Effective Date: January 30, 2014
Date Last Reviewed: January 30, 2014
Date Scheduled for Review: January 30, 2015
Issuing Authority: Chief Information Security Officer
Data classification is a method of assigning a level of sensitivity to data. The classification of the data determines the extent to which it needs to be controlled and secured. This policy defines the required data protection criteria based on its classification and sensitivity. The guiding principle is that a user must have an approved need to have access to data. Protected Data shall be classified as sensitive or confidential, as described in this policy.
Scope of this policy
This policy applies to all individuals who access, use, or control Temple University data including, but not limited to, faculty, staff, students, researchers, those working on behalf of the University, and individuals authorized by affiliated institutions and organizations. This policy applies to all data regardless of storage medium or format. Additionally, it is understood that in the ordinary course of business faculty, staff, students, researchers and those working on behalf of the University may have access to unrestricted data, and that those individuals will still exercise discretion in the handling of such data.
Data must be maintained in an appropriately secure, accurate, and reliable manner and be readily available for authorized use. Data security measures must be implemented commensurate with the classification of the data, which is based on its sensitivity, and the risks associated with improper disclosure. University assigned Data Stewards (as defined in the Temple University Data Standards Guides) are responsible for evaluating and assigning an appropriate data classification to data residing in their functional areas. All systems and storage, whether internal or outsourced, handling confidential or sensitive data must complete a security risk assessment. Systems which cannot meet minimum security standards will have to implement compensating controls and be granted a special waiver by the Chief Information Security Officer.
All members of the University community have a responsibility to protect the confidentiality, integrity, and availability of data generated, accessed, modified, transmitted, stored or used by the University, irrespective of the medium on which the data resides and regardless of format (e.g., in electronic, paper or other physical form). Data should not be collected or stored unless it is for bona fide business and/or legal requirements. University assigned Data Stewards are responsible for implementing appropriate managerial, operational, physical, and technical controls for access to, use of, transmission of, and disposal of University data in compliance with this policy. Data Stewards are responsible for submitting to a security risk assessment prior to any new application or system implementation or usage, through the Information Technology Services Office of Information Security, per the Technology Usage Policy (Section III, Item c).
Confidential data
Inappropriate handling could result in severe consequences, such as criminal or civil penalties, identity theft, financial loss, or invasion of privacy. Access is granted by the supervisor/manager and Data Steward approval process based on job needs and justification. An annual access audit will be completed, and the data must remain within Temple locations, on Temple assets, or with contracted vendors that have been approved through the Office of University Counsel and Information Technology Services Office of Information Security. Examples of confidential data include Health Information, Social Security Number and credit card information.
Sensitive data
Sensitive data is all data not defined as unrestricted or confidential. This data may be accessed by anyone employed or working under contract for the University, in the conduct of bona fide University business. Access is granted by the supervisor/manager and Data Steward approval process based on job needs and justification. However, because of legal, ethical, or other constraints, access restrictions should be applied accordingly. Examples of sensitive data include home or emergency contact information, compensation, and background check verification.
Unrestricted data
Unrestricted data is information that is publicly available and whose unauthorized disclosure, alteration or destruction would generally result in little or no risk to the University and its affiliates. Examples of unrestricted data include press releases, course information, job descriptions and marketing materials intended for the general public.
Follow the Procedure for Reporting and Handling Security and Privacy Incidents if any confidential or sensitive data is or is suspected of being lost or disclosed to unauthorized parties, or if any unauthorized use of the University's information systems has or is suspected of having taken place.
Social Security Number Usage policy 04.75.11
Social Security Number Usage Procedures 04.75.12
Identity Theft Prevention Program 05.20.01
Credit Card Handling and Acceptance policy 05.20.17
Temple University Data Standards
Personally Identifiable Information Guidelines
Guidelines for Storing and Using Personally Identifiable Information in Non-Production Environments
Applicable Acts, Regulations, and Laws:
PA State Data Breach Notification Law: State Bill 712, 73 P.S. §§ 2301–2308, 2329
Gramm-Leach-Bliley Act (GLBA)
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
Payment Card Industry Data Security Standard (PCI DSS)