Data Classifications: Data Types

Data Classification Grid Legend

1 - This service can only be used when care is taken to limit access to authorized individuals. Do not use features that allow any recipient of a link to view the data, as there is no way to ensure the bearer is the intended party. Do not use features that allow the entire Fordham.edu domain (including all students and alumni) to view the data.

2 - To protect this class of data, removable media or a mobile device must be used in conjunction with a sanctioned encryption product. For guidance, contact the University Information Security Office at infosec@fordham.edu.

3 - This service may be used with the approval of the identified data owner. Some data may be subject to regulation by Fordham's Information Risk Management Board (IRMB), and the use of these services must be vetted through the IRMB Risk Assessment process. For other questions, including identifying data ownership, contact the University Information Security Office at infosec@fordham.edu.

4 - Fordham Protected Data and Fordham Sensitive Data stored on these cloud services or emailed to non-Fordham recipients must be encrypted before transmission. To review your use of this technology for Fordham Protected Data and Fordham Sensitive Data, contact the University Information Security Office at infosec@fordham.edu.

5 - This service may be used with the approval of the identified data owner or by contacting the University Information Security Office at infosec@fordham.edu. Any communication beyond that must follow rule number 4.

6 - Limited use of Non-Fordham Provided services may be used for data protected under this class. Any communication beyond that is prohibited.

7 - To protect this class of data, videoconferencing may only be used if chat, recording, or transcript generation features are disabled.

 

Student Educational Records - FERPA

Description
The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student educational records.
 
Examples
Athletics or department recruiting information
Class schedule
Degree information
Disciplinary records
Student transcripts
 
Special Case: Directory Information 
Student directory information may be published unless a student has requested non-disclosure from the University Registrar or Law School Registrar in writing within ten days after the first day of class each semester. In addition, the University, at its discretion, may provide the following directory information: student’s name, address, telephone number, Fordham email address, photograph, date and place of birth, major field of study, dates of attendance, grade level, enrollment status (e.g., undergraduate or graduate; full-time or part-time), participation in officially recognized activities and sports, weight and height of members of athletic teams, degrees, honors and awards received, the most recent educational agency or institution attended, and other similar information.
 
Links
http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
http://www.fordham.edu/info/21366/policies/2781/family_educational_rights_and_privacy_act_ferpa_policy
 
Permitted Services
  • Fordham Provided Services
    • Blackboard®
    • Devices on PCI-compliant network
    • EasyVista™
    • Equipment (desktop, laptop, tablet, smartphone)
    • File shares (S:\ drive) and managed servers
    • OnBase® by Hyland 
    • Panopto®
    • Qualtrics®
    • Zoom™
Services permitted with restrictions
  • Fordham Provided Services
    • Core Google™ Apps (Calendar, Classroom, Docs, Sheets, Sites, Groups, Chat/Meet, Jamboard) (1)
    • Gmail™ / Contacts account (5)
    • Google Drive (1)
    • MailChimp®, Acoustic Marketing Automation (Fordham Messaging Platform / FMP) (3)
    • Microsoft Azure™ Cloud Computing Platform (4)
    • Microsoft Office 365™ (1)
    • Microsoft OneDrive™ for Business (1)
    • Rackspace Technology™ Cloud Files (4)
    • Reclaim Hosting (1)
    • Removable media (USB thumb drive) (2)
  • Non-Fordham Provided Services
    • Personal desktops and laptops (6)
Prohibited-Services
  • Fordham Provided Services
    • Non-Core Google Apps (e.g., Photos, Maps, YouTube™)
    • Smartsheet™
    • Text Messaging
  • Non-Fordham Provided Services
    • Cloud storage services not covered by University agreements (e.g., Evernote®, Dropbox™, personal Google Drive, iCloud™, Amazon S3™, personal Microsoft Office 365, personal Microsoft OneDrive, personal Microsoft Azure, personal Smartsheet, and personal Reclaim Hosting services) 
    • Image storage services not covered by University agreements (e.g., Flickr®, Instagram™, SmugMug ®)
    • Personal equipment (tablet, smartphone, removable media / thumb drive)
    • Personal third-party email services (e.g., personal Gmail, Hotmail™, Yahoo ®)
    • Text Messaging
    • Third-party survey tools not covered by University agreements (e.g., SurveyMonkey ®, Constant Contact ®)
    • Third-party videoconferencing tools not covered by University agreements (e.g., personal Zoom, personal Microsoft Teams™, FaceTime ®, WhatsApp™)
 

