Data Governance: Classification of College Data

All College data are classified into levels of sensitivity to provide a basis for understanding and managing college data. Accurate classification provides the basis to apply an appropriate level of security to college data. These classifications take into account the legal protections (by statute, regulation, or by the data subject’s choice), contractual agreements, ethical considerations, or strategic or proprietary worth. They also consider the application of “prudent stewardship,” where there is no reason to protect the data other than to reduce the possibility of harm or embarrassment to individuals or to the institution.

The classification level assigned to data will guide Data Trustees, Data Stewards, Data Administrators, and Data Users in the security protections and access authorization mechanisms appropriate for those data. Such categorization encourages the discussion and subsequent full understanding of the nature of the data being displayed or manipulated.

By default, all institutional data will be designated as “Internal.” College employees will have access to the data for use in the conduct of college business.

Classification Levels

Public Data (low level of sensitivity)

Access to “Public” institutional data may be granted to any requester. Public data are not considered confidential. The integrity of Public data must be protected, and the appropriate owner must authorize replication of the data. Examples include: institutional statistics that appear in publications, academic course descriptions, Common Data Set, and Bates Facts.

* Information contained in the Bates Online Directory is technically “Directory Information” under FERPA (can be released without consent) but some information is password protected and should not be considered “Public.”

Internal Data (moderate level of sensitivity)

This classification applies to information protected due to proprietary, ethical, or privacy considerations, even though there may not be a direct statutory, regulatory, or common-law basis for requiring this protection. Internal data is restricted to personnel designated by the College who have a legitimate business purpose for accessing such data. Examples include: institutional survey data and enrollment projection data.

Restricted Data (highest level of sensitivity)

This classification applies to information protected by statutes, policies, or regulations. This level also represents information that isn’t by default protected by legal statute, but for which the Data Administrator has exercised her or his right to restrict access. Examples include: PII – Personally identifiable information (SSN, driver’s license, bank account numbers), salary data, academic record data (unit level) and financial aid data.