I. Scope

The classification scheme in this policy is to be applied to all institutional data, both physical and electronic, throughout Earlham College and Earlham School of Religion (“Earlham”).

II. Policy Statement

Earlham data is information generated by or for, owned by, or otherwise in the possession of Earlham that is related to Earlham’s activities. Data may exist in any format (i.e., electronic, physical) and includes, but is not limited to, all academic and administrative data.

III. Guiding Principle

Employees granted access to institutional data may access data only to conduct Earlham’s business. In this regard, employees must:

  • Respect the confidentiality and privacy of individuals whose records they access
  • Observe ethical restrictions that apply to the use of the data to which they have access
  • Abide by applicable laws and policies with respect to access, use, or disclosure of information

IV. Data Classification

All Earlham data will be reviewed on a periodic basis and classified according to its use, sensitivity, and importance to Earlham, and in compliance with federal and/or state laws. Any data item or information that is not classified will be assumed to be of the Internal classification until otherwise determined, unless the data is known to be addressed by applicable law or statute. Questions on the classification and handling of particular data shall be directed to the Records Advisory Council (RAC).

Data classifications are defined as follows:

A. Public

Public data is accessible and can be shared freely without any restrictions and with no expectation for privacy, risk, or confidentiality. There are no legal and/or institutional limitations on its access or use. To prevent any harm to Earlham’s reputation and to support appropriate use, it is crucial to verify the accuracy of data and materials before external publication.

Common types of Public data include the following:

  • Faculty and Staff directories (name, role, phone, email)
  • Campus maps
  • Course Catalogs
  • Events Calendar
  • Promotional materials, such as recruitment brochures
  • Published enrollment statistics
  • Industry standards

B. Internal

Internal data may be accessed by eligible employees and designated appointees of Earlham for the purpose of performing Earlham’s business. Internal data is institutional information that must be guarded due to proprietary, ethical, privacy, or business process considerations. It must be protected from unauthorized access, modification, transmission, storage, or release. This classification applies even though there may be no legal or contractual controls which require such protection.

Internal data should only be stored in approved, Earlham managed systems. Internal information generally should not be disclosed outside of the College without the permission of the person or group that created it.

Common types of Internal data include the following:

  • Non-public Earlham policies
  • Earlham internal memos and email, internal reports, budgets, plans, and financial information
  • Contracts
  • Faculty, staff, and student ID numbers

C. Restricted

Restricted data may be accessed by eligible employees and designated appointees of Earlham for the purpose of performing Earlham’s business. Restricted data is highly confidential business or personal information. Information contained in such records is regulated by state and federal law, confidentiality agreements, or institutional policy. It must be protected from unauthorized access, modification, transmission, storage, or release; it must be used only when necessary for business purposes and should be protected in use, storage, or transportation.

Restricted data should only be stored in approved, Earlham managed systems.

Common types of Restricted data include the following:

  • Donor information: personal contact details, donation and gift amounts that are not disclosed to the public
  • Privileged attorney-client communications
  • Admission applications
  • Educational records and information protected by the Family Educational Rights and Privacy Act (FERPA)
  • Personnel files, employment applications, benefits information, salary, birth dates, and personal contact information
  • Data protected by the Payment Card Industry (PCI) including credit card numbers, card security codes (CVV2 codes), and authorization codes
  • Data protected by the Health Insurance Portability and Accountability Act (HIPAA) including healthcare information and insurance policy numbers
  • Personal data of individuals in the European Union that is protected by GDPR
  • Passwords, password hashes, encryption keys, and cryptographic tokens used for authentication to any Earlham information systems or for the encryption of any other confidential data
  • Individuals’ unique identification details including: social security, driver’s license, passport, and student/travel visa numbers
  • Magnetic stripes, barcodes, or proximity (RFID, NFC, etc.) data which is encoded on identification cards or key fobs and is used for authentication, point of sale, or physical security systems
  • Financial account details including checking, investment, or retirement account numbers
  • Any data which is export-controlled information under applicable laws

V. Research Data

Data related to and derived from research may fall into any of the classifications noted above. Research that contains Restricted data must retain the Restricted classification. Research containing Internal data retains the Internal classification.

Research agreements and related funding agreements may specify sharing and/or confidentiality requirements. If Earlham agrees to participate in research that relies on restricted data and requires non-restricted access upon approval of the research agreement, the Office of Grants and Sponsored Research (OGSR) will notify the Records Advisory Council Convener, the Data Privacy Officer, and the Chief Information Officer.

  • Published research: Public
  • Unpublished research: Assumed to be Internal. Unless dictated by regulations (e.g. IACUC) or contract terms, the researcher may treat it as Public data (sharing it at the researcher’s discretion) even though it is classified as Internal.

VI. Reclassification

Responsible data owners may reevaluate data classifications as needed. Reclassification may occur after approval from the Records Advisory Council.

VII. Roles and Responsibilities

  1. Data Trustee: Data trustees are senior Earlham leaders (or their designees) who have planning and policy-level responsibility for data within their functional areas and management responsibilities for defined segments of institutional data. They are responsible for assigning data stewards.
  2. Data Steward: Data stewards are Earlham employees having direct operational-level responsibility for information management. Data stewards are responsible for data access and policy implementation.
  3. Data Custodian: Information Technology Services (ITS) and the College Archives are the data custodians. The custodians are responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by data trustees or their designees (usually the data stewards), and implementing and administering controls over the information.
  4. Data User: Data users are individuals who need and use Earlham data as part of their assigned duties or in fulfillment of assigned roles or functions. Individuals who are given access to non-public data have a position of special trust and as such are responsible for protecting the security and integrity of that data.

VIII. Enforcement

Violation of this policy may result in disciplinary action, including but not limited to discontinued access to certain resources, suspension, or termination of employment.

IX. Policy Review and Approval

This policy will be reviewed as needed by the Records Advisory Council (RAC). Amendments will be adopted with the approval of the President.

Policy specifications

Last revision: 04/22/2025
Responsible office: Information Technology Services
Responsible party(ies): Chief Information Officer (CIO)
Approved by: President Paul Sniegowski (4/22/2025 revision)
Approval date: 01/26/2024
Effective date: 01/26/2024
Related policies: Acceptable Use Policy
Policy home: https://earlham.edu/policy/data-classification-policy