Data Classification Policy

This document defines the Cal Lutheran data classification scheme and establishes rules and procedures for protecting sensitive and protected university data processed, received, sent or maintained by or on behalf of the university. 

This policy applies to all data owned or leased by Cal Lutheran.

Data processed, received, sent, or maintained by the university is classified into the following three categories:

  1. Sensitive
  2. Protected
  3. Non-Sensitive

Departments should carefully evaluate the appropriate data classification category for their information.

When provided in this policy, examples are illustrative only, and serve as identification of implementation practices rather than specific requirements.

Sensitive Data

Sensitive data is highly confidential or personal information protected by statutes, regulations, university policies or contractual language which, if exposed or breached, could result in legal damages, fines/penalties, identity theft and/or financial fraud. Data stewards may also designate data as sensitive if it requires the same level of protection. Data elements defined as sensitive include:

  • Personally Identifiable Information such as full name with DOB, gender, race, etc.
  • Social Security Numbers
  • Driver's license numbers
  • Credit/debit card numbers
  • Passport numbers
  • Taxpayer identification numbers
  • Federal ID numbers
  • Student financial aid data
  • Employee health records
  • Financial data that informs the university’s end-of-year financial statements
  • System account credentials

Sensitive data does not include information in the Cal Lutheran directory or data that is made public by the university. Furthermore, the university has no obligation to protect an individual’s personal information if the personal information is provided to a third party by another supplier without the involvement of the university.

Protected Data

Protected Data is information that is protected by statutes, regulations, university policies or contractual language but which does not carry the same level of risk as Sensitive Data.  By way of illustration only, some examples of Protected Data include:

  • Student educational records protected by the Family Educational Rights and Privacy Act (FERPA) 

Under FERPA, education records are any documents, files, and/or other materials that contain information directly related to a student, are personally identifiable to that student, and are maintained by the university or a university agent. These records include but are not limited to grades, transcripts, class lists, student course schedules, contact and family information, student health records, student financial information (at the postsecondary level), and student discipline files. The information may be recorded in any way, including, but not limited to, handwriting, print, computer media, videotape, audiotape, film, microfilm, microfiche, and e-mail.

FERPA designates several types of records that are exceptions to this definition, including law enforcement records and medical and treatment records.

For more detailed information, visit the webpage "The Family Educational Rights and Privacy Act" on the Cal Lutheran website.

  • Personal information or giving history collected from a donor, alumnus, or another individual
  • Employment or non-identifiable personnel data
  • Performance evaluations

Non-Sensitive Data

Non-Sensitive data is information that may or must be open to the general public. It is defined as information with no existing local, national or international legal restrictions on access or usage. By way of illustration only, some examples of Non-Sensitive data include:

  • Publicly posted press releases
  • Publicly posted schedules of classes
  • Publicly posted interactive university maps, newsletters, newspapers, and magazines
  • Public announcements, advertisements, directory information, and other freely available data on university websites

Collecting Sensitive Data

There are laws governing university collection of sensitive data. The legal restrictions most commonly impacting the university are summarized below. For additional information, contact the Information Security Office.

  • Sensitive data may only be collected, maintained, used, or disseminated as necessary to accomplish a proper academic or business purpose of the university or as required by law.  
  • Departments requesting or collecting sensitive data must communicate why the data is being collected, how it will be used, and, if applicable, any consequences of not providing it.
  • Individuals have the right to inspect and challenge, correct, or explain their personal information as required by law.

Sending or Receiving Sensitive Data in Electronic or Physical Form

The following restrictions apply both to internal data transmissions (such as sharing files with another university employee) as well as transmissions to outside parties.

  • Sensitive data sent or received electronically must be secured using encryption technology, a secure web transfer, or the Secure File Transfer Protocol. Other acceptable methods include transferring files between network drives on the university's internal network or using the university's secure web file system. The university's email system is not designed to support the transmission of sensitive data securely. 
  • For any other release of sensitive data by the university to a third party, the sender must ensure that the third party is aware of the applicable confidentiality obligations.
  • Sensitive data sent in physical form, such as through the post office or interdepartmental mail, must be secured in a sealed envelope or similar method.
  • Faxing sensitive data is permitted provided that the recipient is notified in advance and is available to retrieve the fax immediately following transmission or able to secure it upon receipt (i.e., receiving a fax in an office that is only accessible by the recipient). Individuals receiving faxed documents with sensitive data are responsible for securing the document after receipt.
  • Routine exchange of sensitive data with a vendor or application hosting provider requires that the vendor or hosting provider undergo a security review, including a third-party assessment of the vendor’s security controls. The sender must also ensure that there are contractual requirements describing which party is responsible for securing sensitive data in transit, how the data will be secured, and any specific confidentiality obligations.

Storing Sensitive Data

  • Sensitive data should only be stored on university-administered servers or the university’s approved cloud storage systems. If sensitive data must be stored on personal or college-owned devices, including but not limited to laptops, personal computers, CDs, flash or thumb drives, cell phones, or personal computing devices (e.g., smartphones, tablets, etc.), the data must be encrypted and the device must be password protected.
  • Sensitive data that will be stored by a vendor or application hosting provider must be protected and secured to the same standards applied by the university.  Use of third-party vendors or application hosting vendors requires ITS evaluation and approval.
  • Sensitive data saved in non-electronic form (i.e. paper or a whiteboard) must be protected from unauthorized access when left unattended and destroyed when it is no longer needed.  For example, papers with sensitive data cannot be left on an unattended desk but instead must be filed in a locked cabinet or a locked office.


Sending or Receiving Protected Data in Electronic or Physical Form

The following restrictions apply both to internal data transmissions (such as sharing files with another university employee) as well as transmissions to outside parties.

  • Transmission of FERPA protected data using the university's electronic communications systems must be restricted to recipients with a legitimate educational interest. Emailing FERPA data to large groups of people is generally a violation of this restriction unless it is verified that each recipient has a legitimate educational interest.
  • Protected data sent or received electronically can be transmitted using the university’s email system.  In addition, protected data can be transmitted using secure web transfer, or the Secure File Transfer Protocol. Other acceptable methods include transferring files between network drives on the university's internal network or using the university's secure web file system.   
  • For any other release of protected data by the university to a third party, the sender must ensure that the third party is aware of the applicable confidentiality obligations.
  • Protected data sent in physical form, such as through the post office or interdepartmental mail, must be secured in a sealed envelope or similar method.
  • Faxing protected data is permitted provided that the recipient is notified in advance and is available to retrieve the fax immediately following transmission or able to secure it upon receipt (i.e., receiving a fax in an office that is only accessible by the recipient). Individuals receiving faxed documents with protected data are responsible for securing the document after receipt.
  • Routine exchange of protected data with a vendor or application hosting provider requires that the vendor or hosting provider undergo a security review and that there be contractual requirements describing which party is responsible for securing protected data in transit, how the data will be secured, and any specific confidentiality obligations.

Storing Protected Data 

  • Protected data should only be stored on university-administered servers or the university’s approved cloud storage systems. If protected data must be stored on personal or college-owned devices, including but not limited to laptops, personal computers, CDs, flash or thumb drives, cell phones, or personal computing devices (e.g., smartphones, tablets, etc.), the data must be encrypted according to the university's Encryption Standard, and the device must be password protected.
  • Protected data that will be stored by a vendor or application hosting provider must be protected and secured to the same standards applied by the university. 

Disposing of Protected Data 

Electronic media including computers, jump or flash drives, CD/DVDs or servers on which sensitive data has been stored must be disposed of by returning the media to ITS for proper backup (if necessary) and disposal. Paper documents containing protected data must be securely shredded.
