Data Classification and Protection Policy

hoverholt — Fri, 13 Sep 2024 19:52:39 +0000

Data Classification and Protection Policy hoverholt Fri, 09/13/2024 - 15:52

1-005

Cabinet

01-05-2009

10-21-2025

Data Classification Levels

Classification Level	Definition	Examples
Confidential	Regulated data requiring strict controls. Unauthorized disclosure could result in legal or financial penalties.	Private information such as SSNs, bank account numbers, health records, driver’s license numbers, disciplinary records
Sensitive	Internal data with reputational or operational risk.	Grades, G-numbers, performance reviews
General	Information not intended for public release but not subject to regulatory or contractual confidentiality. May be shared with Geneseo accounts and select external collaborators with a legitimate need.	Syllabi, meeting agendas, internal procedures
Public	Information intended for external audiences and unrestricted sharing.	Press releases, recruitment materials, published research

Safeguards

Safeguards for institutional data are applied based on its classification level and include administrative, technical, and physical controls. These controls are designed to ensure appropriate protection of data across its lifecycle: from creation and access to storage and disposal. Specific requirements for each classification level (Confidential, Sensitive, General, and Public) are detailed in the Data Protection Standard.

Incident Response

Any suspected data breach must be reported immediately to CIT. Breaches involving private information as defined by the SHIELD Act will trigger notification procedures in accordance with state law and the College’s cybersecurity incident response plan.

Roles and Responsibilities

Data Stewards: Ensure proper classification, access controls, and compliance within their data domain. In most cases the data steward of a department is the director or department head.
CIT: Implement technical safeguards, monitor systems, and respond to incidents.
Compliance Office: Ensure alignment with legal and regulatory requirements.
End Users: Apply appropriate sensitivity labels and follow data handling procedures.

Compliance

This policy supports compliance with the New York SHIELD Act, FERPA, HIPAA, NY Labor Law §203-d, and other applicable regulations.

Inappropriate disclosure of information pertaining to students, faculty, staff and other college constituents may violate applicable law and regulations and is considered a violation of ethics and a breach of trust placed in employees by the College. Upon finding of a violation of this policy by an employee in a collective bargaining unit, the College may initiate disciplinary action pursuant to the applicable collective bargaining agreement, up to and including termination of employment.

For employees not covered by a collective bargaining agreement, sanctions may include actions up to and including termination of employment.

Student employees who have violated these provisions may be referred to the student disciplinary process.

Volunteers who have violated these provisions may have their voluntary appointments terminated.

Employees who deal with confidential material on a regular basis will be required to sign a confidentiality agreement.

Every 3 years.

Paul Jackson

Chief Information Officer & Director of CIT