3.5 Data Classification and Control

The University recognizes that the value of its data and resources lie in their appropriate and widespread use. Pacific Lutheran University is committed to respect and protect the privacy of its students, employees, parents, alumni, friends and healthcare patients as well as to protect the confidentiality of information important to the University’s academic mission.

A data classification policy is necessary to provide a framework for securing data from risks including but not limited to, unauthorized destruction, modification, disclosure, access, inappropriate use and removal.

University employees with designated responsibility for electronic data (data stewards) must

  • classify data for which they are responsible as public, internal, or restricted
  • establish data access procedures commensurate with assigned categories
  • manage the data in a manner that controls access to it when in storage, during transmission, or while being processed in accordance with its classification

Vendors or consultants granted access to PLU data must comply with all classification and control policies associated with the data to which they have been granted access.

Pacific Lutheran University regards any violation of this policy as a serious offense. Violators of this policy are subject to disciplinary action, in addition to possible removal/suspension of PLU resources and system access privileges. Users of PLU resources and systems are subject to all applicable local, state, federal and international regulations. This policy does not preclude prosecution of criminal and civil cases under relevant local, state, federal and international laws and regulations.

3.5.1 Data Classifications

Public data are the least sensitive information and are acceptable for public consumption. Public data is readily available to (or shared with) persons both within and outside the university. Examples include (but are not limited to) unrestricted PLU Web pages and sites, news releases, general university publications, and directory information under Family Educational Rights and Privacy Act (FERPA) regulations and associated PLU policies.

Internal data are moderately sensitive information. All university data are considered internal unless classified otherwise. Internal data is created or gathered by the university in order to conduct university business, but due to its sensitive nature requires restricted access or distribution. The risk for harm to the university or an individual is low-to-medium. Such data is accessed by PLU employees only on a need-to-know basis for performing assigned duties; it is not normally available outside the university except upon authorization by a relevant university official. Examples of sensitive data include but are not limited to class rosters, employee home addresses or phone numbers, admission reports, passwords, and contractual agreements.

Restricted data are highly sensitive information for which an unauthorized disclosure may result in identity theft or university liability for costs or damages under laws, government regulations or contract. Restricted data is highly sensitive and requires very strict control due to the potential for great harm or loss that could occur to the university or to an individual if disclosed, altered, or destroyed. All medical and human resources-related information is strictly confidential. Other examples of confidential data include but are not limited to social security numbers, credit card numbers, bank account numbers, and student education records under Family Educational Rights and Privacy Act (FERPA) regulations and associated PLU policies.

3.5.2 Data Control

These data control policies apply to any system (electronic or print) that holds internal or restricted data, both on and off campus and even if not university-owned. A system is “holding” internal or restricted data when such data is stored locally in the system or when the system is regularly used to extract data for use on network volumes or file systems.

Data stewards and custodians are responsible for managing and using university information in ways that are consistent with the university’s privacy and security policies (2.0 Privacy and 3.0 Security).

All employees are expected to maintain confidentiality for the data and systems to which they have access.

PLU employees may release internal or restricted information only to (a) entities that have a legitimate business need and have signed a data sharing agreement approved by the Senior Vice President for Administrative Services , or (b) university employees with job responsibilities to perform assigned duties that require this data.

Representatives of the university must comply with all applicable laws and policies related to the handling or disclosure of data before distributing the data (e.g. educational records under FERPA, health records under HIPAA).

Any transfer of restricted data must be securely transported or transmitted. If the information is to be used by an external entity, there must be a prior documented commitment from that entity to comply with PLU policies and any security or data protection requirements assigned by the appropriate university representative.

Loss of, or unauthorized access to, restricted data must be addressed in accordance with the incident response and escalation procedures in 3.8, below.

3.5.3 Data Classification Guidelines

University data stewards, as defined in section 3.2.2, will be responsible for identifying all types of data handled by the university and classifying the sensitivity of the data. In determining the sensitivity of the data the requirements of local, state, federal and international laws must be considered.

Public: Considered the least sensitive information and are acceptable for public consumption. Requires no special protective measures. This includes, but is not limited to:

  • Name
  • Address
  • Phone Number
  • Publications for recruiting, marketing or informational purposes
    • Admission Viewbook
    • Course Catalog
    • ResoLute
  • PLU Website
  • Sports Rosters

Internal: Data which is considered moderately sensitive. All university data are considered internal unless classified otherwise. Subject to restrictions pertaining to access, storage, transmission and disposal. This includes, but is not limited to:

  • PLU ID Number
  • Academic Record – aggregated data, non-identifiable
  • Advising Records
  • Travel Authorization Information
  • Academic Dashboard Reports (that do not include Restricted data)

Restricted: Considered highly sensitive information for which an unauthorized disclosure may result in identity theft or university liability for costs or damages under local, state and federal laws, government regulations or contract (ie HIPAA, FERPA, Gramm-Leach-Bliley, etc). Subject to restrictions pertaining to access, storage, transmission and disposal (see PLU Data Handling Standards). This includes, but is not limited to:

  • SSN (Social Security Number)
  • Combination of Name, Birthdate and last four of SSN
  • Credit Card Information
  • Banking Information
  • Driver’s License and/or Other Government ID
  • Admission Application
  • Academic Record
    • Test Scores
    • Grades
    • Courses taken
  • Medical Records
  • Passwords or credentials that allow access to any data
  • PINs (Personal Identification Numbers)
  • Disability Services Records