Data Classification Policy

I. Introduction:

The University provides access to its administrative and academic data in order to facilitate the business of the University. This access, however, must be accomplished in a manner that ensures the security, confidentiality, integrity and availability of the data. All users share in this responsibility. To this end, this policy describes several classifications or categories of data and then describes how data in each category may be used and must be protected.

II. Applicability:

This policy applies to all University employees, students, alumni, contractors, affiliates, etc., who have access to TCU Data.

III. Definitions:

  1. Legitimate Interest – A need for data which arises within the scope of university employment and/or in the performance of authorized duties.
  2. TCU Data Owner – An individual, department or their respective managers with the primary responsibility for collecting and maintaining the particular TCU data covered by this policy.
  3. TCU Data – Data, in electronic or paper form, which is used with regard to University business.

IV. Policy Statement:

General

TCU Data is critical to the University. The University therefore expects all users with access to its data to manage, access, and utilize this data in a manner that is consistent with the University’s need for security and continuity.

TCU Data Owners may classify their data into one of four data classes. They may also expand on the requirements of this policy.

All users are custodians of the data they have access to since they have the ability to redistribute or in some cases alter the data. Custodians are responsible for treating the data in the manner described in this policy.

Data Classifications

  1. Personal Data

Personal Data is data that is owned by an individual and is not TCU Data.

Examples are

  • Photos of friends and family members
  • Files related to non-TCU business
  • Music purchased with personal funds.

  2. Public Data

Public Data is TCU Data which, if exposed, would not harm the University or individuals. There is often a need to disseminate this data widely, and no legal restrictions exist on its dissemination.

Examples are

  • TCU press releases
  • Class schedules
  • Promotional or marketing information
  • Public event information

  3. Private Data

Private TCU Data is TCU Data which, if exposed, would not significantly harm TCU or individuals but which is not intended for public release. This data is protected for proprietary, ethical or privacy reasons and must be restricted to users with a legitimate interest in the data.

Examples are

  • Institutional research findings
  • Employment data
  • Large numbers of email addresses

  4. Confidential Data

Confidential Data is TCU Data which, if exposed, could significantly harm an individual or the University. This data may also be protected by legal, regulatory, contractual or University policy requirements.

Examples are

  • Sensitive Personal Information (SPI)
  • Payroll data
  • FERPA, HIPAA, or GLB covered data
  • Credit card information

Requirements

Data is subject to the controls defined for each classification. Data should not be made generally available until the data has been classified.

  1. Personal Data

Personal Data restrictions and protections are determined by the owner. TCU takes no responsibility for Personal Data and users who store Personal Data on TCU-owned equipment do so at their own risk. Note that users will not necessarily have access to University property or any Personal Data stored on University Property after leaving the University.

If Personal Data contains Sensitive Personal Information (SPI) as defined in the TCU Sensitive Personal Information Policy it must be encrypted when stored on University resources.

  2. Public Data

There are no restrictions on accessing or disseminating Public Data.

  3. Private Data

Private TCU data must be protected to prevent loss, theft, unauthorized access, disclosure or destruction.

  • Some form of TCU-approved authentication and authorization is required in order to access this data. Examples of authentication are a TCU username and password, or a source IP address. Examples of authorization are file permissions, PeopleSoft roles or firewall rules.
  • Authorization rules are determined by the TCU Data Owners.
  • Duplicate or parallel copies of Private TCU Data must be approved by the TCU Data Owners and similar controls must be in place on all copies.
  • Paper copies of Private TCU Data must be kept in a closed container (e.g. desk, closet, file cabinet) when not in use in order to prevent public disclosure.
  • Electronic copies of Private TCU Data must be stored or transmitted in a manner that secures them from general public access.
  • Private TCU Data may not be stored on personally-owned computing devices unless an exception is made (e.g. email).
  • Private TCU Data must be deleted or destroyed when no longer necessary.
  • If Private TCU Data is shared with external parties, then there must be TCU-approved contract language detailing compliance with this policy.

  4. Confidential Data

Confidential TCU Data must be protected in the same manner as Private Data, along with the following additional requirements.

  • When stored in electronic form the data must be stored only on servers managed by Information Technology with appropriate data protection measures unless specifically approved.
  • When stored in paper format the data must be kept in locked containers or rooms with controlled access.
  • When the data is transmitted it must be in a secure and encrypted format.
  • Information Technology must be notified in a timely manner if Confidential Data is suspected of being lost or disclosed to unauthorized parties.
  • Confidential Data may not be stored on external or cloud-based sites or other destinations as described in the TCU Sensitive Personal Information Policy, TCU Credit Card Policy and other applicable policies.
  • When no longer necessary, Confidential Data must be securely destroyed according to TCU policies.
  • If Confidential Data is shared with external parties, then there must be contract language detailing compliance with this policy.

V. Enforcement:

Misuse of University information will be regarded with utmost seriousness. Alleged violations of this policy will be pursued in accordance with the appropriate disciplinary procedures for faculty, staff and students, and when indicated, sanctions up to and including dismissal or expulsion will be imposed. Legal action may be pursued if the violation involves external parties.

VI. Related Policies and Resources:

VII. Policy Governance:

  • Policy Owner – TCU Information Technology – Information Security Services
  • Approved by Chancellor’s Cabinet – April 2015