Data Classification Standard

Data classification is the process of organizing data into information security categories in support of data security handling requirements. 

Data classification, data privacy, and protection standards at Towson University require that every employee takes appropriate measures to safeguard the confidentiality, integrity, availability, and quality of data throughout its lifecycle, from creation to destruction.

Classifications of Data

TU categorizes data into three types (Public, Protected, and Confidential) to provide guidance on the proper handling of that data:

Level 1 - Public Data

Data intended for general public use. An example is the university’s online directory.

Level 2 - Protected Data

Protected is the default classification of data at TU. Protected data is considered private and intended for internal use only. It includes all data which are not legally restricted, and which may be accessed by university employees in the performance of official university business. Examples include, but are not limited to non-sensitive FERPA PII data, TU ID numbers, and third-party contracts.

Level 3 - Confidential Data

Confidential data is sensitive information that needs to be carefully protected from unauthorized access (data as defined under HIPAA, PCI or other federal law). Examples include, but are not limited to medical records, financial data, credit card payment data, sensitive FERPA PII data, background checks for employment or business-related information, and Personally Identifiable Information (PII).

PII, as defined in the Maryland Code under State Government Article §10-1301, is an individual’s first name or first initial and last name, personal mark, or unique biometric or genetic print or image, in combination with one or more of the following data elements:

  • a social security number.
  • a driver’s license number, state identification card number, or other individual identification number issued by a unit.
  • a passport number or other identification number issued by the United States government.
  • an individual taxpayer identification number.
  • a financial or other account number, a credit card number, or a debit card number that, in combination with any required security code, access code, or password, would permit access to an individual’s account. 

Sensitive FERPA PII, consists of data that falls under PII as defined in the Maryland Code under State Government Article, §10-1301 and / or that may be considered harmful to an individual or Towson University in the event of unauthorized access.

Questions

Questions or other comments on these standards should be directed to the Office of Technology Services (OTS) by submitting a TechHelp service request. Requests for exceptions or guidance should also be directed to OTS.  

Related Resources

Release of Student Information Under FERPA
Data Use Standards (PDF)

Adobe Reader Download button