Student Loan Application Information - GLBA

Description
Personal financial information held by or on behalf of financial institutions is protected by the Gramm-Leach-Bliley Act (GLBA).
 
Examples
Scholarship data
Federal work-study information
Student financial aid information
Student loan information
Student tuition payment history
 
Links
https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act
 
Permitted Services
  • Fordham Provided Services
    • File Shares (S:\ drive) and Managed Servers
    • OnBase® by Hyland
    • Qualtrics®
Services permitted with restrictions
  • Fordham Provided Services
    • Equipment (desktop, laptop, tablet, smartphone) (2)
    • Gmail™ / Contacts account (4)
    • Microsoft Azure™ Cloud Computing Platform (4)
    • Microsoft Office 365™ (1)
    • Microsoft OneDrive™ for Business (1)
    • Rackspace Technology Cloud Files (4)
    • Removable media (USB thumb drive) (2)
    • Zoom™ (7)
Prohibited Services
  • Fordham Provided Services
    • Blackboard®
    • Core Google™ Apps (Calendar, Classroom, Docs, Sheets, Sites, Groups, Chat/Meet, Jamboard)
    • Devices on PCI-compliant network
    • EasyVista™
    • Google Drive
    • MailChimp®, Acoustic Marketing Automation (Fordham Messaging Platform / FMP)
    • Non-Core Google Apps (e.g., Photos, Maps, YouTube™)
    • Panopto®
    • Reclaim Hosting
    • Smartsheet™
    • Text Messaging
  • Non-Fordham-Provided Services
    • Cloud storage services not covered by University agreements (e.g., Evernote®, Dropbox™, personal Google Drive, iCloud™, Amazon S3™, personal Office 365, personal Microsoft OneDrive, personal Microsoft Azure, personal Smartsheet, and personal Reclaim Hosting services)
    • Image storage services not covered by University agreements (e.g., Flickr®, Instagram™, SmugMug®)
    • Personal desktops and laptops
    • Personal equipment (tablet, smartphone, removable media/thumb drive)
    • Personal third-party email services (e.g., personal Gmail, Hotmail™, Yahoo®)
    • Text Messaging 
    • Third-party survey tools not covered by University agreements (e.g., SurveyMonkey®, Constant Contact®)
    • Third-party videoconferencing tools not covered by University agreements (e.g., personal Zoom, personal Microsoft Teams ™, FaceTime®, WhatsApp™)
 

Personally Identifiable Information - PII

Description
Personally Identifiable Information (PII) can potentially be used to uniquely identify an individual and is considered protected. Fordham University policies, contractual obligations, and federal and state regulations require PII data is accessed, shared, and stored with care. Access to personal information should be restricted to a need-to-know basis. 
 
Examples
Driver’s license number
Emergency contacts 
Fordham University protects the confidentiality of certain personal data items associated with ANY individual, including but not limited to:
  • Financial account number (e.g., credit/debit card numbers, routing number)
  • Last name, first name, or initial associated with any one item listed above
  • Passport number
  • Social security number (SSN)
  • State-issued ID card number
For Employees, additional examples include:
  • Benefits information, workers’ compensation, disability claims
  • Performance reviews
  • Salary information
For Donors/Prospects, additional examples include:
  • Biographic or demographic data
  • Contact information
  • Gift data and gift planning information
Students, see FERPA – Student Educational Records
 
