Data Classification Guideline

Emerson College takes its commitment to protect the privacy of its students, faculty, staff and alumni seriously. The College also has a need to protect the confidential information important to its academic mission and its research. For these reasons the College has identified three levels of data categories, what security precautions must be taken to protect said data, and who is allowed to access such data to prevent unauthorized use. The table below lists the categories of data and some examples of such data. Any data that falls into multiple categories should be considered of the higher security category for protection purposes. If you have questions about a classification of data, contact your Department Records Officer or the Director of Networking and Telecommunications.

Data Classification Table

Data Classification: High Risk (PII data)
Risk Level: High
Description: Data whose loss, corruption, or unauthorized access would pose an extreme identity or financial risk to the College, a school partner, or the public and require notification of the MA Attorney General and affected users.
Examples:
  • Social Security Number
  • Credit/Debit Card Number
  • Bank/Financial Account Numbers
  • HIPAA or medical records
  • Passwords or Biometric data
  • Driver’s License or State ID number
  • FERPA records

Data Classification: Moderate Risk
Risk Level: Medium
Description: Data whose loss, corruption, or unauthorized access would impair the academic, research, or business functions of the College or is not available to the general public.
Examples:
  • Student ID
  • Employee ID
  • HR Documents
  • College Proprietary Data or Intellectual Property
  • Copyrighted College or Student material
  • Board meeting minutes
  • Expense reports
  • Litigation
  • Software license numbers
  • College infrastructure plans
  • System configuration/log files
  • Training data

Data Classification: Low Risk
Risk Level: Low to None
Description: Data to which the general public has access
Examples:
  • Any data found on www.emerson.edu
  • Policies
  • Publications
  • Academic Calendar
  • Campus Maps

Data Access

Access to data should be limited to what is required to complete an individual’s job duties. Individuals should not attempt to access information that is not already made available to them. If a change in access is necessary, permission can be granted only through a Helpdesk Ticket submitted by the employee’s supervisor or director and reviewed by Networking and Telecommunications. Networking and Telecommunications may also design and delegate a process by which the supervisor of the department can maintain their own operational access controls.

Data Transmittal and Storage

All members of the Emerson College community and its working partners are responsible for the proper handling, transmittal and storage of all data entrusted to the College. All individuals and departments must follow the policies and procedures of the College to ensure that data is protected and used properly. Any partner, consultant or vendor that needs access to or shares any Emerson College non-public data must sign a Third Party Data Security Agreement.

Below is the Acceptable Data Transmission and Storage Table that all members of the Emerson College community, all working partners, vendors and consultants must abide by.

Acceptable Data Transmission and Storage Table

Data Classification: High Risk (PII data)
Data Transmission: Emerson College IT Dept. approved encryption is REQUIRED when transmitting any information over a network. Third party email services are not appropriate for transmitting High Risk information. High Risk numbers/data may be redacted instead of encrypted.
Data Storage: High Risk data is PROHIBITED from being stored on local computing hard drives or storage equipment unless approved by the Director of Networking and Telecommunications. All data should be stored on Emerson College’s Box storage system or its Central IT maintained databases. If given approval for local storage, Emerson College IT Dept. approved encryption MUST be used for all data. Data may be redacted instead of encrypted if on Emerson College owned equipment. Data stored on non-Emerson College owned equipment MUST be encrypted at all times. Printing of High Risk data is discouraged. Printed data must be stored in a secure and locked area. Printed data may also be redacted to prevent unauthorized access. Use of third party processing or storage services is not appropriate for the transmission or storage of High Risk data unless approved in advance by the Director of Networking and Telecommunications.

Data Classification: Moderate Risk
Data Transmission: Emerson College IT Department approved encryption is REQUIRED when transmitting any information over a network. Third party email services are not appropriate for transmitting Moderate Risk information. Moderate Risk numbers/data may be redacted instead of encrypted.
Data Storage: The storage of Moderate Risk data on local computing hard drives or storage equipment is discouraged. All data should be stored on Emerson College’s Box storage system or its Central IT maintained databases. If local data is to be stored, Emerson College IT Dept. approved encryption MUST be used for all data. Data may be redacted instead of encrypted if on Emerson College owned equipment. Data stored on non-Emerson College owned equipment MUST be encrypted at all times. Printing of Moderate Risk data is discouraged. Printed data must be stored in a secure and locked area. Printed data may also be redacted to prevent unauthorized access. Use of third party processing or storage services is not appropriate for the transmission or storage of Moderate Risk data unless approved in advance by the Director of Networking and Telecommunications.