May 16, 2026
Policies
Technology Division
08:16:00 Data Classification and Protection
- Introduction and Purpose
  - The College’s data is a vital asset. The College is committed to protecting the confidentiality, integrity, and availability of this data through a risk-based classification framework. This policy ensures that safeguards are commensurate with the sensitivity of the data and comply with the College’s regulatory environment.
- Scope
  - This policy applies to all institutional data created, collected, or stored by faculty, staff, students, and third-party agents, regardless of the location of the data (on-campus or cloud-hosted).
- Data Classification Levels
  - To ensure consistent protection, all institutional data shall be categorized into one of the following three levels:
    - Restricted (Regulated): Data protected by federal or state law, or stringently controlled by contractual obligations. Examples may include Social Security numbers, student educational records (FERPA), and financial/payment card data (PCI).
    - Confidential (Internal): Data that is not legally restricted but is sensitive to College operations. Unauthorized disclosure could cause financial loss or reputational damage.
    - Public: Data intended for wide and open distribution. This information may be accessed by the public and carries no expectation of privacy (e.g., marketing materials, course catalogs).
- Roles and Responsibilities
  - Data Custodians: Sometimes referred to as “data owners.” Designated College officials responsible for the oversight of specific data sets. Custodians are responsible for determining classification levels and authorizing access based on the “need to know”.
  - Data Users: All individuals authorized to access institutional data. Users are responsible for adhering to the handling requirements of the highest level of data they possess.
  - Technology Division: Responsible for implementing technical controls, such as encryption and access management, to support the requirements set by Data Custodians. Facilitates the Data Custodians’ periodic confirmation of the accuracy of users’ access levels.
- Protection and Handling Governance
  - Storage and Transmission: Restricted and Confidential data must be stored only on College-authorized systems and encrypted during transmission over public networks.
  - Cloud Vetting: Institutional data shall not be stored in any cloud service that hasn’t been vetted and approved by the Technology Division for the specific data classification level.
  - Principle of Least Privilege: Access to Restricted data is granted only when essential for a user’s job function.
  - Reporting: Any suspected loss or unauthorized acquisition of Restricted or Confidential data must be reported immediately to the Technology Division.
References:
1. TBR Policy 1.08.04.00 (Personally Identifiable Information)
Submitted to Policy Review Committee on March 2, 2026
Submitted to Policy Review Board on April 13, 2026
Approved by Policy Review Board on April 29, 2026
Policy Approved October 24, 2017 as Technology Division Policy 08:16:00, Data Security and Controls