Data Classification Policy

Data Categories

The following document provides definitions and examples of Macalester College’s three data categories: Public, Regulated, and Confidential. Macalester Sensitive Information (MSI) by definition includes Confidential and Regulated information. “Public” information, as described below, is not considered “sensitive” provided it was not inappropriately accessed or altered in any way. This classification applies to all Macalester information regardless of the storage medium (e.g., hard copy vs. digital/electronic).

PUBLIC DATA

Public Data: Definition 
Information that can be shared with anyone without damage to Macalester College

Public Data: Risk 
Minimal but possible

Public Data: Examples

  • Official statements and press releases
  • Campus maps
  • Public directory data (e.g., contact information)
  • Email address
  • Dates of attendance

REGULATED DATA

Regulated Data: Definition 
Information that is subject to regulatory compliance

Regulated Data: Risk 
High

Regulated Data: Examples

  • Student record information
  • Prospective students
  • Employee info
  • Financial records
  • Contracts
  • Physical plant details
  • Credit card numbers
  • Health records

CONFIDENTIAL DATA

Confidential Data: Definition 
Information integral to the business operations of the college

Confidential Data: Risk 
Medium to High

Confidential Data: Examples

  • Information maintained by the Office of the Provost
  • Alumni/Advancement info (unless permission for release is granted)
  • Donor/prospect info
  • Research data
  • Performance reviews
  • Donor profiles

Email 

Email, regardless of platform, should at all times be assumed to be transported in the clear—there should be no expectation of privacy or confidentiality. Email messages and attachments, therefore, should never contain MSI except when all such information has been encrypted using an ITS approved methodology.

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records which are defined as records “directly related to a student” that are “maintained” by an educational institution (Part 99.3). Personal email accounts of students on macalester.edu have never been considered “education records” within the meaning of FERPA because they are not “maintained” either by or on behalf of Macalester College. Instead the college previously, and now with Google, merely provides a server to facilitate such exchanges. However, Macalester College does accord FERPA protection to emails that directly relate to a student when those emails are in the accounts of a Macalester employee.

Intellectual Property 

Except where explicitly addressed in the Employee Handbook (Sec 12.13, Ownership of Copyrights in Works (Revised 09/18/06)) or in the Macalester College Copyright Policy, the development of any aspect of Intellectual Property (i.e., material or products suitable for copyright or patent) that occurs within the scope of employment at Macalester College shall be deemed an asset of the college and shall not be disclosed outside of the ordinary channels of communication within the institution.

Macalester Sensitive Information

The data specified in the next five sections are representative examples of Macalester Sensitive Information (MSI). This listing is not comprehensive. Please contact your department or division director for a current, comprehensive listing for your unit.

STUDENT INFORMATION

  • Grades
  • Student conduct records
  • Student Identification Number
  • Marital status
  • Religious affiliation
  • Social Security numbers
  • Ethnic backgrounds
  • Wire transfers
  • Student schedules
  • Home address
  • Payment history
  • Financial aid/grants
  • Student bills

EMPLOYEE INFORMATION

  • Social Security number (includes partials, such as last four digits)
  • Performance reviews and related documents
  • Date of birth
  • Home address or personal contact information

INFORMATION ON ALUMNI AND FRIENDS OF THE COLLEGE

  • Name
  • Date of birth
  • Graduating class and degree(s)
  • Social Security numbers
  • Giving history
  • Donor/prospect information
  • Addresses
  • Telephone/fax numbers
  • Email addresses
  • Employment information
  • Family information (spouse(s)/children/grandchildren)

FINANCIAL INFORMATION - INDIVIDUAL

  • Credit card numbers
  • Bank account numbers
  • Student financial information
  • Salary

FINANCIAL INFORMATION - INSTITUTIONAL

  • Accounts Payable/Accounts Receivable
  • Spending Balances
  • Vendor SSN
  • Vendor Business ID

PROTECTED HEALTH INFORMATION (PHI)

Electronic transmission of student and employee health information is governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Business Associate agreements compliant with HIPAA protecting such information are in place between Macalester College and health-related vendors.

The Macalester College Health Plan, a covered entity for purposes of HIPAA, has developed this HIPAA Privacy Policy in order to comply with the requirements under the HIPAA privacy regulations and guidelines. The Health Plan is a fully-insured health plan sponsored by Macalester College (Plan Sponsor).

Protected Health Information (PHI) means individually identifiable information relating to the past, present or future physical or mental health or condition of an individual, provision of health care to an individual, or the past, present or future payment for health care provided to an individual.

Neither the Health Plan nor the Plan Sponsor (or any member of the Plan Sponsor's workforce) shall create or receive protected health information (PHI) other than specifically described below.

THE HEALTH PLAN DOES NOT CREATE, MAINTAIN OR RECEIVE PHI EXCEPT FOR:

  • Enrollment/disenrollment information
  • Summary health information
  • Periodic review of status

Summary health information may be used by the Plan Sponsor for two limited purposes: (1) obtaining premium bids for providing health insurance coverage under the Health Plan, and also for (2) modifying, amending or terminating the Health Plan. Violations of this policy will be subject to discipline.

Public Directory Information

STUDENT PUBLIC/DIRECTORY INFORMATION

Under FERPA and Macalester policy, the following student data are considered directory information and therefore public information, which may ordinarily be released by the College without student consent unless the student designates otherwise. The U.S. Department of Education has more information.

  • Name
  • Date and place of birth
  • Local phone number
  • Email address
  • Local address
  • Participation in officially recognized activities and sports
  • Weight and height of members of athletic teams
  • Dates of attendance
  • Degree(s) awarded and date(s)
  • Major field of study
  • Degrees and awards received
  • Institution attended immediately prior to Macalester
  • ID card photographs

EMPLOYEE PUBLIC/DIRECTORY INFORMATION

  • Name
  • Job title
  • Department
  • Campus address
  • Campus phone
  • Date of hire
  • Date of termination

Appreciation is extended to Brown University for permission to use their Classification of Data document as a model. Contact  with any questions or comments.