Permitted Services
  • Fordham Provided Services
    • Devices on PCI-compliant network
    • Equipment (desktop, laptop, tablet, smartphone)
    • File Shares (S:\ drive) and Managed Servers
    • OnBase® by Hyland
    • Qualtrics®
Services permitted with restrictions
  • Fordham Provided Services
    • Core Google™ Apps (Calendar, Classroom, Docs, Sheets, Sites, Groups, Chat/Meet, Jamboard) (1)
    • Gmail/Contacts account (4)
    • Google Drive (1)
    • Microsoft Azure™ Cloud Computing Platform (4)
    • Microsoft Office 365™ (1)
    • Microsoft OneDrive™ for Business (1)
    • Removable media (USB thumb drive) (2)
    • Rackspace Technology Cloud Files (4)
    • Smartsheet™ (1)
    • Zoom™ (7)
Prohibited Services
  • Fordham Provided Services
    • Blackboard®
    • EasyVista™
    • MailChimp®, Acoustic Marketing Automation (Fordham Messaging Platform / FMP)
    • Non-Core Google Apps (e.g., Photos, Maps, YouTube™)
    • Panopto®
    • Reclaim Hosting
    • Text Messaging
  • Non-Fordham Provided Services
    • Cloud storage services not covered by University agreements (e.g., Evernote®, Dropbox™, personal Google Drive, iCloud™, Amazon S3™, personal Office 365, personal Microsoft OneDrive, personal Microsoft Azure, personal Smartsheet, and personal Reclaim Hosting services)
    • Image storage services not covered by University agreements (e.g., Flickr®, Instagram™, SmugMug®)
    • Personal desktops and laptops
    • Personal equipment (tablet, smartphone, removable media/thumb drive)
    • Personal third-party email services (e.g., personal Gmail, Hotmail™, Yahoo®)
    • Text Messaging
    • Third-party survey tools not covered by University agreements (e.g., SurveyMonkey®, Constant Contact®)
    • Third-party videoconferencing tools not covered by University agreements (e.g., personal Zoom, personal Microsoft Teams™, FaceTime®, WhatsApp™)
 

Protected Health Information - PHI/HIPAA

Description
Protected Health Information (PHI) is defined by the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Privacy Rule establishes national standards to protect the privacy of personal health information. PHI covers identifiable health information related to an individual’s physical or mental health, provision of healthcare, or healthcare payments.
 
Note: Personal health data stored in student educational records are subject to FERPA and excluded from HIPAA provisions by statute.
 
Examples
Health status
Healthcare payment or insurance information
Healthcare treatment
Medical record number
 
Links
http://www.hhs.gov/hipaa/index.html
 
Permitted Services
  • Fordham Provided Services
    • OnBase® by Hyland
    • Qualtrics®
Services permitted with restrictions
  • Fordham Provided Services
    • Microsoft Azure™ Cloud Computing Platform (4)
    • Microsoft OneDrive™ for Business (1)
    • Microsoft Office 365™ (1)
    • Removable media (USB thumb drive) (2)
    • Zoom™ (using Fordham credentials) (7)
Prohibited Services
  • Fordham Provided Services
    • Blackboard®
    • Core Google™ Apps (Calendar, Classroom, Docs, Sheets, Sites, Groups, Chat/Meet, Jamboard)
    • Devices on PCI-compliant network
    • EasyVista™
    • File Shares (S:\ drive) and managed servers
    • Equipment (desktop, laptop, tablet, smartphone)
    • Gmail™ / Contacts account
    • Google Drive
    • MailChimp®, Acoustic Marketing Automation (Fordham Messaging Platform / FMP)
    • Non-Core Google Apps (e.g., Photos, Maps, YouTube™)
    • Panopto®
    • Rackspace Technology™ Cloud Files
    • Reclaim Hosting
  • Non-Fordham Provided Services
    • Cloud storage services not covered by University agreements (e.g., Evernote®, Dropbox™, personal Google Drive, iCloud™, Amazon S3™, personal Microsoft Office 365, personal Microsoft OneDrive, personal Microsoft Azure, personal Smartsheet, and personal Reclaim Hosting services)
    • Image storage services not covered by University agreements (e.g., Flickr®, Instagram™, SmugMug®)
    • Personal desktops and laptops
    • Personal equipment (tablet, smartphone, removable media/thumb drive)
    • Personal third-party email services (e.g., personal Gmail, Hotmail™, Yahoo®)
    • Text Messaging
    • Third-party survey tools not covered by University agreements (e.g., SurveyMonkey®, Constant Contact®)
    • Third-party video conferencing tools not covered by University agreements (e.g., personal Zoom, personal Microsoft Teams™, FaceTime®, WhatsApp™)
 

