Data Classification

Sinclair Information Classification Matrix

Updated 9/23/13

 

| Type of Information | Primary Owner or Repository | Confidentiality Classification | Applicable Legislation or Standard |
| --- | --- | --- | --- |
| Campus Police/Law Enforcement records | Campus Police | Confidential | |
| Checking account (accounts payable) information | Accounting | Confidential | |
| Student Class Schedules | RSR | Confidential | FERPA |
| College Credit Card Information | Accounting/Purchasing | Confidential | PCI |
| Degree awarded and date | Registrar | Public | FERPA |
| Digitally captured identification photos | RSR/Departments | Public (Directory) | FERPA |
| Direct Deposit account information | Payroll | Confidential | ORC 1345, 1347, 1349 |
| Donor information | Foundation | Confidential | ORC 1345, 1347, 1349 |
| E-mail address (Sinclair provided) | ITS | Public | |
| Employee Background Checks | HR | Confidential | |
| Employee Contracts | HR/Department | Confidential | |
| Employee degrees, certificates, or awards earned | HR | Public (Directory) | |
| Employee dental insurance Records | HR | Confidential | HIPAA |
| Employee Disability/Health records | HR | Confidential | HIPAA |
| Employee health insurance records | HR | Confidential | HIPAA |
| Employee individual benefit details | HR | Confidential | HIPAA |
| Employee name | HR | Public (Directory) Unless name is linked to SSN, Driver License, or other personal identifying information | ORC 1345, 1347, 1349 |
| Employee personnel records | HR | Confidential | ORC 1345, 1347, 1349 |
| Employee previous educational institution affiliation | HR | Public (Directory) | |
| Employee salary information | HR/Payroll | Confidential (NOTE: Data may be officially ‘public record’ but is treated as confidential for routine access/use) | |
| Employee SCC email address | ITS | Public (Directory) | |
| Employee SCC telephone number | HR | Public (Directory) | |
| Employee home phone number | HR | Internal Use Only | |
| Employee time/attendance information | HR/Payroll | Confidential (NOTE: Data may be officially ‘public record’ but is treated as confidential for routine access/use) | |
| FAFSA | Financial Aid | Confidential | FERPA, GLBA |
| Financial Aid / Grants | Financial Aid | Confidential | FERPA, GLBA |
| Financial Aid Applications | Financial Aid | Confidential | FERPA, GLBA |
| Grades | Registrar | Confidential/Aggregate may be Public | FERPA |
| Honors Status | Registrar | Public | FERPA |
| Parent and Student Tax Returns, and verifying information (i.e. W-2, verification worksheets) | Financial Aid | Confidential | FERPA, GLBA, ORC 1345, 1347, 1349 |
| Payroll advices | Payroll | Confidential | ORC 1345, 1347, 1349 |
| Salary | HR/Payroll | Confidential (NOTE: Data may be officially ‘public record’ but is treated as confidential for routine access/use) | |
| Scholarship Details | Financial Aid | Confidential – Directory information may be released, i.e. announcing award winner/recipient names. | FERPA, GLBA |
| SSNs | HR/RSR | Internal Use Only – Confidential when linked with name | ORC 1345, 1347, 1349 |
| Student address | RSR | Public (Directory) | FERPA |
| Student athlete’s weight and height | RSR | Public (Directory) | FERPA |
| Student Conduct | Student Affairs | Confidential | FERPA |
| Student dates of enrollment | RSR | Public (Directory) | FERPA |
| Student degrees or certificates earned | RSR | Public (Directory) | FERPA |
| Student Financial information (Bank Accounts, Wire Transfers, Payment History, Fee Bills) | Financial Aid/Bursar | Confidential | FERPA, GLBA |
| Student Disability/Health records | RSR, Educational Support Services | Confidential | FERPA, HIPAA |
| Student Loans | Financial Aid | Confidential | FERPA, GLBA |
| Student participation in officially recognized activities and sports; including special honors, distinctions, and awards | RSR | Public (Directory) | FERPA |
| Student Payroll | Payroll | Confidential | FERPA |
| Student SCC email address | ITS | Public (Directory) | FERPA |
| Student telephone number | RSR | Public (Directory) | FERPA |
| Student’s date and place of birth | RSR | Public (Directory) | FERPA |
| Student’s major | RSR | Public (Directory) | FERPA |
| Student’s name | RSR | Public (Directory) Unless name is linked to SSN, Driver License, or other personal identifying information | FERPA, ORC 1345, 1347, 1349 |
| Student’s recent previous educational institution | RSR | Public (Directory) | FERPA |
| Employee Tax details | Payroll | Confidential | ORC 1345, 1347, 1349 |
| Wage records (individual) | Payroll | Confidential | ORC 1345, 1347, 1349 |

 

Definitions:

Confidentiality classification refers to the sensitivity of the information and the access controls required to protect it. Does legislation or College policy require the information be protected, or is it freely distributable? Is the information time sensitive? Will its confidentiality status change after some time? Confidentiality is defined in terms of:

a) Confidential: Access is restricted to a specific list of people. Examples include human resources/payroll data such as salaries, garnishment orders, child support orders, and employee health information. Stored credit card numbers are also confidential.

b) Sensitive: Access and use of the information must be protected from routine disclosure and is restricted to specific uses only. This includes information required to be protected by legislation and/or generally recognized best practices. Examples include Social Security Numbers, Financial Aid Data, and Student identity information (as defined by FERPA).

c) Public: The resources are publicly accessible, for example directory information, the College Bulletin, the College Web Site, and recruitment brochures.

Availability classification is a measure of criticality. How important is it that the information asset is accessible/available to the authorized constituent? Is it a single instance or is a backup available? Availability is measured based on reliability and timely access to the asset. In other words, is the system up and running when needed? How long can the asset be down or unavailable? For classification purposes, the availability hierarchy is:

1) Vital: The asset is essential to the College; even a brief outage is significant and may result in a serious negative impact, financial, legal, or otherwise, to Sinclair.

2) Critical: Necessary for routine operation of the College; must be available during normal working hours and/or during registration, reporting, or other business cycles. A brief outage outside these periods is acceptable; outages during these periods are significant and result in serious negative impact.

3) Important: Significant to a small segment of the College such as a single department or committee. Should be available during normal working hours; outages of up to 24 hours do not significantly impact the College.

4) Routine: Has value to the College and should be routinely available, but extended outages (1-5 days) would not significantly impact Sinclair.

Integrity classification is seldom used for primary information classification, but may be used as a ‘tie-breaker’ when determining priority during business continuity and contingency planning. How important is it that the information is 100% accurate and can be verified as tamper-free? How critical is the accuracy of information to the College or stakeholder? Can it be duplicated or replaced? Integrity is defined in terms of value: high, medium or low. As this is often a subjective valuation, justification may be required for assigning a value classification if the rationale is not obvious or is questionable.

 

 

 

This table provides suggested classifications for Sinclair information. It is not authoritative and may be superseded by the data owners of the information. This table will be updated periodically.