Information Technology, Documents, & Records

Data Classification and Secure Data Handling Policy

Issuing Authority: Cabinet

Preface

The College is deeply committed to safeguarding the privacy of its community members, including students, alumni, parents, faculty, staff, and affiliates. This commitment extends to ensuring the confidentiality, integrity, and availability of information vital to the College’s mission.

Confidentiality: Private information is treated with the utmost care and should not be accessed by unauthorized parties.
Integrity: Measures are in place to prevent unauthorized tampering with important data.
Availability: Ensuring the continuous availability of data and services is an information security priority.

To achieve these goals, the College has classified its information assets into risk-based categories. This classification system determines who can access the information and specifies the security measures required to prevent unauthorized access. By categorizing data as high, medium, or low risk, the College can prioritize its efforts and focus on the areas that require the most attention, thereby strengthening overall information security.

Who owns the data?

Data created, processed, and stored across the College’s academic and administrative departments and offices is considered a unified resource despite its diverse storage formats, such as applications, spreadsheets, and databases, whether on-premises or in the cloud. To provide maximum value to the institution, our data must be well-documented, well-supported, accurate, accessible, and as lightly encumbered as we can legally, reasonably, responsibly, and ethically make it. Where appropriate and feasible, it must also be centrally accessible to employees using standard software tools and methods. College data may be stored in different systems and maintained by various offices, but the data belongs to the College.

Data Classification

Security controls are deployed commensurate with risk. More and stronger security controls are appropriate and, in many cases, required for data that presents a fiduciary or reputational risk to the College if subject to loss or unauthorized access. Therefore, defining risk classifications and assigning data types to each classification is essential.

Data Risk Classification Definitions

The College classifies data into three levels:

High-risk: Data falls into this category if it meets some or all of the following criteria:

    • The College must publicly report unauthorized disclosures as defined by state or federal law or regulation.
    • The College could be subject to fiduciary penalties if its confidentiality, integrity, or availability were compromised.
    • State or federal laws or regulations mandate specific information security controls.

Medium-risk: This category encompasses data that requires information security controls but does not meet the requirements for high-risk classification.

Low-risk: Low-risk data includes publicly available or non-public data that would have minimal impact if disclosed, altered, or lost. However, it’s important to note that even low-risk data must be safeguarded against unauthorized alterations or deletions.

Data Risk Classification Examples

The following examples are provided for illustrative purposes. The lists are not exhaustive.

High-risk:

    • Personally Identifiable Information (PII), like Social Security, passport, and driver’s license numbers
    • Banking information, like bank account numbers, credit card numbers, and account balances
    • Tax return information
    • Real estate values
    • Health information, like diagnoses and treatments
    • Health insurance information, like payments and claims
    • Bulk passwords and security keys

Medium-risk:

    • Protected student data and student records, like student ID numbers, grades, courses taken, educational services received, and disciplinary actions
    • Tenure, promotion, and personnel performance review materials
    • Employee ID numbers
    • Faculty/staff employment applications, personnel files, benefits, salary, birth date, and personal contact information
    • Employee disciplinary records
    • Non-public contracts
    • College internal memos and emails, nonpublic reports, budgets, plans, and financial information
    • Engineering design and operational information regarding College infrastructure
    • Donor contact information and nonpublic gift information
    • Alumni information such as philanthropy, wealth, contact, and giving data
    • Unpublished research data

Low-risk:

    • Policy and procedure manuals
    • Non-public College policies and policy manuals
    • User account IDs without associated passwords
    • Licensed software & software license keys
    • Job postings
    • Contact information in the College directory
    • Information in the public domain
    • Publicly available campus maps
    • Faculty, staff, and department web sites and mailing addresses
    • Press releases
    • Public College website content
    • Published or public research data

Secure Data Handling

Data and information can be stored and transmitted in various ways, including, but not limited to, files stored on computers, mobile devices, servers, portable electronic storage devices, paper files, audio or video files, telephone calls, and verbal communications. The College owns all administrative data, although individual units or departments may have governance responsibilities for portions of that data.

