Data Classification Best Practices

Sensitive data that is distributed internally or externally should be classified so that media of varying types can be managed appropriately.

KCTCS has a signed Business Associate's Agreement (BAA) with Microsoft to reasonably safeguard personal data against inappropriate use and/or disclosure. Users who need to store and/or share their private data using OneDrive should turn on auditing. If an account is compromised, auditing allows a user to see when a file was created, who read it and when, who edited it, and even who searched for it. This is important information to have in the event of an account compromise.

What is sensitive data and how can it be defined? 

According to KCTCS policy 4.2.5, section 4.2.5.3, sensitive data can be classified into three subtypes:

  • Confidential
  • Restricted
  • Public

Classification Types and Data Elements

Confidential information, the highest level of sensitivity, is defined as information that could cause substantial damage to, or liability for, KCTCS if treated irresponsibly.

Confidential Information

Confidential information is information that could cause substantial damage to, or liability for, KCTCS if treated irresponsibly. This information is subject to disclosure upon appropriate legal and administrative review.

Restricted Information

Restricted information is information that requires special safeguards beyond those taken for public information.

Public Information

Public information, the lowest level of sensitivity, may be released according to rules, guidelines, and definitions developed to safeguard the information entrusted to KCTCS.

Data Classifications

The goal of information security, as stated in the KCTCS Information Security Policy, is to protect the confidentiality, integrity and availability of Institutional Data. Data classification reflects the level of impact to KCTCS if confidentiality, integrity or availability is compromised.

| Data Element | Classification |
|---|---|
| Foundation Donor Information - all data in Donor Database | Confidential |
| Health Information (Email, Medical Records, Patient Information, Dates, Certain Business Numbers, etc…) | Confidential |
| Social Security number | Confidential |
| Driver's License number | Confidential |
| Passport number | Confidential |
| Visa number | Confidential |
| Certificate/License number | Confidential |
| All payment card data (including all credit/debit cards and cardholder information) | Confidential |
| Bank Account Number or other financial account numbers | Confidential |
| Student Loan Information (Account Numbers, Credit Information, etc.) | Confidential |
| Passwords, passphrases, PIN numbers, security codes, access codes | Confidential |
| Student Academic Transcript | Confidential |
| Student Ethnicity | Confidential |
| Student Country of Birth or Citizenship | Confidential |
| Emergency contact | Restricted |
| Ethnicity | Restricted |
| Military Status | Restricted |
| Veteran Status | Restricted |
| Citizenship | Restricted |
| Visa status | Restricted |
| Country of birth or citizenship | Restricted |
| Job action reason (e.g. terminations or leave) | Restricted |
| Benefits enrollment info | Restricted |
| Payroll information (e.g. taxes, deductions, etc.) | Restricted |
| Marital Status | Restricted |
| Date of Birth/Age, place of birth | Restricted |
| Name – Employee/Student | Public |
| Address | Public |
| Telephone Number(s) | Public |
| Dates of first and last employment | Public |
| Compensation | Public |
| Job Title | Public |
| Job Description | Public |
| Business Address | Public |
| Business Telephone Number | Public |
| Previous work experience | Public |
| Education & Training Background | Public |
| Home Mailing Address | Public |
| Major field of study; Dates of attendance; Degrees and awards received; The most recent previous educational agency or institution attended by the student | Public |