Credit Card/PCI

Description
Payment Card Industry (PCI) information relates to credit card, debit card, and other payment card data involved in accepting payment. PCI data security standards apply to all entities storing, processing, or transmitting cardholder data. Fordham University uses a secure network and adheres to strict procedures to protect payment data. University transactions where payment is accepted must not be processed on departmental or personal devices.
 
Examples
Authentication or security code
Cardholder name
Credit or debit card account number 
Expiration date
 
Links
Fordham's Merchant Credit Card Acceptance Policy
PCI Security Standards - Maintaining Payment Security
 
Permitted Services
  • Fordham Provided Services
    • Devices on PCI-compliant network
Services permitted with restrictions
  • None
Prohibited Services
  • Fordham Provided Services
    • Blackboard®
    • Core Google™ Apps (Calendar, Classroom, Docs, Sheets, Sites, Groups, Chat/Meet, Jamboard)
    • EasyVista™
    • Equipment (desktop, laptop, tablet, smartphone)
    • File Shares (S:\ drive) and managed servers
    • Gmail™ / Contacts account
    • Google Drive
    • OnBase® by Hyland
    • MailChimp®, Acoustic Marketing Automation (Fordham Messaging Platform / FMP
    • Microsoft Azure™ Cloud Computing Platform (4)
    • Microsoft Office 365™ (1) 
    • Microsoft OneDrive™ for Business (1) 
    • Non-Core Google Apps (e.g., Photos, Maps, YouTube)
    • Panopto®
    • Qualtrics®
    • Rackspace Technology™ Cloud Files
    • Reclaim Hosting
    • Removable media (USB thumb drive)
    • Smartsheet™
    • Text Messaging
    • Zoom™
  • Non-Fordham Provided Services
    • Cloud storage services not covered by University agreements (e.g., Evernote®, Dropbox™, personal Google Drive, iCloud™, Amazon S3™, personal Office 365, personal Microsoft OneDrive, personal Microsoft Azure, personal Smartsheet, and personal Reclaim Hosting services)
    • Image storage services not covered by University agreements (e.g., Flickr®, Instagram™, SmugMug®)
    • Personal desktops and laptops
    • Personal equipment (tablet, smartphone, removable media/thumb drive)
    • Personal third-party email services (e.g., personal Gmail, Hotmail™, Yahoo®)
    • Text Messaging
    • Third-party survey tools not covered by University agreements (e.g., SurveyMonkey®, Constant Contact®)
    • Third-party videoconferencing tools not covered by University agreements (e.g., personal Zoom, personal Microsoft Teams™, FaceTime®, WhatsApp™)
 

Attorney-Client Privileged Information

Description
Communication made in confidence between a client and an attorney to seek or obtain professional legal advice is considered Fordham Protected Data.
 
