Guideline ADG07 DATA CATEGORIZATION EXAMPLES

Policy Steward:  Vice President for Administration

Contents:

  • Purpose
  • Responsibilities
  • Further Information

    PURPOSE:

    This Guideline provides examples of data that fall under the data categories defined in Policy AD71, Data Categorization.

    RESPONSIBILITIES:

    In accordance with AD71, units must identify the types of data they hold and ensure adequate safeguards are provided. This guideline defines the categories for primary data types used within the University and provides policy references and units to contact with regard to the data itself when possible. If there is uncertainty with regard to the category in which particular data resides, questions should be referred first to the unit liaison appointed in accordance with AD71, and then to Security Operations, the Privacy Office and Risk Management.

    Security Operations, the Privacy Office and Risk Management will be responsible for updating this Guideline as necessary when significant new data examples become known.

    EXAMPLES:

    The table below lists examples of the data types defined in policy AD71 (i.e., Public, Internal/Controlled, Restricted).
    Please note that the examples are not necessarily a complete list; there may be more data types that apply to a respective category.
    DATA TYPE | DATA CATEGORY | IMPORTANT END USER INFORMATION | POINT OF CONTACT FOR QUESTIONS REGARDING DATA

    Campus Maps

    Public

     

    Office of University Relations

    Directory information (where no Confidentiality Hold applies)

    Public

    Consult University Policy AD11, University Policy on Confidentiality of Student Records for a list of Directory Information

    Office of the Registrar

    Email addresses of individuals (not bulk listings of all entries data mined from central or unit services)

    Public

     

    LDAP – Information Technology Services (ITS)

    Employee work addresses

    Public

     

    Office of Human Resources and unit Human Resources representatives

    Library catalog information

    Public

     

    University Libraries

    Network diagrams minus specific IP addresses

    Public

     

    Applicable Information Technology (IT) departments

    News stories (subject to copyright restrictions)

    Public

     

    Office of University Relations

    Organizational charts (unless otherwise specified by the unit)

    Public

     

    Applicable units

    Public-facing web sites containing general information about Penn State

    Public

     

    Applicable units and the Office of University Relations

    Public relations brochures

    Public

     

    Office of University Relations or issuing unit

    Active interlibrary loan records

    Internal/Controlled

     

    University Libraries

    Alumni Directories

    Internal/Controlled

     

    Office of Development and Alumni Relations

    Building blueprints unless designated as restricted by OPP or the unit

    Internal/Controlled

     

    Office of Physical Plant and applicable unit

    Bulk email address listings containing all members of a major population (e.g., all students, all faculty/staff)

    Internal/Controlled

    Permission must be obtained for bulk email. See AD56 – Use of Group Communication Tools to Communicate University Business to Employees and Students. AD20 – Computer and Network Security also prohibits unauthorized mass email

    Data Stewards (Students – Office of the Registrar. Employees – Office of Human Resources); ITS

    Employee home addresses unless permission is obtained

    Internal/Controlled

     

    Office of Human Resources and unit Human Resources representatives

    Financial account numbers of the institution

    Internal/Controlled

     

    Office of the Corporate Controller and Finance Offices

    Guest information (e.g., hotels, conferences, sports camps)

    Internal/Controlled

     

    Office of the Corporate Controller (Penn State Hospitality Services)

    Information regarding University-owned vehicles (e.g., license plate numbers, VINs, insurance)

    Internal/Controlled

     

    Risk Management

    Inventory Records – Food Services

    Internal/Controlled

     

    Office of the Corporate Controller (Cost Analysis and Property Inventory)

    Library Collections limited to Penn State use only

    Internal/Controlled

     

    University Libraries

    Livestock (purchase and care information)

    Internal/Controlled

     

    Procurement Services; College of Agriculture (Dairy and Animal Science)

    Network diagrams with specific IP addresses (unless categorized as restricted by the unit)

    Internal/Controlled

     

    Applicable central and unit IT departments

    Other inventory records (e.g., sports equipment)

    Internal/Controlled

     

    Office of the Corporate Controller (Cost Analysis and Property Inventory)

    Penn State Identification Number (PSUID)

    Internal/Controlled

    AD19 (Use of Penn State Identification Number and Social Security Number) applies

    Chief Privacy Officer

    Purchasing and receiving reports

    Internal/Controlled

     

    Purchasing departments, Accounting Operations and Finance Offices throughout PSU

    Purchasing receipts

    Internal/Controlled

     

    Purchasing departments, Accounting Operations and Finance Offices

    Research data NOT subject to contractual, legal, or regulatory restrictions

    Internal/Controlled (until released by researcher)

    PSU researchers have a dual obligation to disseminate research results for public benefit (RA24) and disclose all research intellectual property to the Office of Technology Management (IP01).

