Effective Date: December 1, 2007
Latest Revision: October, 2013
As indicated in the Columbia University Information
Security Charter (the “Charter”)[http://policylibrary.columbia.edu/information-security-charter], any person who uses, stores or transmits Data (as defined in the Charter) has a responsibility to maintain and safeguard such Data.
The first step in establishing the safeguards that are required for particular types of Data is to determine the level of sensitivity applicable to particular Data. Data classification is a method of assigning such levels and thereby determining the extent to which the Data needs to be controlled and secured.
A PDF of this policy is also available to the right.
Capitalized terms used in this Policy without definition are defined in the Charter.
II. Policy History
The effective date of this Policy is November 1, 2013. This Policy replaces the University’s Data Classification Policy, dated December 2007, as amended in February 2013.
III. Policy Text
Data security measures must be implemented commensurate with the sensitivity of the Data and the risk to the University if Data is compromised. It is the responsibility of the applicable Data Owner to evaluate and classify Data for which he/she is responsible according to the classification system adopted by the University and described below. If Data of more than one level of sensitivity exists in the same System or Endpoint, such Data shall be classified at the highest level of sensitivity.
A. Data Classification
The University has adopted the following four classifications of Data:
1. Sensitive Data: any information protected by federal, state or local laws and regulations or industry standards, such as HIPAA, HITECH, FERPA, the New York State Information Security Breach and Notification Act, similar state laws and PCI-DSS.
For purposes of this Policy and the other Information Security Policies, Sensitive Data include, but are not limited to:
Personally Identifiable Information (PII): any information about an individual that (a) can be used to distinguish or trace an individual’s identity, such as name, date and place of birth, mother’s maiden name or biometric records, (b) is linked or linkable to an individual, such as medical, educational, financial and employment information, which if lost, compromised or disclosed without authorization, could result in harm to that individual and (c) is protected by federal, state or local laws and regulation or industry standards.
Protected Health Information (PHI): any information processed, transmitted or stored by a Covered Entity that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for health care and (a) identifies the individual or (b) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. The University’s Office of the General Counsel and Office of HIPAA Compliance are responsible for determining whether particular information maintained or disclosed by Columbia constitutes PHI.
Examples of Sensitive Data can be found in Appendix A hereto.
2. Confidential Data: any information that is contractually protected as confidential by law or by contract and any other information that is considered by the University appropriate for confidential treatment.
For purposes of this Policy and the other Information Security Policies, Confidential Data include, but are not limited to:
Human resources information, such as salary and employee benefits information
3. Internal Data: any information that is proprietary or produced only for use by members of the University community who have a
legitimate purpose to access such data.
For purposes of this Policy and the other Information Security Policies, Internal Data include,but are not limited to:
4. Public Data: any information that may or must be made available to the general public, with no legal restrictions on its access or use.
For purposes of this Policy and other Information Security Policies, Public Data include, but are not limited to:
B. Protection of Data
The protection requirements
applicable to each classification of Data can be found in the Columbia University
Registration and Protection of Systems Policy http://policylibrary.columbia.edu/registration-and-protection-systems-policy
the Columbia University Registration and Protection of Endpoints Policy. http://policylibrary.columbia.edu/registration-and-protection-endpoints-policy
IV. Cross References to Related Policies
The Information Security Policies referred to in this Policy
are listed in Appendix B hereto.
Examples of Sensitive Data
Examples of PII include, but are not
limited to, any information concerning a natural person that can be used to
identify such natural person, such as name, number, personal mark or other
identifier, in combination with any one or more of the following:
Examples of PHI include, but are not
limited to, any health information about an individual, in combination with any
one or more of the following:
Information Security Charter
Registration and Protection of Endpoints Policy
Registration and Protection of Systems Policy