
Classification of Data

For the purposes of this document, data will be divided into three levels based upon the sensitivity of the data. Sensitivity is based not only on any liability to the University should this data be inadvertently released, but also on the potential damage to the reputation of the University.

Confidential Data (highest level of sensitivity)

Description:  Data at the Confidential level must be protected due to legal requirements, contractual requirements, or University policy. Data of this type includes, but is not limited to, student records (FERPA), financial records (GLBA), health care records (HIPAA), employment records, legal records, and certain business records (see below for additional examples).

Access:  Only those individuals who have been approved for access, may have signed non-disclosure agreements, and have a need to know will have access to this type of information. External release of this type of information is only through executive management or through subpoena or warrant. Unauthorized release of this type of data could result in termination from University employment.

Electronic Storage and Transmission: Any storage of this type of information in a cloud environment must adhere to the Lehigh University Cloud Computing Policy (ACIS Policy #11). Any computers containing this type of data must be encrypted using whole-disk encryption, as should any system with web access to this type of data, since cache files may be present. Any of this type of data stored on flash drives, cell phones, or any other external form of storage (including backups) must be in an encrypted form. Confidential data should not be sent by email unless it is sent as an encrypted attachment or your email is encrypted using public-key cryptography. While Lehigh-hosted email and Lehigh Google email are encrypted in transit using SSL connections, this does not ensure that the message is stored securely at its destination or that it is not being forwarded on to another email address through a non-SSL connection.

Institutional/Proprietary Data (moderate level of sensitivity)

Description:  Data at the Institutional/Proprietary level must be protected due to privacy, ethical, or proprietary constraints. Data of this type includes, but is not limited to, departmental data, Lehigh internal memos, and internal reports that are not intended for public access or distribution.

Access:  Only those individuals who have been approved for access and have a need to know will have access to this type of information. External release of this type of information is only through management or through subpoena or warrant. Unauthorized release of this type of data could result in disciplinary action.

Electronic Storage and Transmission:  Any storage of this type of information in a cloud environment must adhere to the Lehigh University Cloud Computing Policy (ACIS Policy #11). While full disk encryption is the preferred option, any files containing this type of data should be encrypted, whether they are on a computer, flash drive, cell phone, or any other external form of storage (including backups). Institutional/proprietary data should not be sent by email unless it is sent as an encrypted attachment or your email is encrypted using public-key cryptography. While Lehigh-hosted email and Lehigh Google email are encrypted in transit using SSL connections, this does not ensure that the message is stored securely at its destination or that it is not being forwarded on to another email address through a non-SSL connection.

Public/Unrestricted Data (lowest level of sensitivity)

Description:  Data at the Public/Unrestricted level is protected at the discretion of the department or the data owner. Data of this type includes, but is not limited to, all documents slated for public distribution, directory information as per FERPA, and any departmental data not deemed to be at a higher level of sensitivity (i.e., not meant for public consumption, but not necessarily important enough to warrant encryption).

Access:  Access to all data not meant for public consumption is at the discretion of the department or data owner.

Electronic Storage:  As with all data, it is recommended that all data of this type be stored on LAN drives where it will be backed up on a daily basis. Any backups of data stored on local hard drives are the responsibility of the user of that system.

Examples of Confidential Data

University confidential data and confidential data entrusted to the University include, but are not limited to:

  • Student Records - including grades within spreadsheets (protected via FERPA - Family Educational Rights and Privacy Act).
  • Human subjects information.
  • Health Care Information - personally identifiable information (protected via HIPAA - Health Insurance Portability and Accountability Act).
  • Personnel Records - including, but not limited to, employment applications, personnel files, performance evaluations, benefits information, payroll information, birth date, and Social Security number.
  • Financial Records - both institutional and personal (protected by the Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act, as well as other federal and state statutes).
  • Credit Card Records - governed by the Payment Card Industry - Data Security Standard (PCI-DSS).
  • Passwords and biometric identifiers.
  • Privileged attorney-client communications.
  • Internal Police Records.
  • Security Breach Triggers - Pennsylvania law defines the unauthorized release of personal information that constitutes a data breach as an individual’s name and Social Security number, name and driver’s license number (or State identification card), or name and financial account number; similar laws exist in most other states and cover the residents of those states whether in state or at Lehigh. In addition to name, the types of data whose unauthorized release may require the University to declare a data breach include, but are not limited to:
    • Social Security numbers
    • Driver’s license numbers
    • State identification card numbers
    • Credit/debit card numbers
    • Bank account/financial account numbers
    • Financial aid information
    • Donor information and non-public gift amounts
    • Lehigh University account credentials: Lehigh University identification numbers (LIN) with personal identification numbers (PIN), or Lehigh University usernames with passwords
    • Protected health care information
    • Passport and visa numbers

Externally funded research may be considered confidential data and is subject to the terms of any contract governing said project.

Intellectual property, including copyrighted resources obtained via fair use, may be considered confidential data and is protected by federal copyright law.

University confidential data or other confidential data maintained via a personal computer should be stored in an encrypted form within the personal network (LAN) file space of the individual and must not be backed up to a cloud storage service.

Any institutional or proprietary data placed into a cloud environment must be encrypted. This would include, but is not limited to, Lehigh internal memos and email, non-public reports, budgets, plans, financial information, contract information (between Lehigh and a third party), and physical plant detail.

Last modified on: by skr5.