Data Classification and Protection Policy
The purpose of this policy is to establish a framework for classifying institutional data based on its level of sensitivity, value, and criticality to the University. Classification will aid in determining baseline security controls for the protection of data.
This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
- All University data must be classified into one of three sensitivity classifications after the creation or acceptance of ownership by the University: Fordham Protected Data, Fordham Sensitive Data, or Public Data.
- Data classification will aid in determining baseline security controls for the protection and use of data to ensure:
- The University’s statutory, regulatory, legal, contractual, and privacy obligations are met;
- The University’s proprietary data is kept protected as required;
- Data is appropriately available for internal decision making as required;
- Government and regulatory agency reporting is conducted per any legislative, regulatory, and legal requirements; and
- Appropriate data and information are shared with the necessary safeguards to third parties.
- If data is created jointly by more than one department, all involved departments must classify the data. If the departments are unable to agree on the classification, the data is classified as Fordham Sensitive data and remains designated as Fordham Sensitive data until the data owners reach an agreement to reclassify the data or until administrators (e.g., Data Standards Committee, area Vice Presidents) with authority adjusts the classification.
- Data owners must assess the level of risk according to the probability that harm will occur and the extent of that harm should the data be lost, stolen, or accessed by unauthorized parties.
- Departments are responsible for implementing appropriate managerial, operational, physical, and technical controls for access to, use of, transmission, and disposal of University data in compliance with this and related policies.
- Fordham Protected data requires the highest level of protection. All other data is classified as Fordham Sensitive data by default.
Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the University should that data be disclosed, altered, or destroyed without authorization.
Fordham Protected data is any data that contains Personally Identifiable Information (PII) or Personal Data concerning any individual. Fordham Protected data includes data that is regulated by local, state, Federal, the European Union (EU), or other statutes/agreements. These regulations may include, but are not limited to:
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standards (PCI DSS)
- General Data Protection Regulation (GDPR)
- Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)
Fordham Protected data also is designated or described by voluntary industry standards or best practices concerning the protection of such data that the University chooses to follow.
Fordham Sensitive data is based on departmental/internal standard operating procedures (e.g., budgets, payroll, or properties that Fordham may be interested in purchasing).
IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.
Personal Data is any information relating to a natural person (data subject) that can directly or indirectly identify that person. Examples include a name, an identification number, location data (e.g., mailing address or IP address), an online identifier (e.g., cookies), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. The GDPR does not apply to data rendered anonymous (individuals cannot be identified from the data) or pseudonymous (provided that the “key” that enables re‑identification of individuals is kept separate and secure).
Personally Identifiable Information (PII) is information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date, and place of birth, mother's maiden name, any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information, driver’s license number or non-driver identification card number, account number, credit, or debit card number in combination with other identifiable data, biometric information such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation, and username or email address in combination with a password or security question.
Public data may be disclosed to any person regardless of their affiliation with the University. Data that does not contain PII or Personal Data concerning any individual is not Fordham Protected data or Fordham Sensitive data.
Related Policies and Procedures
- Data Classification Guidelines
- Data Standards Manual
- Family Educational Rights and Privacy Act (FERPA) Policy
- HIPAA (Health Insurance Portability and Accountability Act of 1996)
- Merchant Credit Card Acceptance Policy
- Third-Party Data Transfer Policy
|Responsible Person||Director, IT Risk and Data Integrity|
|Approval Date||June 12, 2019|
|1.1||01/15/2016||Supersedes January 1, 2012|
|1.2||06/12/2019||Policy statement update, definition changes|
|2.0||07/15/2020||Policy name change, policy statement update, purpose statement update, definition changes, added SHIELD Act|
|2.1||07/26/2021||Updated purpose statement|
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) may only be done cooperatively between ISA and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to ISA written policies may be met with University sanctions.