College of Engineering - Data Classification Policy: COE–DCP–01

  1. Purpose:  The purpose of these classifications is to assist in determining the different categories of data so that appropriate security measures can be established, ensuring that sensitive information with the potential to damage the College and/or University is adequately protected from intentional or inadvertent release to the public.
  2. Classifications:  Data can be classified into three main groups: public, internal and restricted.
    1. Public information is intended for distribution to the general public, both internal and external to the University. Release of the data, either intentional or inadvertent, would have no or minimal negative impact on the institution.
    2. Internal information is intended for distribution within Penn State only, and frequently only to specific personnel. Public release of the data has the potential to damage the institution. Such damage may be legal, academic (loss or alteration of intellectual property), financial, or intangible (loss of reputation). 
    3. Restricted information is data which the University has a legal, regulatory or contractual obligation to protect and for which access must be strictly controlled. The release of such data has the potential to create major damage to the institution including significant financial liability. Examples of data in this category include Social Security numbers, personally identifiable credit card information and personally identifiable health information.
  3. Security Measures needed:
    1. Public information:  no security measures are required.
    2. Internal information: Access-controlled storage requiring, at a minimum, a unique userid and password for appropriate personnel to access the data.
    3. Restricted information: SOS approval is required to store restricted information.
  4. Definitions
    1. Personally Identifiable Information (PII): While PII refers to information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual, current Pennsylvania law mandates notification in cases of the release of Social Security Numbers, Credit Card Numbers and Driver's License Numbers when coupled with other information that could be used to identify an individual and compromise their personal data.

6.0 Revision History

Last updated: 12/9/2009

 


Electronic & Computer Services (ECS)
