Data Classification Policy - Equal Opportunity

This policy provides standards to protect the confidentiality, integrity, and availability of university data. The policy applies regardless of the media on which the data resides.

Purpose:
This policy provides standards to protect the confidentiality, integrity, and availability of university data. The policy applies regardless of the media on which the data resides.

Applicability:
All users of NMU Network Resources, administrative data, systems that access university data and media that store university data.

Policy:

Data will be maintained in a secure, accurate, and reliable manner and be readily available for authorized use. Data security measures will be implemented commensurate with the value, sensitivity, and risk involved.  Data will be protected and secured according to applicable federal and state requirements as well as university policies.

To implement security at the appropriate level, to establish guidelines for legal/regulatory compliance, and to reduce or eliminate conflicting standards and controls, data will be classified into one of the following categories:

Confidential: data that, if disclosed to unauthorized persons, would be a violation of federal or state laws and regulations, university policy, or university contracts. Any file or data that contains personally identifiable information of a trustee, officer, agent, faculty, staff, retiree, student, graduate, donor, or vendor may also qualify as confidential data. Confidential data includes but is not limited to:

• Medical records of any kind.
• Education records as defined by NMU’s FERPA policy, except NMU IN numbers, which are classified as private.
• Unredacted unique government identifiers such as social security numbers.
• Research data, such as information supporting pending patents, grant applications, or information related to human subjects.
• Information access security, such as login passwords, personal identification numbers regulated by laws or regulations, digitized signatures, and encryption keys.
• Certain personnel records such as benefits records, health insurance information, retirement documents and/or payroll records.
• Library records as defined by the Michigan Library Privacy Act.
• Regulated primary account numbers, cardholder data, credit card numbers, banking information, or other information protected by consumer protection regulations and the payment card industry data security standards.
• Personal information protected from disclosure by state and federal identity theft laws including the Michigan Identity Theft Protection Act.
• Any data identified by state or federal law or government regulation, or by order of a court of competent jurisdiction to be treated as confidential or sealed by order of a court of competent jurisdiction.

Private: data that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be any law or other regulation requiring this protection. Private data is information that is managed and secured by personnel designated by the university who have a legitimate business purpose for accessing such data. Private data includes but is not limited to:

• Employment data.
• NMU Identification Numbers and redacted portions of government issued identification numbers.
• Business partner information where no restrictive confidentiality agreement exists.
• Planning documents.
• Alumni data.

Public: data to which the general public may be granted access in accordance with Northern Michigan University policy. Public data includes but is not limited to:

• Publicly posted press releases.
• Publicly posted schedules of classes.
• Posted university maps, newsletters, newspapers, and magazines.
• Directory information within the boundaries of NMU’s FERPA Policy.
• Information posted on the university’s public website including the website for Institutional Research.

Data owners, in conjunction with the Chief Technology Officer, the Assistant VP Information Services, and as appropriate, the Dean of Library and Instructional Support, or qualified designates, will develop, implement, and/or contract for appropriate data security using technology protocols, data encryption, data access controls, data retention and disposal procedures, data storage management, and end user training and awareness programs.

The Chief Technology Officer or a designate will regularly review this policy and the implementing procedures to ensure timely updates after legal, regulatory, technological, or other relevant changes.