Colgate University

Policy Type: Administrative

Effective Date: May 2021

Last Revised: August 2022

Review Date: August 2022

Owner: Chief Information Security Officer

Contact Name: Blake Penn

Contact Title: Chief Information Security Officer

Contact Email: bpenn@colgate.edu

Reason for Policy

The Colgate University Data Categorization Policy provides guidance for the organization of University data. Organizing University data into sensitivity categories allows the University to better protect the confidentiality, integrity, availability, and privacy of University data. These guidelines are also critical in ensuring compliance with data privacy and security laws and regulations including, but not limited to, the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, the Family Educational Rights & Privacy Act (FERPA), the European Union's General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), the FTC's Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Policy Statement 

University data should be organized into categories that are defined as described in this section. 

  • Public: Information intended for general public use. Examples may include internet website content and press releases. This could include directory information.
  • Protected: Information not generally available to parties outside the University community. This information is considered private and should be protected in accordance with the current University Data Protection Guidelines (currently under development), which are based on the concept of least privilege. Examples may include data that, if compromised, could lead to financial fraud and/or violate laws and regulations.
  • Regulated: In addition to organizing data into public or private categories, the laws and regulations that apply to specific data should be identified and documented. Such regulated data should be protected in accordance with the rules and safeguards specified in those laws and regulations, in addition to the appropriate University guidelines.

Scope

This policy applies to all University data regardless of where the data exists and whether the data exists on University resources or not. 

Guidance

As members of the Colgate University community, we often manage University data in the course of our job duties. Because of this, we often serve as data custodians of this data.

University data can be categorized into either public or private categories. Public data is data that does not require specific protection and is designed for general public use, such as data published on public web sites, paper handouts, or bulletin board announcements. Private data is all data that is not designed for public consumption and is reserved for the internal business purposes of the University including, but not limited to, administration, instruction, and research. Private data should be protected in accordance with the Colgate University Data Protection Standards.

A key responsibility of data custodians is to protect the data under their custodianship (see related documents). In order to do this properly, data custodians need to understand the types of data under their custodianship and need to categorize this data into the proper categories so that it can be managed and protected in accordance with its importance and sensitivity.

In addition to being public or private, some University data is subject to data protection regulations that protect the security and/or privacy of that data. Data custodians should understand which regulations apply to the data under their custodianship and ensure that the protections specified in those regulations are met.

Related Documents

Colgate University Data Protection Standards

Document Retention & Destruction Policy

Stewardship and Custodianship of Email