    Office of the Vice President for Research

    Sponsored Project contracts, grants and associated protocols

    Internal/Controlled

     

    Office of the Vice President for Research, Sponsored Programs, Research Accounting and Administrative Research departments

    Staff Directories

    Internal/Controlled

     

    Office of Human Resources

    Travel reimbursement forms (unless a specific credit card number or SSN is included)

    Internal/Controlled

     

    Office of the Corporate Controller and Finance Offices throughout PSU

    Access control system data (e.g., key card database(s), ID card database(s))

    Restricted

    AD65 (Electronic Security and Access Systems) applies

    Office of Physical Plant; University Police and Public Safety

    Active library circulation records

    Restricted

     

    University Libraries

    Admission and financial aid information

    Restricted

     

    Undergraduate and Graduate Admissions offices; Office of Student Aid

    Building HVAC Monitoring/Control data

    Restricted

     

    Office of Physical Plant

    Building safety plans

    Restricted

     

    Office of Physical Plant; University Police and Public Safety

    Bursar bills that are personally identifiable

    Restricted

     

    Office of the Bursar

    Customer credit card numbers (PCI must also be taken into account)

    Restricted

    FN07 – Electronic Payments - Credit Cards (Formerly Credit Card Sales)

    Office of the Corporate Controller; All PSU merchants

    Details of University Budgets

    Restricted

     

    Office of the Corporate Controller and applicable units

    Disability status other than aggregate statistics

    Restricted

     

    Office of Human Relations; Disability Services; Affirmative Action Office

    Donor information

    Restricted

     

    Office of the Vice President for Development and Alumni Relations; Development Offices

    Driver’s License numbers

    Restricted

     

    Chief Privacy Officer

    Employee background check information

    Restricted

     

    Office of Human Resources and unit Human Resources representatives

    Employment Applications

    Restricted

     

    Office of Human Resources and unit Human Resources representatives

    Ethnicity data other than aggregate statistics

    Restricted

     

    Office of Human Relations; Educational Equity; Affirmative Action Office

    Faculty tenure and review information

    Restricted

     

    Academic Deans

    Faculty/staff emergency contact information

    Restricted

     

    Office of Human Resources and unit Human Resources representatives

    Human Subject Information (May have additional security requirements as identified by the originator or the Institutional Review Board)

    Restricted

    RA14 (The use of Human Subjects in Research) applies

    Institutional Review Board; Office of the Vice President for Research

    Individual benefit elections

    Restricted

     

    Central OHR and Human Resource Departments throughout PSU

    Information to/from University Legal Counsel unless otherwise designated

    Restricted

     

    Office of General Counsel

    Intellectual property information owned by Penn State

    Restricted

    RA11 (Patents and Copyrights (Intellectual Property)); RA12 (Technology Transfer and Entrepreneurial Activity (Faculty Research))

    Office of Technology Management

    Non-directory information, to include photographs of individuals unless permission has been obtained for their use

    Restricted

    AD11 (University Policy on Confidentiality of Student Records) defines what is and is not Directory information

    Office of the Registrar

    Other SCADA Monitoring/Control Data

    Restricted

     

    Office of Physical Plant

    Passport number

    Restricted

     

    Chief Privacy Officer

    Password or other system access control information (to include biometric identification parameters)

    Restricted

     

    ITS for central services; unit IT for College, Campus or local units (subject to overall University Policy)

    Personally identifiable bank account/routing numbers

    Restricted

     

    Chief Privacy Officer and Payroll

    Personally identifiable grade or transcript information

    Restricted

     

    Office of the Registrar

    Personally Identifiable Health Information (PHI). May also be subject to HIPAA controls

    Restricted

    AD22 (Health Insurance Portability and Accountability Act) applies

    Chief Privacy Officer and covered components

    Police Officer’s personal contact information

    Restricted

     

    University Police and Public Safety

    Proprietary information obtained under a Nondisclosure Agreement (NDA)

    Restricted

     

    Data Originator. Protection must be provided by the unit and individuals involved with the NDA

    Purchasing Card (PCard) number

    Restricted

     

    Corporate Controller’s office

    Research data subject to contractual, legal, or regulatory restrictions (e.g., classified data, export controlled data, proprietary data, human subjects data, personally identifiable health information)

    Restricted

    See RA18 (Federal Export Regulations), RA14 (Use of Human Participants in Research), RA22 (HIPAA), and RA23 (HIPAA-Hershey)

    Office of the Vice President for Research

    Salary and tax information related to individuals

    Restricted

     

    Office of Human Resources and unit Human Resources representatives

    Security camera recordings

    Restricted

    AD65 (Electronic Security and Access Systems) applies

    University Police and Public Safety

    Security settings or details of security configurations (e.g., detailed firewall rulesets)

    Restricted

     

    IT in the affected units

    Social Security Numbers

    Restricted

    AD19 (Use of Penn State Identification Number and Social Security Number) applies

    Chief Privacy Officer, data steward and unit with authorization to use

    Staff employee review information

    Restricted

     

    Office of Human Resources and applicable units

    Student Academic Actions (e.g., drops, holds)

    Restricted

     

    Office of the Registrar

    Student Emergency Contact Information

    Restricted

     

    Office of Student Affairs

    Workman’s Compensation or Disability Claims

    Restricted

     

    Office of Human Resources and unit Human Resources representatives

    Technology licensing and invention disclosure information

    Restricted

    RA11 (Patents and Copyrights (Intellectual Property)); RA12 (Technology Transfer and Entrepreneurial Activity (Faculty Research))

    Office of Technology Management

    FURTHER INFORMATION:

    For questions, additional detail, or to request changes to this policy, please contact Security Operations and Services.


    Effective Date: October 12, 2012
    Date Approved: September 10, 2012
    Date Published: October 12, 2012 (Editorial changes, January 29, 2014)

    Most recent changes:

    Revision History (and effective dates):
