Data Classification | Policies

TC Web Authentication
Welcome!Log In

Data Classification

Provides guidance for classification of College data based on the sensitivity of the data and the risk to the College if data is compromised.

Owner: Information Technology

Purpose

The first step in establishing the safeguards that are required for particular types of data, as defined in the Information Security Charter, is to determine the level of sensitivity applicable to particular data. Data classification is a method of assigning such levels and thereby determining the extent to which the data needs to be controlled and secured.

 

Scope

This policy applies to all students, staff, faculty members, officers, employees, and affiliates of Teachers College, Columbia University, including extended learning sites, guests, tenants, visitors, contractors, consultants, vendors, individuals authorized by affiliated institutions and organizations, and all others granted use of and/or access to Teachers College, Columbia University technology resources and data.

 

Policy

 1. General Statement

 Data security measures must be implemented commensurate with the sensitivity of the data and the risk to the College if data is compromised.  It is the responsibility of the applicable Data Stewards to evaluate and classify, with support from the CISO, the data for which they are responsible according to the classification system adopted by the College and described below.  If data of more than one level of sensitivity exists in the same System or Endpoint, such data shall be classified at the highest level of sensitivity.

 

2. Specific Requirements

2.1. Data Classification 

 The College has adopted the following four classifications of data:

 2.1.1. Sensitive Data: Any Personally Identifiable Information (PII) or information protected by federal, state, or local laws and regulations or industry standards, such as HIPAA, HITECH, the New York State Information Security Breach and Notification Act, The New York State SHIELD act, similar state laws and PCI-DSS. This category also includes privileged information, such as communications and related documents (a) reflecting communications between psychologists, counselors, and similar professionals and their patients or clients; and (b) subject to the attorney-client privilege and work-product protection.

 

For purposes of this Policy and the other Information Security Policies, Regulated and PII data include, but are not limited to: 

    • Personally Identifiable Information (PII)
    • Protected Health Information (PHI)
    • Research Health Information (RHI)

2.1.2. Confidential Data: Information that is protected as confidential by law or by contract and any other information that is considered by the College appropriate for confidential treatment.  

 

For purposes of this Policy and the other Information Security Policies, Confidential Data include, but are not limited to:

 

    • Student education records that are directly related to prior, current and prospective College students and maintained by Teachers College or an entity acting on Teachers College’s behalf. (The College’s FERPA policy specifies the covered records and important exceptions.) Student Records and Family Education Rights and Privacy Act (FERPA) Statement
    • Human resources information, such as salary and employee benefits information
    • Non-public personal and financial data about donors
    • Information received under grants and contracts subject to confidentiality requirements
    • Law enforcement or court records and confidential investigation records
    • Citizen or immigrations status
    • Unpublished research data
    • Unpublished College financial information, strategic plans and real estate or facility development plans
    • Information on facilities security systems or system configurations related to information security
    • Nonpublic intellectual property, including invention disclosures and patent applications
    • Applicant financial information.

 2.1.3. Internal Data: Any information that is proprietary or produced only for use by members of the College community who have a legitimate purpose to access such data.

 

For purposes of this Policy and the other Information Security Policies, Internal Data include, but are not limited to:

 

    • Internal operating procedures and operational manuals
    • Internal memoranda, emails, reports and other documents
    • Technical documents such as system configurations and floor plans.

 

2.1.4. Public Data: Any information that may or must be made available to the general public, with no legal restrictions on its access or use.

 

For purposes of this Policy and other Information Security Policies, Public Data include, but are not limited to, data which was intended to be widely available and was not made public through a violation of policy, contract or law. Examples include:

 

    • General access data on www.tc.columbia.edu
    • College financial statements and other reports filed with federal or state governments that are generally available to the public
    • Student information intended for the public, such as the lists of degrees recipients.

 

 

3. Related Policies

The Information Security Policies referred to in this Policy can be found in the Information Security Charter.



 4. Enforcement

 Violations of the Information Security Policies may result in corrective actions which may include: (a) the immediate suspension of computer accounts and network access and (b) mandatory attendance at additional training as a condition of continued use of computer accounts and network access. Subject to the College’s other rules of conduct and disciplinary procedures, significant violations may also result in (a) a letter to the individual’s personnel or student file; (b) administrative leave without pay; (c) other sanctions, up to and including termination or non-renewal of employment, faculty appointment or student status. Violations of the Information Security Policies may also result in civil or criminal liability under state, federal or international laws.

 

To protect Teachers College from legal and financial penalties, and loss of reputation that result from the exposure of confidential/sensitive data (e.g. protected health information (PHI), social security numbers (SSNs), credit card numbers, driver license numbers, passport and visa numbers), TC will implement Data Loss Prevention (DLP) solutions to safeguard data and prevent the unencrypted transmission of sensitive information. DLP enables an organization to reduce the risk of unintentional disclosure of sensitive data by identifying, monitoring and protecting confidential data while in use, in motion and at rest. 

 

 5. Definitions

 

Personally Identifiable Information (PII): Any information about an individual that (a) can be used to distinguish or trace an individual’s identity, such as name, date and place of birth, mother’s maiden name, or biometric records; (b) is linked or linkable to an individual, such as medical, educational, financial, and employment information, which if lost, compromised, or disclosed without authorization, could result in harm to that individual; and (c) is protected by federal, state or local laws and regulation or industry standards.

 

Examples of PII include, but are not limited to, any information concerning a person that can be used to identify such person, such as name, number, personal mark or other identifier, in combination with any one or more of the following:

 

  • Social security number
  • Driver’s license number or non-driver identification card number
  • Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account
  • Email address with password (in certain narrow instances)
  • Electronic Protected Health Information
  • College Financial Data on Backend Systems
  • Biometric information, such as a fingerprint, voice print, retina or iris image, or other unique physical or digital representation used to authenticate or ascertain an individual's identity. 

 

Protected Health Information (PHI): Individually Identifiable Health Information that is transmitted or maintained by that is used, maintained, stored, or transmitted by a HIPAA-covered entity.

 

Research Health Information (RHI): Individually Identifiable Health Information that (a) is created or received in connection with research that does not involve a Covered Transaction; or (b) although previously considered Protected Health Information, has been received in connection with research pursuant to a valid HIPAA authorization or IRB waiver of HIPAA authorization. The College’s Office of the General Counsel is responsible for determining whether particular information created, received, maintained, processed or transmitted by Teacher’s College constitutes PHI. 

 

See the Definitions section of the Information Security Charter.

 

Responsible Office: Teachers College Information Technology

Effective Date: February 1, 2021

Last Updated: January 15, 2021

Back to skip to quick links