Minimum Data Safeguards Standard
Effective: 12/30/2019
Last Updated: 2/4/2020
Responsible University Office: Information Technology
Responsible Executive: Associate Provost and Chief Information Officer
Background
The units and departments at the university hold many types of documents and data. To the extent that particular documents or data types are not explicitly addressed within this document, it is the responsibility of the Data Custodians to classify data by considering the potential for harm to individuals or the university in the event of unintended disclosure, modification or loss. Departments must be particularly mindful to protect sensitive personal information, such as social security numbers, driver’s license numbers and financial account numbers, the disclosure of which may create risk of identity theft.
Minimum Safeguards by Classification Level
This document describes the actions necessary to secure and protect university-owned data classified as Public data, Internal Use data, Confidential data, and Export Controlled data.
Public
Public data is information that may be disclosed to any person regardless of their affiliation with the university. The Public classification is not limited to data that is of public interest or intended to be distributed to the public; the classification applies to data that do not require any level of protection from disclosure. While it may be necessary to protect original source documents from unauthorized modification, Public data may be shared with a broad audience both within and outside the university community and no steps need to be taken to prevent its distribution.
Internal Use
Data should be classified as Internal Use when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the university or its affiliates. By default, all institutional data that is not explicitly classified as Export Controlled, Confidential, or Public data must be treated as Internal Use data. A reasonable level of security safeguards should be applied to Internal Use data.
The following is Internal Use data. Please note that this is not an exhaustive listing. Please work with the Data Custodian and Information Technologies if you require additional assistance classifying data.
FERPA Data
- Graded work, grade book, etc.
- Name; Birth name is controlled if no preferred name is selected
- Date of birth
- Place of birth
- Directory address and phone number
- Electronic mail address
- Mailing address
- Campus office address (for graduate students)
- Secondary mailing or permanent address
- Residence assignment and room or apartment number
- Dates of attendance, i.e. specific quarters or semesters of registration
- Enrollment status, i.e. college, class (frosh, sophomore, etc.)
- Xavier degree(s) awarded and date(s)
- Major(s), minor(s) and field(s)
- University degree honors
- Institution attended immediately prior to Xavier
- ID card photographs for university classroom use
- Banner ID (unique identifier for all students)
- College and class
Management Data
- Faculty and staff reviews and performance evaluations
Miscellaneous Controlled Data
- Data from research germane to intellectual property that is not categorized as Confidential
Confidential
Data should be classified as Confidential when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the university or its affiliates. Users of Confidential data must follow all the safeguards for Internal Use data plus additional safeguards. High levels of security safeguards must be applied to Confidential data.
The following contains examples of Confidential data. Please note that this is a list of common examples and not an exhaustive listing. Please work with the Data Custodian and Information Technologies if you require additional assistance classifying data.
Personally Identifiable Information
Personally Identifiable Information (PII) that consists of an individual’s name, including the last name along with the individual’s first name or first initial, in combination with and linked to any one or more of the following data elements:
- Social Security number or partial Social Security number
- Driver’s license number
- State identification card number
- Passport number