Paper files should never contain high-risk data such as Social Security numbers. When this is unavoidable, the files must be kept in a secure, locked area. High-risk data should not be taken off campus; when it must be, it must never be left unattended or unsecured. Paper records containing medium- or high-risk data should be destroyed securely when no longer needed.

How do I store and share data?

Users should first consider the classification of the data they use, store, or share. Then, data users should ensure that the systems used to store, transmit, or process the data are appropriate for that data classification. Data should be shared only with other users authorized to access it. Not all storage devices and services are equally suited to store, process, or transmit every data risk classification. Data may only be stored, processed, or transmitted by systems and services approved for its data risk classification, and it must be stored and shared in a manner commensurate with that classification. For example, Google Drive is approved for storing and sharing high-risk data, provided it is narrowly shared only with authorized College personnel. High-risk data should never be shared without requiring authentication; using the “Anyone with the link” sharing option in Google Drive is inappropriate for high-risk data.

Storing and sharing data                      Low   Medium   High
Email                                          X      X
Secure email (1)                               X      X       X
Voicemail                                      X      X
Cloud storage (2)                              X      X       3
Enterprise Chat (4)                            X      X       5
Enterprise Meeting Software (6)                X      X       X
Document management (7)                        X      X       X
Network-attached storage                       X      X
Secure network-attached storage                X      X       X
College website (8)                            X      9
Local hard drive                               X      10      10
External storage                               X      11
Individual websites (12)                       X
Survey services (13)                           X
US postal and other parcel delivery services   X      X       X
File cabinets                                  X      14      14
AI & LLMs                                      X      15      16

An X means the method is approved for that risk classification; a number in a cell means the method is approved only under the condition described in the corresponding note below. A blank cell means the method is not approved for that classification.

1. If both sender and receiver have a College account, Gmail confidential mode can be used. Trustifi should be used when sending or receiving medium- or high-risk data with people who do not have a College account. For a Trustifi account, please contact the help desk.
2. E.g., Google Drive and Dropbox
3. Narrowly shared to only named users with @carleton.edu accounts.
4. E.g., Google Chat and Slack
5. Consider if chat is the best method for transmitting high-risk data. Only share with authorized College users.
6. E.g., Google Meet and Zoom
7. E.g., OnBase
8. E.g., WordPress
9. Medium-risk data accessible on the College website must require authentication with multi-factor authentication (single sign-on).
10. Viewing and processing medium- and high-risk data inevitably requires it to be transmitted to your local device. Medium- and high-risk data should not be routinely stored on a local hard drive.
11. Large data sets, such as research data, may require external storage. The researcher or third-party data provider may classify this as medium-risk. Medium-risk data should be kept in a safe or locked cabinet when not in use.
12. E.g., Google Sites and CarlSites
13. E.g., Qualtrics
14. Paper records containing medium- and high-risk data should be secured in a locked file cabinet when unattended.
15. Medium-risk data may be entered into or integrated with an AI or LLM application if the contract or terms of service explicitly state that the data will not be shared (e.g., used to train the model or improve the service).
16. Google Gemini and Amplify are approved for use with high-risk data. However, users should always carefully consider whether it is appropriate to enter the data into an LLM in the first place.

Access Data

Data access involves three key aspects: obtaining authorization, managing data entry and maintenance, and extracting data from systems.

The respective data managers authorize entry, maintenance, extraction, and removal of data in information systems. While IT or system support personnel may configure system-level security, they implement decisions supporting the data managers’ needs. Individuals requiring access to campus data should request access from the data managers per the campus data governance guidelines.

To maintain data security, the College reserves the right to:

    • Restrict or revoke user privileges
    • Inspect, copy, or alter data or system resources
    • Take necessary steps to manage and protect information systems and data

These actions may occur with or without user notice.

