Appendix A: Data classifications
PCC data is any data related to Portland Community College (PCC) operations that is
- Stored on PCC information technology systems
- Physically recorded and stored on PCC premises
- Maintained by PCC faculty, staff, or students
- Related to institutional processes on or off campus
Critical versus non-critical
PCC Data is either critical or non-critical:
Non-critical data is information considered public and non-confidential in nature. Non-critical data is not subject to protection or data handling procedures.
Critical data is information considered valuable to some degree to PCC. Classification of critical data varies based on the context and use case with respect to the value of the information, the degree of protection required, and the degree of damage that unauthorized disclosure would cause. Critical information is not releasable on demand without due process.
Some examples of critical data are:
- Personally Identifiable Information (PII)
- Financial account numbers
- Information that may have a derogatory impact on PCC or on PCC staff or students
- Internal communications that may have a derogatory impact on PCC operations if sent to someone without a need to know
- Health-related information
- Any information deemed confidential, restricted or academically sensitive
Critical data classifications
The following are the most common terms and classifications of critical data in use at PCC:
Personally identifiable information (PII)
A commonly used security industry term for any data that could potentially identify a specific individual. PII is any information that can be used to distinguish one person from another, and it can be used to de-anonymize otherwise anonymous data. PII may be a single unit of data (e.g. a social security number) or may result from combining related pieces of information (e.g. a user name and password).
GLBA covered information
PCC is required to protect covered customer data in accordance with the Gramm-Leach-Bliley Act (GLBA). GLBA defines covered customer information as any record containing nonpublic personal information or personally identifiable financial information about a customer of PCC, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of PCC or its affiliates.
GLBA nonpublic personal information
Nonpublic personal information is GLBA’s terminology for customer data covered by the regulation. It includes:
- Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available
- Any information a student or other third party provides in order to obtain a financial service from PCC
- Any information about a student or other third party resulting from any transaction with PCC involving a financial service
- Any information otherwise obtained about a student or other third party in connection with providing a financial service to that person
Examples of nonpublic personal information include (but are not limited to):
- Social Security number
- Credit card number
- Account numbers
- Account balances
- Any financial transactions
- Tax return information
- Driver’s license number
- Date or location of birth
Examples of services or activities that PCC may offer, which result in the creation of nonpublic personal information, could include (but are not limited to):
- Student (or other) loans, including receiving application information and the making or servicing of such loans
- Credit counseling services
- Collection of delinquent loans and accounts
- Check cashing services
- Obtaining information from a consumer report
Unclassified
Information considered valuable to PCC but not requiring confidentiality controls. Unclassified information may still be subject to additional departmental controls on its handling, collection, processing, and/or distribution. Examples include destruction or retention dates and instructions, rare historical documents, copyrighted materials, and special instructions such as conditional access provisions.
Academic
A classification of critical information controlled for academic purposes to maintain academic freedom. This does not include student personal identification.
Academic data covers faculty lesson and testing content. This includes, but is not restricted to, test banks, quizzes, sequential lesson material, answer keys, and research conducted by faculty affiliated with PCC or conducted on PCC premises with other institutions. It can also include information about thesis research by faculty.
Disclosure of academic information can undermine the integrity of grades and damage the reputation of PCC, its student body, and its faculty as a whole. It can also cause substantial financial losses and penalties through the illicit exploitation of research.
A classification of critical information considered medium to high risk, because exposure of this information can cause serious harm to PCC. Information in this category is largely proprietary and operational in nature and concerns PCC-related activities. Examples include detailed information about some information technology infrastructure, PCC buildings, security procedures, activities or events, future PCC development plans, and grant information.
A classification of critical information considered high risk, either because exposure of this information can cause tremendous harm to an individual or to PCC, or because the information is specifically protected under law or contract (e.g. HIPAA, FERPA, GLBA, PCI, and ORS 646.600, Oregon's Identity Theft Protection Act). This includes information that can be linked, directly or indirectly, to individual people. Social security numbers, credit card numbers, financial information, personally identifiable medical information, personal addresses, and personally identifiable academic information fall into this category.
Data in these categories requires varying security measures, appropriate to the degree to which loss or corruption of the data would impair PCC business functions, result in financial loss, or violate law, policy, or PCC contracts.
Controlled sensitive data
An encompassing definition used in PCC's Information Security policies that refers to all confidential and private information governed by those policies. This includes data classified as PII, regulated data (e.g. PHI and data covered by HIPAA, FERPA, or GLBA), and protected, academic, internal, or confidential data. In simple terms, it is any critical personal or sensitive information for which PCC is liable if it is publicly disclosed.