Data Classification Standards

Community colleges collect, compile, store, and manipulate data from a variety of sources. In order to apply the appropriate security protocols for safeguarding the data, the college must first classify the data into one of three levels: (1) confidential, (2) internal use, and (3) general. This document describes the three levels of data classification that California community college districts must adopt regarding the level of security placed on the particular types of information assets.

The three levels described below are meant to be illustrative, and the list of examples of the types of data contained below is not exhaustive. When it is unclear how a data set should be classified, the question should be referred to the district’s or college’s official data trustee for final determination.

Please note that this classification standard is not intended to be used to determine the eligibility of requests for information under the California Public Records Act or HEERA. These requests should be analyzed by the appropriate district legal counsel or administrator.

Classification: Level 1 – Confidential

Protected Data

Access, storage, and transmissions of Confidential information are subject to restrictions as described in the Asset Management Standard. Information will be classified as confidential if it meets at least one of the criteria below:

  • Exposure Poses a Severe Risk – Confidential data includes information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to the college, its students, employees, or business partners. Financial loss, damage to the college’s reputation, and legal action could occur if such information is not properly safeguarded.
  • Legal Obligation – Information for which disclosure to persons outside of the institution is strictly governed by State or Federal statute with the intention to protect the privacy of an individual’s information. California civil codes 1798.29, 1798.82 and 1798.84 require the district to notify affected parties in the event of a data breach of certain private information.
  • Other Sensitive Information – Information deemed by the district or college as highly sensitive, typically reserved solely for use within the college and limited to those employees with a specific need to know.

Examples of Confidential information include but are not limited to:

  • Passwords or credentials that grant access to Confidential and Internal Use data
  • PINs (Personal Identification Numbers)
  • Birthdate combined with last four digits of SSN and name
  • Credit card numbers with cardholder name
  • Tax ID with name
  • Driver’s license number, state identification card, or other forms of national or international identification (such as passports, visas, etc.) in combination with a name
  • Social Security number and name
  • Health insurance information
  • Medical records related to an individual
  • Psychological counseling records related to an individual
  • Bank account or debit card information in combination with any required security code, access code, or password that would permit access to an individual’s financial account
  • Biometric information
  • Electronic or digitized signatures
  • A private key (digital certificate)
  • Personnel records
  • Criminal background check results

Classification: Level 2 – Internal Use

Protected Data

Access, storage, and transmissions of Internal Use information are subject to restrictions as described in the Asset Management Standard. Information may be classified as Internal Use if it meets at least one of the criteria below:

  • Sensitive Nature of Data – Information which must be protected due to proprietary, ethical, contractual or privacy considerations.
  • Exposure Poses a Moderate Risk – Information which may not be specifically protected by statute, regulations, or other legal obligations or mandates but for which unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could cause financial loss, damage the college’s reputation, violate an individual’s privacy rights, or subject the institution to legal action.

Examples of Internal Use information include but are not limited to:

Identity Validation Keys (Names with the following info)
  • Birthdate (full: mm-dd-yy)
  • Birthdate (partial: mm-dd only)
Employee Information
  • Employee net salary
  • Home address
  • Personal telephone numbers
  • Personal email address
  • Payment history
  • Employee evaluations
  • Pre-employment background investigations
  • Mother’s maiden name
  • Race and ethnicity
  • Sexual orientation
  • Parents’ and other family members’ names
  • Birthplace (City, State, Country)
  • Gender
  • Marital status
  • Physical description
  • Other
Student Information - Educational Records not defined as “directory” information as defined in FERPA and AP 5040, typically: 
  • Grades
  • Courses taken
  • Schedule
  • Test Scores
  • Advising records
  • Educational services received
  • Disciplinary actions
  • Student photo
Various Identifiers
  • Photo (taken for identification purposes)   
  • Library circulation information
  • Trade secrets or intellectual property such as research activities
  • Location of critical or protected assets
  • Licensed software
  • Vulnerability/security information related to a COLLEGE/DISTRICT or system
  • District or college attorney-client communications

Classification: Level 3 – General

Information which may be designated by Long Beach Community College District or by State or Federal statute as generally available and/or intended to be provided to the general public.

Disclosure of this information does not expose the college to financial loss or jeopardize the security of the college’s information assets.

Information at this level requires no specific protective measures but may be subject to appropriate review or disclosure procedures at the discretion of Long Beach Community College District in order to mitigate potential risks.