Data Classifications: Highly Restricted, Restricted and Low

Question

 

What types of data does MNSCU or Minnesota State consider Confidential, Protected Private or Public data?

Data Classification, Storage, and Sharing

St. Cloud State has chartered a Data Classification initiative to inventory and classify data that is stored on campus systems. Data Classification establishes a foundation for identifying appropriate and consistent information security controls.

Below are the classifications and examples of data elements that fit into each category. It is important to note that those who have access to highly restricted and restricted data must ensure that it is kept secure.

After determining what type of data you will be processing, use the End User Data Storage and Sharing Recommendations to guide storing or sharing the data.

Highly Restricted:

Institutional data must be classified as "highly restricted" if the data requires limiting access to only persons with a legitimate need to know, and:

  • the data elements for which loss of confidentiality could facilitate identity theft; or
  • by law, regulation, or contract, the data requires high-level security controls, or
  • the loss of confidentiality could cause significant personal or institutional harm

Includes:

  1. Social security numbers
  2. Credit/payment card numbers and related information
  3. Financial account numbers such as banking or investment account numbers
  4. Security or access codes or passwords used to access highly restricted data
  5. Personal health/medical information including insurance policy ID numbers and any information covered under HIPAA
  6. Non-public investigation data (determined by legal counsel)
  7. Credentials for IT systems that manage data elements in this classification level
  8. Biometric information
  9. Trade secret or intellectual property protected by a non-disclosure agreement

Restricted

Institutional data must be classified as “restricted” if it does not classify as “highly restricted” but the data:

  • by law is not public data, or
  • requires limiting access to only persons with a legitimate need to know, or
  • whose unauthorized disclosure will require statutory notification to affected parties (i.e., breach notification).

Includes:

  1. Student records – admission applications, transcripts, exam papers, test scores, evaluations, grades, student discipline, student class schedule, student worker information, financial aid, and loan collection records
  2. Student directory information that has been suppressed by the Student class lists
  3. College, university, system office, or faculty trade secret or intellectual property
  4. Library use information
  5. Individual demographics including age, race, ethnicity, gender, citizenship, visa status, veteran or disability status, employee home address/phone, dependent information
  6. Faculty/staff employment applications, personnel files, benefits information, birth date, and personal contact information
  7. Donor contact information and non-public gift amounts
  8. Privileged attorney-client communications
  9. College, university or system office internal memos, email, reports, and financial data identified as non-public
  10. Driver’s license numbers
  11. Student ID numbers (if not directory data) and passwords
  12. Employee performance information and other private personnel data
  13. Parking lease information
  14. Request for proposal vendor responses and scoring information prior to contract award
  15. Credentials for systems that manage data elements in this classification level and systems classified as Low
  16. Partial social security number
  17. Business continuity and disaster recovery plans
  18. Security information as defined by Minn. Stat. § 13.37

Low

Institutional data must be classified as "Low" if by law it is available to the public upon request.

Includes:

  1. Certain employee information name, job title, job description, work location and phone number, employee identifier, salary, gross pension, value and nature of fringe benefits, payroll time sheets, education/training and previous work experience, first and last employment dates, existence and status of complaints, terms of employment settlement disputes, final disposition of discipline, honors and awards received or as identified as public in Minn. Stat. § 13.43, subd. 2.
  2. Student information (unless suppressed by the student) name, other information identified as directory information by the college/university in its published FERPA policy • Financial data on public sponsored projects
  3. Course offerings
  4. Invoices and purchase orders
  5. Budgets
  6. “Summary” or statistical data that does not identify an individual
  7. Information authorized to be made available on or through a website that does not require a Minnesota State recognized authentication system (e.g., StarID)
  8. Published research data
  9. Campus maps
  10. Job postings
  11. Information in the public domain
 
Submit a request for help

 

Print Article

Details

Article ID: 119563
Created
Mon 11/2/20 1:53 PM
Modified
Mon 5/6/24 2:25 PM

Related Articles (4)

Parent Information
Information on student privacy
Release of Information (ROI)
Provide permission to someone other than you about your financial aid or bill.
Restricting Release of Information
Information on restricting a ROI
Technology Policies & Guidelines
What are SCSU's technology policies/guidelines?

Related Services / Offerings (2)

Data Integration Request
Request data be integrated into an application or data warehouse used at St. Cloud State University.
Request IT Security Assistance for Confidential Matters
Request IT security assistance for confidential matters including but not limited to investigations, litigation, hold requests, compliance (HIPAA, PCI, etc.), requests for confidential information