Data Classification Policy
This policy applies to all faculty, staff, student workers, third-party agents, and other University affiliates authorized to access University data. The purpose of this policy is to establish a framework for classifying University data based on its level of sensitivity, value, and criticality, so that sensitive institutional data can be secured appropriately. Classification of data will aid in determining baseline security controls for the protection of data.
Data Classification Levels
University data will be classified into one of the four categories defined below:
Classification | Definition | Examples | Access | Transmission | Storage |
---|---|---|---|---|---|
Confidential | Legally or contractually protected data where unauthorized disclosure could cause significant harm | Social Security Numbers, credit card data, financial aid records, medical information, passwords | Restricted to authorized personnel with a legitimate business need | Encrypted methods only | Encrypted and access-controlled systems |
Sensitive | Internal-use-only data that could cause reputational or operational harm if disclosed | Donor records, ID numbers, building access logs, internal memos | University employees or agents with approved access | Secure methods recommended | Secure systems, avoid unencrypted portable devices |
Private | Not protected by law but still proprietary or contractually controlled | Contracts, business processes, internal schedules | Limited to internal stakeholders | Shared with appropriate discretion | Reasonable safeguards including permissions and authentication |
Public | Data that may be freely disclosed | Press releases, academic catalogs, marketing materials | No restriction | No restriction | No restriction |
Access, Transmission, and Storage
Access to data must be role-based and approved. Confidential and Sensitive data should only be transmitted via secure methods. Storage of such data must follow University IT standards, including encryption and access controls.
Data Handling Responsibilities
- University employees are responsible for understanding and following the classification of any data they access or manage.
- Data stewards and system owners are responsible for enforcing this policy within their units.
Purpose
This policy establishes a framework for classifying University data based on sensitivity, value, and criticality, and provides guidelines for protection of institutional data.
Scope
This policy applies to all faculty, staff, student workers, contractors, and affiliates authorized to access University data.
Accountability
Violations of this policy may result in disciplinary action, up to termination or legal penalties. Data stewards and department heads are responsible for ensuring policy compliance within their areas.
Policy Owner
This policy is maintained by the Office of Information Security. Contact itsecurity@moravian.edu with questions.
Records
- Effective Date: August 2025
- Approved By: University Council
- Last Reviewed: July 2025
- Next Review Due: July 2026