedure
It is Coppin State University policy to provide an appropriate level of access to all electronic data, dependent upon role, for both employees and vendors. Access privileges shall be assigned upon hire in accordance with an employee’s or vendor’s defined role.
Access controls shall be established to ensure that access to systems and information is limited to approved individuals and only to the information needed to perform their business roles. Any additional employee access must be requested in writing and approved by the employee’s supervisor and the data owner.
Refer to the Cloud Oversight and Governance procedure for information on third-party vendor requirements.
Appendix A: Information Classification
Educational Records: Educational Records as defined and when protected by 20 U.S.C. § 1232g; 34 CFR Part 99 (FERPA), in the authoritative system of record for student grades.
Protected Health Information: Any Protected Health Information (PHI) as the term is defined in 45 CFR 160.103 (HIPAA).
Personally Identifiable Information: Any information that, taken alone or in combination with other information, enables the identification of an individual, including:
- a full name;
- a Social Security number;
- a driver's license number, state identification card number, or other individual identification number;
- a passport number;
- biometric information including an individual's physiological, biological, or behavioral characteristics, including an individual's deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity;
- geolocation data;
- Internet or other electronic network activity information, including browsing history, search history, and information regarding an individual's interaction with an Internet website, application, or advertisement; and
- a financial or other account number, a credit card number, or a debit card number that, in combination with any required security code, access code, or password, would permit access to an individual's account.
“Personally identifiable information” does not include data rendered anonymous through the use of techniques, including obfuscation, delegation and redaction, and encryption, so that the individual is no longer identifiable.
Confidential Information: Personally Identifiable Information that would pose a reasonable risk of harm to the data subject if accessed or acquired by an unauthorized party.