Data Classification Levels
Sensitive Data
For purposes of the Data Classification Policy and other Information Security Policies, Sensitive Data include, but are not limited to:
Personally Identifiable Information (PII): any information about an individual that
(a) can be used to distinguish or trace an individual’s identity, such as name, date and place of birth, mother’s maiden name, or biometric records,
(b) is linked or linkable to an individual, such as medical, educational, financial, and employment information, which, if lost, compromised, or disclosed without authorization, could result in harm to that individual, and
(c) is protected by international, federal, state, or local laws and regulations or industry standards.
Examples of PII include, but are not limited to, any information concerning a natural person that can be used to identify that person, such as name, Jenzabar ID number, Moravian NetID, email address, personal mark, or other identifiers, in combination with any one or more of the following:
- Password
- Social security number / national identification number
- Driver’s license number or non-driver identification card number
- Vehicle registration plate number or title number
- Visa permit number
- Passport number
- Bank account number
- Credit or debit card number
- Human resources information, such as salary and employee benefits information
- Non-public personal and financial data about donors
- Law enforcement or court records and confidential investigation records
- Citizen or immigration status
- Device identifier and serial number
- Web Universal Resource Locator (URL)
- Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people
- Web cookies
- Personal characteristics, including x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry)
- Any other unique identifying number, characteristic, code, or combination that allows identification of an individual
Protected Health Information (PHI): any information processed, transmitted, or stored by a Covered Entity or Business Associate that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for health care and:
(a) identifies the individual or
(b) for which there is a reasonable basis to believe that the information can be used to identify the individual.
The University’s Legal Counsel, Health Center Coordinator, VP of Human Resources, VP of Student Life, and Director of Information Security are responsible for determining whether particular information maintained or disclosed by Moravian constitutes PHI.
Examples of PHI include, but are not limited to, any health information about an individual, in combination with any one or more of the following:
- Name
- Geographic subdivision smaller than a state
- Any element of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, or date of death
- Telephone number
- Fax number
- Electronic mail address
- Social security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/License number
- Vehicle identifier and serial number, including license plate number
- Device identifier and serial number
- Web Universal Resource Locator (URL)
- Internet Protocol (IP) address number
- Biometric identifier, including finger and voiceprint
- Any other unique identifying number, characteristic, code, or combination that allows identification of an individual
Gramm-Leach-Bliley Act (GLBA): Title IV of the Higher Education Act of 1965 (the HEA, reauthorized and amended by the Higher Education Opportunity Act of 2008, the HEOA) covers the administration of the United States federal student financial aid programs. This includes personal financial information held by financial institutions and higher education organizations as related to student loan and financial aid applications.
Examples of GLBA data include, but are not limited to, any personally identifiable information in combination with:
- FAFSA/ISIR Data
- Financial Aid Award Information
- Any/all personal or financial information/documents used to verify FAFSA data and/or administer financial aid programs
- Loan information
- Payment history
Human Subjects Research: research where the researcher (the investigator) observes, interacts, obtains, or creates data that would be considered private. Almost all Human Subjects Research carries risk in collecting private data, which is or can be linked to Personally Identifiable Information.
Confidential Data
For purposes of the Data Classification Policy and other Information Security Policies, Confidential Data include, but are not limited to:
FERPA: Student education records that are directly related to prior, current, and prospective University students and maintained by Moravian or an entity acting on Moravian’s behalf, but not including (a) “directory information,” such as a student’s name, address, degrees and awards, subject to certain requirements as specified in FERPA and the University’s FERPA policies or (b) such records disclosed to school officials with legitimate educational interests or to organizations conducting certain studies on Moravian’s behalf.
- Grades
- Course enrollments
- Applicant financial and household information
- Financial aid eligibility and award amounts
- Unpublished research data (non-human subjects research)
- Nonpublic intellectual property, including invention disclosures and patent applications
- Externally funded research subject to confidentiality requirements
- Information received under grants and contracts subject to confidentiality requirements
Additionally, confidential data includes information pertaining to University operational planning, technical operations, or operational security, including but not limited to:
- Unpublished University financial information, strategic plans, and real estate or facility development plans
- Information on information technology systems configurations
- Information on facilities security systems, including electronic and manual security system operational and configuration documentation
Private Data
Any information that is not contractually protected as confidential or restricted by law or by contract and any other information that is considered by the University as not appropriate for public disclosure.
By default, all Institutional Data that is not explicitly classified as Sensitive, Confidential, or Public data should be treated as Private data.
For purposes of the Data Classification Policy and other Information Security Policies, Private Data include, but are not limited to:
- Internal operating procedures and operational manuals
- Internal memoranda, emails, reports, and other documents
- Facilities technical documents such as floor plans and building systems documentation (non-security systems)
Public Data
For purposes of the Data Classification Policy and other Information Security Policies, Public Data include, but are not limited to:
- General access data on sanctioned Moravian-affiliated websites and applications
- University financial statements and other reports filed with federal or state governments and generally available to the public
- Copyrighted materials that are publicly available
- Directory information under FERPA
  - Name, local and permanent address, and phone number
  - Jenzabar ID number
  - Email address
  - Major field of study
  - Dates of attendance
  - Degrees, honors, and awards received
  - Participation in officially recognized activities and sports
  - Weight and height of members of athletic teams
  - The most recent previous educational agency or institution attended by the student
  - Enrollment status (undergraduate, graduate, freshman, part-time, full-time)