http://www.bw.edu/Assets/Offices/university-relations/BWUlogoColor.gif
 
 

Data Request Form

This Data Request has been sent to Verlyn Mol and Chuck Kennick. 

Resolution of Data Request

Data request classification *
 

 

Baldwin Wallace:

Data Classification Standard

Contents

I. Authorizations and Document Ownership

II. Purpose and Scope

III. Business Considerations and Impact

IV. Data Classification Table

APPENDIX A: Data Classification Requirements

Level 0: Public Directory Information

Level 1: Academic Related Personnel and Student Records

Level 2: Regulatory Requirement for Notification

Level 3: Critical or Inferred Data

APPENDIX B: Data Classification Guidance

I. DCG Scope

II. Applicant Information

III. Credentials

IV. FERPA "Opt Out” Requests

V. Notice Triggering Data Components

VI. Partial SSNs and Partial Student IDs

I. Applicability to Baldwin Wallace

II. Awareness and training

APPENDIX C: DGT Approval and Authorizations

13  

I.             Authorizations and Document Ownership

1)    The following Baldwin Wallace Classification Standard is issued under the authority vested in the Baldwin Wallace Chief Information Officer.

2)    Issue Date:     IN DRAFT
 Effective Date:    IN DRAFT

Responsible Executive:    Chief Information Officer, Greg Flanik

Responsible Office:    IT Administrative Office
 Responsible Group: Data Governance Team

Contact:    IT Policy Manager, Melissa Bauer 

II.           Purpose and Scope

1)    The BW Data Classification Standard is a framework for assessing data sensitivity, measured by the adverse business impact a breach of the data would have upon the campus. This standard provides the foundation for establishing protection profile requirements for each class of data.

2)    The Baldwin Wallace Classification Standard covers BW campus data.  BW campus data is information prepared, managed, used, or retained by an operating unit or employee of BW relating to the activities or operations of the University.  BW campus data does not include individually-owned data, which is defined as an individual’s personal information that is not related to University business.

3)    This classification does not cover evaluation of data availability requirements. For guidance regarding data availability requirements please see the Baldwin Wallace Disaster Recovery and Business Continuity Plan.

4)    Data classification does not alter public information access requirements. Ohio Public Records Laws or federal Freedom of Information Act requests and other legal obligations may require disclosure or release of information from any category.

5)    This document is owned and governed by the Baldwin Wallace Data Governance Team or DGT.

6)    Departmental DGT Owners: are those members of the DGT representing their respective or complimentary departments, or those assigned as a designee by a Department Director of Chair to serve on the DGT. 

III.         Business Considerations and Impact

1)    Evaluating potential business considerations and impact to the campus due to loss of data confidentiality or integrity include but are not limited to:

·         Loss of critical campus operations

·         Negative financial impact (money lost, lost opportunities, value of the data)

·         Damage to the reputation of the campus

·         Potential for regulatory or legal action

·         Requirement for corrective actions or repairs

·         Violation of University or campus mission, policy, or principles

·         Loss of availability of critical campus systems 

·         Establishing and maintaining the confidentiality and integrity of student records

·         Students, faculty, and staff health and well being

IV.         Data Classification Table

Class

Business Impact:

Examples of Data to include but not limited to:

Protection
 Level 0

Public Directory Information

Limited or none

Information intended for public access, e.g.,:

  • Public directory information
  • Public websites
  • Course listings and pre-requisites

Protection
 Level 1

Academic Related Personnel and Student Records

Moderate

Information intended for release only on a need-to-know basis, including personal information not otherwise classified as Level 0, 2 or 3, and data protected or restricted by contract, grant, or other agreement terms and conditions, e.g.,:

  • FERPA student records (including Student ID)
  • Staff and academic personnel records (including Employee ID)
  • Licensed software/software license keys
  • Library paid subscription electronic resources

Protection
  Level 2

Regulatory Requirement for Notification

High

Data or information with a legal requirement for notification to affected parties in case of a confidentiality breach:(See Appendix A.II Legal Requirements for Notification for more information)

  • Full name (if not common)
  • Home address
  • Email address (if private from an association/club membership, etc.)
  • National identification number
  • Passport number
  • IP address (when linked, but not PII by itself in US)
  • Vehicle registration plate number
  • Driver's license number
  • Face, fingerprints, or handwriting
  • Credit card numbers
  • Digital identity
  • Date of birth
  • Birthplace
  • Genetic information
  • Telephone number
  • Login name, screen name, nickname, or handle
  • Social security number
  • Driver's license number, California identification number
  • Financial account numbers, credit or debit card numbers and
     financial account security codes, access codes, or passwords
  • Personal medical information
  • Personal health insurance information

For International students applicability to General Data Protection Standards apply to any information collected by the various departments at BW: 

  • Basic identity information such as name, address and ID numbers (Passport ID/copy, Citizenship documents)
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation
  • Grades and related scores (TOEFL Score)
  • Financial related information (list of these required such as International financial statement)

 

 

 

Protection
 Level 3

Critical Data or “Inferred Data”

Extreme

Data or information that creates “Inferred Data” (See Appendix A) risk between multiple sensitive systems, e.g., enterprise credential stores, backup data systems, and central system management consoles.

