The first step in establishing the safeguards that are required for particular types of data, as defined in the Information Security Charter, is to determine the level of sensitivity applicable to particular data. Data classification is a method of assigning such levels and thereby determining the extent to which the data needs to be controlled and secured.
This policy applies to all students, staff, faculty members, officers, employees, and affiliates of Teachers College, Columbia University, including extended learning sites, guests, tenants, visitors, contractors, consultants, vendors, individuals authorized by affiliated institutions and organizations, and all others granted use of and/or access to Teachers College, Columbia University technology resources and data.
1. General Statement
Data security measures must be implemented commensurate with the sensitivity of the data and the risk to the College if data is compromised. It is the responsibility of the applicable Data Stewards to evaluate and classify, with support from the CISO, the data for which they are responsible according to the classification system adopted by the College and described below. If data of more than one level of sensitivity exists in the same System or Endpoint, such data shall be classified at the highest level of sensitivity.
2. Specific Requirements
2.1. Data Classification
The College has adopted the following four classifications of data:
2.1.1. Sensitive Data: Any Personally Identifiable Information (PII) or information protected by federal, state, or local laws and regulations or industry standards, such as HIPAA, HITECH, the New York State Information Security Breach and Notification Act, the New York State SHIELD Act, similar state laws and PCI-DSS. This category also includes privileged information, such as communications and related documents (a) reflecting communications between psychologists, counselors, and similar professionals and their patients or clients; and (b) subject to the attorney-client privilege and work-product protection.
For purposes of this Policy and the other Information Security Policies, Regulated and PII data include, but are not limited to:
2.1.2. Confidential Data: Information that is protected as confidential by law or by contract and any other information that is considered by the College appropriate for confidential treatment.
For purposes of this Policy and the other Information Security Policies, Confidential Data include, but are not limited to:
2.1.3. Internal Data: Any information that is proprietary or produced only for use by members of the College community who have a legitimate purpose to access such data.
For purposes of this Policy and the other Information Security Policies, Internal Data include, but are not limited to:
2.1.4. Public Data: Any information that may or must be made available to the general public, with no legal restrictions on its access or use.
For purposes of this Policy and other Information Security Policies, Public Data include, but are not limited to, data which was intended to be widely available and was not made public through a violation of policy, contract or law. Examples include:
3. Related Policies
The Information Security Policies referred to in this Policy can be found in the Information Security Charter.
Violations of the Information Security Policies may result in corrective actions which may include: (a) the immediate suspension of computer accounts and network access and (b) mandatory attendance at additional training as a condition of continued use of computer accounts and network access. Subject to the College’s other rules of conduct and disciplinary procedures, significant violations may also result in (a) a letter to the individual’s personnel or student file; (b) administrative leave without pay; (c) other sanctions, up to and including termination or non-renewal of employment, faculty appointment or student status. Violations of the Information Security Policies may also result in civil or criminal liability under state, federal or international laws.
To protect Teachers College from legal and financial penalties, and loss of reputation that result from the exposure of confidential/sensitive data (e.g. protected health information (PHI), social security numbers (SSNs), credit card numbers, driver license numbers, passport and visa numbers), TC will implement Data Loss Prevention (DLP) solutions to safeguard data and prevent the unencrypted transmission of sensitive information. DLP enables an organization to reduce the risk of unintentional disclosure of sensitive data by identifying, monitoring and protecting confidential data while in use, in motion and at rest.
Personally Identifiable Information (PII): Any information about an individual that (a) can be used to distinguish or trace an individual’s identity, such as name, date and place of birth, mother’s maiden name, or biometric records; (b) is linked or linkable to an individual, such as medical, educational, financial, and employment information, which if lost, compromised, or disclosed without authorization, could result in harm to that individual; and (c) is protected by federal, state or local laws and regulations or industry standards.
Examples of PII include, but are not limited to, any information concerning a person that can be used to identify such person, such as name, number, personal mark or other identifier, in combination with any one or more of the following:
Protected Health Information (PHI): Individually Identifiable Health Information that is used, maintained, stored, or transmitted by a HIPAA-covered entity.
Research Health Information (RHI): Individually Identifiable Health Information that (a) is created or received in connection with research that does not involve a Covered Transaction; or (b) although previously considered Protected Health Information, has been received in connection with research pursuant to a valid HIPAA authorization or IRB waiver of HIPAA authorization. The College’s Office of the General Counsel is responsible for determining whether particular information created, received, maintained, processed or transmitted by Teachers College constitutes PHI.
See the Definitions section of the Information Security Charter.
Responsible Office: Teachers College Information Technology
Effective Date: February 1, 2021
Last Updated: January 15, 2021