Examples
Communication related to a lawsuit
Communication related to a vendor contract dispute
 
Permitted Services
  • Fordham Provided Services
    • File shares (S:\ drive) and Managed Servers
    • Equipment (desktop, laptop, tablet, smartphone)
    • OnBase® by Hyland
Services permitted with restrictions
  • Fordham Provided Services
    • Gmail™ / Contacts account (5)
    • Google™ Drive (1)
    • Core Google Apps (Calendar, Classroom, Docs, Sheets, Sites, Groups, Chat/Meet, Jamboard) (1)
    • Microsoft Azure™ Cloud Computing Platform (4)
    • Microsoft Office 365™(1)
    • Microsoft OneDrive™ for Business (1)
    • Rackspace Technology Cloud Files (4)
    • Removable media (USB thumb drive) (2)
Prohibited Services
  • Fordham Provided Services
    • Blackboard®
    • Devices on PCI-compliant network
    • EasyVista™
    • MailChimp®, Acoustic Marketing Automation (Fordham Messaging Platform / FMP)
    • Non-core Google Apps (e.g., Photos, Maps, YouTube™)
    • Panopto®
    • Qualtrics®
    • Reclaim Hosting
    • Smartsheet™
    • Text Messaging
  • Non-Fordham Provided Services
    • Cloud storage services not covered by University agreements (e.g., Evernote®, Dropbox™, personal Google Drive, iCloud™, Amazon S3™, personal Office 365, personal Microsoft OneDrive, personal Microsoft Azure, personal Smartsheet, and personal Reclaim Hosting services)
    • Image storage services not covered by University agreements (e.g., Flickr®, Instagram™, SmugMug®)
    • Personal desktops and laptops
    • Personal equipment (tablet, smartphone, removable media/thumb drive)
    • Personal third-party email services (e.g., personal Gmail, Hotmail™, Yahoo®)
    • Text Messaging
    • Third-party survey tools not covered by University agreements (e.g., SurveyMonkey®, Constant Contact®)
    • Third-party videoconferencing tools not covered by University agreements (e.g., personal Zoom™, personal Microsoft Teams™, FaceTime®, WhatsApp™)
 

Fordham Protected Data

Description
Fordham Protected Data is data that contains personally identifiable information concerning individuals. It is data that contains personally identifiable information regulated by local, state, or federal privacy regulations. In addition, this data is designated or described by any voluntary industry standards or best practices concerning the protection of personally identifiable information that Fordham chooses to follow. These regulations may include, but are not limited to:
  • Family Educational Rights and Privacy Act (FERPA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry Data Security Standards (PCI DSS)
  • General Data Protection Regulation (GDPR)
  • Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)
 
Links
Data Classification and Protection Policy
 
Examples
Credit card data
Health status
Social security number (SSN)
Student transcripts
Student loan information
 

Fordham Sensitive Data

Description
Data owners (originating or maintaining custody of the data) can classify data elements as sensitive based on their internal standard operating procedures. Unauthorized disclosure of sensitive data may adversely affect Fordham University’s reputation, resources, services, or community members. Therefore, Fordham Sensitive is the default data classification and should be assumed when no information indicates the data should be classified as Fordham Protected or Public.
 
Links
Data Classification and Protection Policy
 
Examples
Annual budget information
Employee compensation
Fordham University investment data
 