 

APPENDIX A: Data Classification Requirements

Figure 1. Baldwin Wallace Data Classification and Access Approval Structure

Level 0: Public Directory Information

1)    Non-Personal” Academic Personnel Information:

·         Name

·         Date of hire or separation

·         Current position title

·         Organizational unit assignment including office address and  telephone number

·         Full-time, part-time, or other employment status

2)    Staff personnel records designated as "public information" 

·         Name

·         Date of hire

·         Current position title

·         Organizational unit assignment

·         Date of separation

·         Office address and office telephone number

·         Current job description

·         Full-time or part-time, and appointment type

3)    Student Directory Information, unless the student has requested that information about them not be released as public information:

·         Name of student

·         Telephone, e-mail

·         Dates of attendance

·         Number of course units in which enrolled

·         Class level

·         Major field of study

·         Last school attended

·         Degrees and honors received

·         Participation in official student activities

·         Name/weight/height (intercollegiate athletic team members only)

1)    Access Control(s): to this data requires a documented request via Data Governance Request Form (if needed) with review by the Data Governance Team should it be deemed required by any member of the DGT. (See Appendix C: DGT Approval and Authorization Process)

 

Level 1: Academic Related Personnel and Student Records

1)    Student records include, but are not limited to:

a)    FERPA student records (including Student ID)

b)    Staff and academic personnel records (including Employee ID)

c)    Licensed software/software license keys

o    Library paid subscription electronic resources

o    Transcripts (grades)

o    Exam papers

o    Test scores

o    Evaluations

o    Financial aid records

o    Loan collection records

o    Directory information for students who have requested that information about them not be released as public information

d)    See the Appendix A.II Legal Requirements for Notification section above for the list of protection level 2 data, which also applies to student data. See the Student Directory Data section under Public Directory Information below for the list of protection level 0 student data.

e)    Access Control(s): Access to this data requires: 

i)     Completed Data Governance Request Form

ii)    Submitted to, and reviewed/approved by the appropriate Department DGT Owner

iii)   With an additional DGT Peer Check by one or more of the DGT members. 

iv)   Completed Level 1 DGT Requests shall be archived and audited periodically by the DGT.

 

2)    Level 1: Personnel Records

a)    Academic Personnel Records include, but are not limited to: 

o    Confidential academic review records

o    non-confidential academic review records 

o    "personal" information.

b)   Staff Personnel Records include, but are not limited to:

o    Home telephone number and home address

o    Spouse's or other relatives' names

o    Birth date

o    Citizenship

o    Income tax withholdings

o    Information relating to evaluation of performance

o    Any information relative to pay and/or compensation

c)    See Appendix A.II Legal Requirements for Notifications section above for the list of protection level 2 data, which also applies to student data. See the Student Directory Data section under Public Directory Information below for the list of protection level 0 student data.

d)    Access  Control(s): Access to this data requires: 

i)     Completed Data Governance Request Form

ii)    Submitted to, and reviewed/approved by the appropriate Department DGT Owner

iii)   Completed Level 1 DGT Requests shall be archived and audited periodically by the DGT.

iv)   (See Appendix C: DGT Approval and Authorization Process)

Level 2: Regulatory Requirement for Notification

1)    Ohio State Law (link is external) and other legal statues, such as the Health Information Portability and Accountability Act (HIPAA), require notification to individuals in the event of a security breach of certain personal information. (Note: FERPA does not require notification of a breach, only “recordation” of the incident)

2)    The BW campus refers to this data as "Notice Triggering” information:

·         Social security number

·         Driver's license number, Ohio identification number

·         Financial account numbers, credit or debit card numbers, and
 financial account security codes, access codes, or passwords

·         Personal medical information

·         Personal health insurance information

3)    Note the following registration and approval requirements applicable to notice-triggering information:

·         Campus Credit Card transactions are handled differently based on the method of payment. Specialized training and Data Governance approval is required for BW staff, faculty, and/or students to handle credit card transactions on behalf of Baldwin Wallace.

·         Storage, transmission or use of notice-triggering data requires that the requestor fill out a Data Governance Request Form. 

4)    For International students, applicability to General Data Protection Standards apply to any information collected by the various departments at BW: 

·         Basic identity information such as name, address and ID numbers (for example: Passport ID/copy, Citizenship documents)

·         Web data such as location, IP address, cookie data and RFID tags

·         Health and genetic data (for example BW Health Center Med Center information)

·         Biometric data

·         Racial or ethnic data

·         Political opinions

·         Sexual orientation

·         Grades and related scores (for example, TOEFL Score)

·         Financial related information (list of these required such as International financial statement)

5)    Access Control(s): Access to this data requires: 

·         Completed Data Governance Request Form

·         Submitted to, and reviewed/approved by the appropriate Department DGT Owner

·         With an additional DGT Peer Check by one or more of the DGT members. 

·         Completed Level 1 DGT Requests shall be archived and audited weekly by the DGT.

