2.02 – Data Classification Policy

Purpose of Document

To define levels for identification, classification, and protection of potentially sensitive data at Asbury Theological Seminary.

Executive Summary

  • This policy establishes and defines four levels of data sensitivity: Sensitive, Confidential, Internal, and Public. 

Policy

Any person who uses, stores, or transmits data has a responsibility to maintain and safeguard such data. The first step in establishing the safeguards that are required for a particular type of data is to determine the level of sensitivity applicable to such data. Data classification is a method of assigning such levels and thereby determining the extent to which the data needs to be controlled and secured.

Data security measures must be implemented commensurate with the sensitivity of the data and the risk to the Seminary if data is compromised. It is the responsibility of the applicable data owner to evaluate and classify data for which they are responsible according to the classification system described herein.

If data of more than one level of sensitivity exists in the same system, such data shall be classified at the highest level of sensitivity. 

Four classifications will be used to classify data.

1. Sensitive Data: any information protected by federal, state, or local laws and regulations or industry standards, such as FERPA, HIPAA, GLBA, and the Kentucky Data Breach Notification Act. 

For purposes of this and related policies, sensitive data includes (but is not limited to) the following:

  • Personally Identifiable Information (PII): any information about an individual that (1) can be used to distinguish or trace an individual’s identity, such as name, date and place of birth, mother’s maiden name, or biometric records; (2) is linked or linkable to an individual, such as medical, educational, financial, and employment information, which if lost, compromised, or disclosed without authorization, could result in harm to that individual; and (3) is protected by federal, state, or local laws and regulations or industry standards. 
  • Protected Health Information (PHI): Individually identifiable health information that is transmitted or maintained by the Seminary in electronic or any other form or medium. The Seminary’s General Counsel is responsible for determining whether particular information created, received, maintained, processed, or transmitted by Asbury constitutes PHI.

2. Confidential Data: any information that is protected as confidential by law or by contract and any other information that is considered appropriate for confidential treatment by the Seminary.

For purposes of this and related policies, confidential data includes, but is not limited to, the following:

  • Student education records that are directly related to prior, current, and prospective Seminary students and maintained by Asbury or an entity acting on Asbury’s behalf, but not including (a) “directory information” as defined by the Seminary and as specified in FERPA and the Seminary’s FERPA policies or (b) such records disclosed to school officials with legitimate educational interests or to organizations conducting certain studies on Asbury’s behalf. 
  • Dissertations and theses under embargo in order to protect the rights and welfare of human participants (see Publication Policy – Dissertations and Theses).
  • Recordings of Chapel and other events if the speaker denies permission to release the recording on the Copyright/Recording Release Form.
  • Human resources information, such as salary and employee benefits information.
  • Non-public personal and financial data about donors.
  • Information received under grants and contracts subject to confidentiality requirements.
  • Law enforcement or court records and confidential investigation records.
  • Citizenship or immigration status.
  • Unpublished Seminary financial information, strategic plans, and real estate or facility development plans.
  • Information on facilities security systems.
  • Nonpublic intellectual property.
  • Applicant financial information.

3. Internal Data: any information that is proprietary or produced only for use by members of the Seminary community who have a legitimate purpose to access such data.

For purposes of this and related policies, internal data includes, but is not limited to, the following:

  • Internal operating procedures and operational manuals.
  • Internal memoranda, emails, reports, and other documents. 
  • Technical documents such as system configurations and floor plans. 

4. Public Data: any information that may or must be made available to the general public, with no legal restrictions on its access or use. 

For purposes of this and related policies, public data includes, but is not limited to, the following:

  • General access data on asburyseminary.edu.
  • Seminary financial statements and other reports filed with federal or state governments and generally available to the public. 
  • Copyrighted materials that are publicly available.
  • Directory information under FERPA.

LITS Staff reserve the right to modify this policy at any time.

Approvals: 

  • LITS: October 11, 2019
  • Provost: February 2020