Data Classification

Purpose

To establish a framework for classifying institutional data based on its level of sensitivity, value, and criticality to the university as required by the university’s Information Security Policy. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. Classification of data should be performed by the appropriate data owner. Further standards, guidelines, and recommendations will specify handling requirements for data based on its classification.

Scope

This policy applies to all data or information that is created, collected, stored, or processed by the university, in electronic or non-electronic formats. This policy applies to all departments/data owners who are responsible for classifying and protecting institutional data.

Recommendations and Guidelines

Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the university should that data be disclosed, altered, or destroyed without authorization. All institutional data should be classified into one of four sensitivity levels, or classifications:

Public

Data should be classified as public when unauthorized disclosure, alteration, or destruction of that data would result in little or no risk to the university. While little or no controls are required to protect the confidentiality of public data, some level of control is required to prevent unauthorized modification or destruction.

Internal

Data should be classified as internal when unauthorized disclosure, alteration, or destruction of that data could result in a moderate level of risk to the university. By default, all institutional data not explicitly classified as public, confidential, or highly confidential should be treated as internal data. A reasonable level of security controls should be applied to internal data.

Confidential

Data should be classified as confidential when unauthorized disclosure, alteration, or destruction of that data could cause significant harm to the university. This includes sensitive internal data that is not legally protected but still requires controlled access. A strong level of security controls should be applied to confidential data.

Highly Confidential

Data should be classified as highly confidential when unauthorized disclosure, alteration, or destruction of that data could cause severe harm or legal liability to the university. This includes data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to Highly Confidential data.

Determining Classifications

Data owners should use the table below as a guide in determining classification of data. Data types that have classifications mandated (due to applicable laws, regulations, or contracts) and those that are in common use throughout the university are included. For assistance in determining an appropriate classification or to add a new data type, send your request to infosec@bryant.edu.

Classification	Examples
Public	Admission brochures and application forms Campus maps and building locations Course catalogs and class schedules University directory information (not restricted by FERPA) Press releases and news articles Academic calendars and faculty profiles Published research available to the public
Internal	Committee and group membership details Internal contact lists and employee directories Draft policies and unpublished research data Internal emails, meeting minutes, and reports Technical documentation for university systems Strategic plans and internal project documents Job postings not open to external applicants
Confidential	Student academic records (grades, transcripts, schedules) Employee HR data (benefits, salaries, evaluations) Alumni and donor contact information University ID numbers Emergency planning documents Course evaluations Internal audit reports Unpublished research proposals
Highly Confidential	Social Security numbers Bank account and routing numbers Credit/debit card numbers (PCI-DSS) Financial aid records and FAFSA data Protected Health Information (PHI) under HIPAA Grievance and disciplinary action records Passport, visa, and driver’s license details Passwords, PINs, and encryption keys Biometric data

Data Collections

Data owners may wish to assign a single classification to a collection of data that is common in purpose or function. When classifying a collection of data, the most restrictive classification of any individual data element should be used.

Reclassifications

It is important to periodically reevaluate the classification of institutional data to ensure the assigned classification is still appropriate based on changes to legal and contractual obligations as well as changes in the use of the data or its value to the university. This evaluation should be conducted by the appropriate data owner. The data owner should determine the appropriate frequency of review. If a data owner determines that the classification of a certain data type has changed, an analysis of security controls should be performed by the data custodian to determine whether existing controls are consistent with the new classification. If gaps are found in existing security controls, they should be corrected in a timely manner, commensurate with the level of risk presented by the gaps.

Compliance

The university considers any violation of the directives outlined within this document to be an objectionable offense. Failure to comply may subject the violator to disciplinary or legal action by the university.

Exceptions

Any exceptions to the directives outlined within this document are to be reviewed and approved by the Security Management Team, as needed.

Policy Review and Revisions

Last Reviewed	Last Updated	Summary
9/1/2025	9/1/2025	Annual review and update.