Data Classification Standard
Data classification is the process of organizing data into information security categories to support data security handling requirements.
Data classification, data privacy and protection standards at Towson University require that every employee takes appropriate measures to safeguard the confidentiality, integrity, availability and quality of data throughout its lifecycle, from creation to destruction.
Classifications of Data
TU categorizes data into three types to provide guidance on the proper handling of that data:
Level 1 - Public Data
Data intended for general public use. An example is information posted on TU's website (www.towson.edu).
Level 2 - Protected Data
Protected is the default classification of data at TU. Protected data is considered private and intended for internal use only. It includes all data which are not legally restricted, and which may be accessed by university employees in the performance of official university business. Examples include FERPA data, non-restricted data, personally identifiable information (PII), third-party contracts and TUID numbers.
Level 3 - Confidential Data
Confidential data is sensitive information for highly restricted use that needs to be carefully protected from unauthorized access (data as defined under HIPAA, PCI or other federal law). Examples include sensitive personal information (SPI), sensitive FERPA data, background checks for employment, sensitive business-related information, highly restricted research data and intellectual property.
Personally Identifiable Information (PII)
TU defines PII per Maryland Code under State Government Article §10-13A-01, is any information that, taken alone or in combination with other information, enables the identification of an individual. Examples Include:
- a full name
- geolocation data
- biometric information
Sensitive Personal Information (SPI)
SPI expands the PII definition to include any information with a high risk of harm to an individual or Towson University.
TU defines SPI, per Maryland Code under State Government Article §10-1301, as an individual’s first name or first initial and last name, personal mark, or unique biometric or genetic print or image, in combination with one or more of the following data elements:
- a social security number
- a driver’s license number, state identification card number, or other individual identification number issued by a unit
- a passport number or other identification number issued by the United States government.
- an individual taxpayer identification number
- a financial or other account number, a credit card number, or a debit card number that, in combination with any required security code, access code, or password, would permit access to an individual’s account
Sensitive FERPA data is SPI, and/or data that may be considered harmful to an individual or Towson University in the event of unauthorized access such as cumulative grade point averages.
Acronyms
- FERPA: The Family Educational Rights and Privacy Act
- HIPAA: Health Insurance Portability and Accountability Act
- PCI: Payment Card Industry
- PII: personally identifiable information
- SPI: sensitive personal information
- SOR: system of record
Support
Questions, comments or requests for exception to this standard should be directed to the Office of Technology Services (OTS) by submitting a TechHelp service request.
Related Resources
Release of Student Information Under FERPA
Data Use Standards