Permitted Services
  • Fordham Provided Services
    • Blackboard®
    • Devices on PCI-compliant network
    • Equipment (desktop, laptop, tablet, smartphone)
    • File Shares (S:\ drive) and Managed Servers
    • OnBase® by Hyland
    • Qualtrics®
Services permitted with restrictions
  • Fordham Provided Services
    • Core Google™ Apps (Calendar, Classroom, Docs, Sheets, Sites, Groups, Chat/Meet, Jamboard) (1)
    • Gmail™ / Contacts account (5)
    • Google Drive (1)
    • MailChimp®, Acoustic Marketing Automation (Fordham Messaging Platform / FMP) (3)
    • Microsoft Azure™ Cloud Computing Platform (4)
    • Microsoft Office 365™ (1)
    • Microsoft OneDrive™ for Business (1)
    • Provided removable media (USB thumb drive) (2)
    • Rackspace Technology Cloud Files (4)
    • Smartsheet™ (1)
    • Zoom™ (7)
Prohibited Services
  • Fordham Provided Services
    • EasyVista™
    • Non-core Google Apps (e.g., Photos, Maps, YouTube™)
    • Panopto®
    • Reclaim Hosting
    • Text Messaging
  • Non-Fordham Provided Services
    • Cloud storage services not covered by University agreements (e.g., Evernote®, Dropbox™, personal Google Drive, iCloud™, Amazon S3™, personal Microsoft Office 365™, personal Microsoft OneDrive™, personal Microsoft Azure™, personal Smartsheet, and personal Reclaim Hosting services)
    • Image storage services not covered by University agreements (e.g., Flickr®, Instagram™, SmugMug®)
    • Personal desktops and laptops
    • Personal equipment (tablet, smartphone, removable media / thumb drive)
    • Personal third-party email services (e.g., personal Gmail, Hotmail™, Yahoo®)
    • Text Messaging
    • Third-party survey tools not covered by University agreements (e.g., SurveyMonkey®, Constant Contact®)
    • Third-party videoconferencing tools not covered by University agreements (e.g., personal Zoom, personal Microsoft Teams™, FaceTime®, WhatsApp™)
 

Public Data

Description
Public Data is any data that Fordham intends to make available to the public. For department-specific data, this classification comes from the department originating or maintaining custody of the data. If data is created by more than one department, all involved departments will jointly classify the data. Data that does not contain personally identifiable information (PII) and is not Fordham Protected Data or Fordham Sensitive data is classified as Public Data.
 
Links
Data Classification and Protection Policy
 
Examples
Department faculty lists
Fordham website
Job postings 
Press releases
Published research
University addresses and campus map
 
Permitted Services
  • Fordham Provided Services
    • Blackboard®
    • Core Google™ Apps (Calendar, Classroom, Docs, Sheets, Sites, Groups, Chat/Meet, Jamboard)
    • Devices on PCI-compliant network
    • EasyVista™
    • Equipment (desktop, laptop, tablet, smartphone)
    • File Shares (S:\ drive) and Managed Servers
    • Gmail™/ Contacts account
    • Google Drive
    • MailChimp®, Acoustic Marketing Automation (Fordham Messaging Platform / FMP) 
    • Microsoft Azure™ Cloud Computing Platform (4)
    • Microsoft Office 365™ (1)
    • Microsoft OneDrive™ for Business (1)
    • Non-Core Google Apps (e.g., Photos, Maps, YouTube™) 
    • OnBase® by Hyland 
    • Provided removable media (USB thumb drive)
    • Qualtrics® 
    • Rackspace Technology™ Cloud Files 
    • Reclaim Hosting
    • Smartsheet™
    • Text Messaging
  • Non-Fordham Provided Services
    • Cloud storage services not covered by University agreements (e.g., Evernote®, Dropbox™, personal Google Drive, iCloud™, Amazon S3™, personal Microsoft Office 365, personal Microsoft OneDrive, personal Microsoft Azure, personal Smartsheet, and personal Reclaim Hosting services)
    • Image storage services not covered by University agreements (e.g., Flickr®, Instagram™, SmugMug®)
    • Personal desktops and laptops
    • Personal equipment (tablet, smartphone, removable media/thumb drive)
    • Personal third-party email services (e.g., personal Gmail, Hotmail™, Yahoo®)
    • Text Messaging
    • Third-party survey tools not covered by University agreements (e.g., SurveyMonkey®, Constant Contact®)
    • Third-party videoconferencing tools not covered by University agreements (e.g., personal Zoom™, personal Microsoft Teams™, Facetime®, WhatsApp™)
Services permitted with restrictions
  • None
Prohibited Services
  • None

 Need Help?


Walk-In Centers

McGinley 229 | RH
Lowenstein SL19A | LC

View Our Walk-In Hours