Acquiring a New System or Service for Medium- or High-Risk Data

Departments considering purchasing new software systems or services that in any way access, create, or process medium- or high-risk data must contact the IT department to discuss the purchase before making any such purchases. Insurance, audit, and regulatory requirements dictate that we evaluate the security posture of such vendors.

College Data on Personal Devices and Services

Employees must exercise care when conducting College business on a personally owned computing device such as a personal computer, mobile phone, or tablet. Accessing College email, calendaring, files, and applications is considered conducting College business, and as such, it is subject to this and other campus policies. College employees must not store or access high-risk data on personal devices and services.

Regarding Generative Artificial Intelligence (AI)

Although some providers claim they won’t incorporate user data into their learning model, one should carefully consider the classification of the data submitted to any Generative AI application. Medium- and high-risk data should never be submitted to an AI application that does not clearly guarantee in its contract or terms of service that the vendor will not use customer data for any purpose and will not share it with third parties.

Regarding Research and Other Data

Unpublished research data and associated systems generally fall within the medium-risk classification, while published research data is generally low-risk data. However, the College recognizes that researchers and third parties may require and implement data protection controls that exceed those outlined in this policy. In cases of conflict between this policy and other stakeholder requirements, the stricter of the required controls will take priority.

Notifications for Breach of Security

Minnesota’s Security Breach law (Statute: § 325E.61) mandates that any individual or business conducting operations within Minnesota and possessing or licensing data containing personal information must promptly disclose any discovered or reported breaches of data security to affected state residents. This disclosure must be made as quickly as possible and without undue delay.

According to the law, “personal information” includes an individual’s first name or first initial and last name, combined with any of the following unencrypted data elements:

    • Social Security number
    • Driver’s license number or Minnesota identification card number
    • Bank account number, credit card number, or debit card number, along with a necessary security code, access code, or password enabling account access.

In the event of a suspected breach involving personal information or other high-risk data at the College, promptly initiate the following incident response procedures:

    1. The person discovering the breach should immediately inform the Information Security Officer or the IT Help Desk.
    2. The Information Security Officer, CIO/CTO, and other resources will assess whether a data security breach has indeed occurred and decide on the appropriate course of action.
    3. Engage departmental and campus incident response plans as appropriate.

Who do I contact about regulatory obligations?

Regulatory Obligations

Data: Student records (FERPA)
Responsible Office: Registrar
Notes: The Family Educational Rights and Privacy Act defines educational records and prescribes security controls and processes required of institutions that create and manage them.

Data: Gramm-Leach-Bliley Act (GLBA)
Responsible Office: Business Office
Notes: The GLBA prescribes security controls for the financial services industries. Parts of the GLBA apply to higher education due to their role in servicing student loans.

Data: Payment Card Industry Data Security Standard (PCI DSS)
Responsible Office: Business Office
Notes: Anyone who processes credit card payments must comply with the standards set by credit card companies.

Data: Protected Health Information (PHI) & Health Insurance Portability and Accountability Act (HIPAA)
Responsible Office: Human Resources
Notes: The Health Insurance Portability and Accountability Act defines PHI and prescribes required controls for protecting it.

Data: Title IX records
Responsible Office: Title IX Coordinator

Data: Research subject data
Responsible Office: Institutional Review Board

Data: Fair and Accurate Credit Transactions Act (FACTA) & Red Flag Rules
Responsible Office: Business Office
Notes: We must be able to detect red flags for identity theft in instances where we issue credit.

Data: Copyright
Responsible Office: Provost's Office
Notes: The College expects all employees to follow laws that protect copyrights.

Precedence

This policy replaces and renders obsolete the following policies:

Data Risk Classification Guidelines, August 2016

Data Management and Access Guidelines

College Data on Mobile Devices, June 1, 2012

Information Technology Services: X 5999 or helpdesk@carleton.edu

Revision History

Date of Change    Responsible    Summary of Change

Last Revised: August 29, 2023

TP&PC

For: Faculty, Staff, Students

Last Reviewed: July 2, 2025

Maintained by: Information Technology Services