·         (See Appendix C: DGT Approval and Authorization Process)

Level 3: Critical or Inferred Data

1)    This data includes but is not limited to enterprise credentials, leadership credentials, financial information, backups, access to data resident on centralize system consoles, monitoring data, security related data.

2)    If a data compromise would cause further and extensive data compromise from multiple (even unrelated) sensitive systems, the data creating this "Inferred-Data" warrants an elevated data protection level.

3)    Access Control(s): Access to this data requires: 

o    Completed Data Governance Request Form

o    Submitted to, and reviewed/approved by the appropriate Department DGT Owner

o    This data shall only be released after the approval by either the Chief Information Officer (CIO), Chief Information Security Officer (CISO), Data Protection Officer (DPO), or designee. 

o    Completed Level 3 DGT Requests shall be archived and audited weekly by the DGT.

o    (See Appendix C: DGT Approval and Authorization Process)

 

 

APPENDIX B: Data Classification Guidance

I.      DCG Scope

1)    The Baldwin Wallace Data Classification Standard is a framework for assessing data sensitivity, measured by the adverse business impact a breach of the data would have upon the campus. Based on the data protection levels defined in the Data Classification Standard, the Security Standards for the Control of BW Information (SS-CBI, this document is in DRAFT) identifies the technical and operational security controls required to safeguard BW data.

2)    The information below is provided as guidance on interpreting the Data Classification Standard.

II.    Applicant Information

1)    Current and past applicant student or previously employed faculty and staff information should be treated with equivalency in accordance with this standard with currently enrolled student and currently employed faculty and staff information. 

III.  Credentials

1)    The Baldwin Wallace credentialing process which leverages Active Directory is considered as of Extreme importance, level 3 because it contains the whole authoritative universe of BW credentials.  

2)    Other applications that that do not provide direct authentication shall be considered no less than level 2.

3)    Baldwin Wallace employee ID’s are the first initial of the user’s first name followed by their last name (up to 7 characters). Students leverage the same schema but with a 2 digit year attached at the end of the name. This same ID is used for the email identification as well. 

IV.  FERPA "Opt Out” Requests

1)    The Family Educational Rights and Privacy Act (FERPA) allows students the opportunity to “opt out” of disclosure of data protected by FERPA.  A student link is provided on the student enrollment system that allows students to “opt out” of this disclosure (To be added in 2018) All departments handling FERPA controlled data shall be sent a copy of this request. In the absence of release information, the unit should assume that the student has requested "no release."

V.    Notice Triggering Data Components

1)    Regardless of impact, all Notice Triggering Information (See Appendix A.II Legal Requirements for Notification) shall merit level 2 data designation, regardless of the actual data breach notification requirement.  

VI.  Partial SSNs and Partial Student IDs

1)    Standard practice on campus is to treat partial SSNs the same as full SSNs, even though the former is not notice triggering.  (Research indicates that last 4 digits of an SSN plus place of birth very accurately indicates the full SSN.)

2)    Similarly, partial Student IDs should be treated like full Student IDs.


 

1)    c disclosure, assure Baldwin Wallace students the following rights:

a)    To inspect and review their student records.

b)    To have withheld from public disclosure, absent their prior consent, personally identifiable information from their student records.

c)    To inspect records maintained by campus offices concerning disclosure of confidential information from their student records.

d)    To seek corrections of their records through a request to amend the records, or a request for a hearing to challenge the content of their records, or to include a written statement therein.

e)    To file complaints with the Office of the Chancellor or with the U.S. Department of Education regarding violations of the rights accorded by federal law or University policy.

2)    Campus Information Disclosure Policy defines "public records" which may be released without prior student consent, describes the record access rights of applicants who have not been admitted or enrolled at the Baldwin Wallace campus, and describes the conditions under which students may waive the right of access to their records. 

I.      Applicability to Baldwin Wallace

1)    Baldwin Wallace has implemented a Data Governance Policy to ensure that each department maintain controls regarding the protection of personally identifiable data. See Data Governance Policy.

2)    The campus maintains various types of student records in various locations throughout the campus. Information about these records and university and campus policies on student records may be requested via documented request via the Data Governance Data Request Form.

II.    Awareness and training

1)    FERPA Training and Awareness for Faculty

2)    Student Release Schedule

 

APPENDIX C: DGT Approval and Authorizations

 

Proposed Authorization and Reporting Process for DGT Approvals:

 

Resolution of Data Request

Data request decision *
0/560 characters
0/560 characters

Request Details

Please select ‘Yes’ to acknowledge that you have read and are in compliance with FERPA confidentiality guidelines and that you have read through and understand the BW PII Policy *
Incomplete requests or requests requiring follow-up may not be completed by Needed Dates.  Please cautiously evaluate the information you need and provide the necessary information for our group to complete your request in a timely manner.
Is this request for an existing Informer report that needs modified? *
Purpose of request *
What is the frequency of requested data? *
Frequency Requirement *
For which group(s) do you need this information? *
Select the source system *
 
Select the destination system *
 

The following questions are required before your data request will be processed.
IMPORTANT - Only select 'Next' when the data request has been completed.
Secured by Formsite
DISCLAIMER: The data presented on this page is confidential.