Data Classification and Handling Policies

Information Classification Standard

The SDSU College of Education (COE) has adopted the draft CSU Data Classification and SDSU Information Classification Standards as a minimum information classification standard. These standards outline three levels of classification and standards (Protected Level 1, 2 and 3) to which information must be secured. Along with these standards, the following guidelines and policies have been established by the COE to assist in reducing exposure to information and data loss.

Information security is essential whether information is conveyed electronically, over the phone or in written documents, whether it is acquired, transmitted, processed, transferred and/or maintained by the COE.

All COE faculty, staff, project directors and entities working on behalf of COE are subject to these guidelines and policies, and to SDSU Information Security policies and procedures, including periodic Security Awareness Orientation training.

Protected Level 1 Data / Confidential

Protected Level 1 information is information primarily protected by statutes, regulation, other legal obligation or mandate. The CSU and SDSU have identified standards regarding the disclosure of this type of information to parties outside the College of Education and controls needed to protect the unauthorized access, modification, transmission, storage or other use. Level 1 Confidential information is intended for use by the COE and access is limited to those with a “business need-to-know.” Included in this level are:

  • Passwords or credentials
  • PINs (Personal Identification Numbers)
  • Credit/debit/payment card numbers with any of the following:
    • cardholder name
    • expiration date
    • card verification code
  • Social Security number or Tax ID with name
  • Birthdate with name and last four digits of social security number
  • Driver’s license number, state identification card, and other forms of international identification (such as passports, visas, etc.) with name or social security number
  • Name with bank account information or bank account information with password, security code or any other access code information
  • Private key (digital certificate)
  • Health insurance information
  • Medical records related to an individual (including disability information)
  • Psychological counseling records related to an individual
  • Electronic or digitized signatures
  • Employee name with personally identifiable employee information:
    • Mother’s maiden name
    • Race and ethnicity
    • Gender
    • Birthplace (city, state, country)
    • Employee net salary
    • Marital status
    • Physical description/personal characteristics
    • Employment history (including recruiting information)
    • Biometric information
    • Electronic or digitized signatures
    • Parents and other family member names

Protected Level 2 Data / Internal Use

Protected level 2 information must be guarded due to proprietary, ethical or privacy considerations. The final authorities for approving departmental procedures for the use, storage and dissemination of protected level 2 information are listed in Table 3-2. University standards will indicate the controls needed to protect the unauthorized access, modification, transmission, storage or other use of:

  • Student name with personally identifiable educational records
    • Birth date (full: mm-dd-yyyy or partial: mm-dd only)
    • Courses taken
    • Schedule
    • Test scores
    • Financial aid received
    • Advising records
    • Educational services received
    • Disciplinary actions
    • Photograph
    • Most recent educational agency or institution attended
    • Participation in officially recognized activities and sports
    • Weight and height of members of athletic team
    • Grades
    • SDSU identification number (RedID)
    • Race & Ethnicity
    • Gender
    • Transcripts
    • E-mail addresses
  • Employee name with personally identifiable employee information
    • Birth date (full: mm-dd-yyyy or mm-dd)
    • Emergency contact home address
    • Emergency contact personal telephone number
    • Emergency personal contact information (name, cell phone, pager)
    • Personal telephone numbers
    • Personal vehicle information
    • Personal email address
    • Parents and other family member names
    • Payment history
    • Employee evaluations
    • Background investigations
    • Photograph (voluntary for public display)
  • Other
    • Legal investigations conducted by the College of Education
    • Sealed bids
    • Trade secrets or intellectual property such as research activities
    • Location of highly sensitive or critical assets (e.g. safes, check stocks, etc.)
    • Library circulation information
    • Vulnerability or incident information
    • Licensed software
    • Attorney/client communications
    • Third party proprietary information per contractual

Protected Level 3 Data / Generally Regarded as Publicly Available

Protected level 3 is information that is regarded as publicly available. This information is either explicitly defined as public information (such as state employee salary ranges), intended to be available to individuals both on-campus and off-campus (such as employee work email addresses), or not specifically classified elsewhere in the protected information classification standard. Publicly available information may still be subject to College of Education review or disclosure procedures to mitigate potential risks of inappropriate disclosure.

  • Student information designated as Educational Directory Information (excluding grades):
    • Student name
    • Major field of study
    • Dates of attendance
    • Degrees, honors and awards received
  • Employee Information (including student employment)
    • Employee title
    • Employee name (first, middle, last; except when associated with protected information)
    • Enrollment status
    • Department employed
    • Work location and telephone number
    • Work e-mail address
    • Employee classification
    • Status as student (such as TA, GA, ISA)
    • Employee gross salary
    • Signature (non-electronic)
    • SDSU identification number (RedID)

Where several categories apply, use the highest level of security, that is, use Level 1 versus Level 2 and so on. Questions about the proper classification of a specific piece of information should be addressed to your manager.

Non-State (personal) information (both electronic and non-electronic), such as personal credit reports, personal bank statements, or even contact information from a synchronized cell phone or PDA should not be stored on the COE systems as the COE does not assume responsibility for securing this information and many systems may not be secured for this information by default. Personal information does not just pertain to first party personal information (yours), but also to any third party personal information (someone else’s).

The full information on the Information Classification Standard is available in the San Diego State University Information Security Plan, Section 3.0.

Information Labeling Guidelines

Marking is at the discretion of the owner or custodian of the information. If marking is desired, the words "Protected Level 1 (PL1)” , “Confidential”, “Protected Level 2 (PL)” or “Internal Use” may be written or designated in a conspicuous place on or in the information in question. Other labels identifying the data classification may be used at the discretion of individual business units or departments.

If no marking is present, the COE information is presumed to be "the COE Confidential" unless expressly determined to be the COE Public information by a the COE employee with authority to do so.

Information Handling Guidelines

The following guidelines are presented to assist PI’s, project directors, employees and vendors working with the COE secure information. The final authorities for approved procedures are documented in Table 3-2 Approvers for Protected Information Procedures in the San Diego State University Information Security Plan.

Procedures for Handling Protected Level Information