Data Classification and Usage Policy

  1. Overview and Purpose
  2. Scope
  3. Data Type Definitions
  4. Examples of Data Types
  5. Data Handling Requirements and Acceptable Uses
  6. Inappropriate Uses of University Data
  7. Data Destruction Guidelines and Retention Schedule
  8. Exceptions
  9. Enforcement
  10. Reporting Violations
  11. Policy Support Contact
  12. Approval and Revisions
  13. Supporting Documentation

1.0 Overview

Information technology resources and data constitute as valuable University assets. In order to protect the security, confidentiality and integrity of University data from unauthorized access, modification, disclosure, transmission or destruction, as well as to comply with applicable state and federal laws and regulations, all University data are now classified within different levels of sensitivity, with requirements on the appropriate usage of data at each level.

2.0 Scope

This policy applies to all university employees, faculty, staff, contractors, vendors, and other personnel who are granted privileges to university data. This policy applies to all university administrative data, all user-developed data sets and systems that may access these data, regardless of the environment where the data reside (including systems, servers, personal computers, laptops, portable devices, etc.). The policy applies regardless of the media on which data reside (including electronic, microfiche, printouts, CD, etc.) or the form they may take (text, graphics, video, voice, etc.).

Bentley University also expects all employees, partners, consultants and vendors to abide by the university's information security policies. If non-public information is to be accessed or shared with these third parties, they should be bound by contract to abide by the university's information security policies.


3.0 Data Type Definitions

Level 1 - High Risk Confidential: This includes data which is protected by state or federal laws. Level 1 data if compromised by an unauthorized user can create a substantial risk of identity theft or fraud against the data owner. High risk confidential data requires formal notification to the owner of the data within a reasonable amount of time, in addition to state and federal entities, if the unauthorized acquisition or unauthorized use of unencrypted data is suspected or detected.

Level 2 - Internal Restricted: This includes data not defined as Level 1 and may be protected by applicable state or federal laws, regulations, university policy, legal contractual agreements and any university proprietary information.

Level 3 - Public (Unrestricted): This includes data for which there is no expectation for privacy or confidentiality. This data may be disclosed to any individual or entity inside or outside of the university.


4.0 Data Type Examples (not all-inclusive)

Please see the following document for further examples of data types.


5.0 Data Management Requirements and Acceptable Uses

Level 1 Data Management Requirements and Acceptable Uses: Level 1 data, whether in physical (paper) or electronic format, shall only be accessed when business requires such use and all controls shall be appropriately designed to allow for authorized access only. Protection of this data is required by law. Use of this data must not violate university policy or any applicable state and federal laws.

  • Level 1 data in an electronic format must be encrypted to be transmitted over a public network, and encryption of all data containing personal information to be transmitted wirelessly;
  • Level 1 data in an electronic format must be encrypted when stored on portable devices;
  • Level 1 data in an electronic format must be protected and accessed by a secure user authentication protocol;
  • Level 1 data in a physical (paper) format must be stored in locked receptacles and in a locked room;
  • Level 1 data in an electronic format can be stored on systems and applications residing in the university Data Center;
  • Level 1 data in either physical or electronic format can be stored by university approved third party vendors.
    • All third parties that will store level 1 data on behalf of the university must be reviewed and approved by the university’s Information Security and Privacy Administrator and General Counsel;
    • A written contractual agreement that has been reviewed by the university’s General Counsel must be in place between the university and the third party storing level 1 data on behalf of the university;
    • All contracts with third parties storing level 1 data on behalf of the university must have the appropriate contractual language included in all agreements (see Third Party Contract Boiler Plate);
    • All third party storing level 1 data must sign the university Confidentiality Agreement;

Level 2 Data Management Requirements and Acceptable Uses: Level 2 data, whether in physical (paper) or electronic format, shall only be accessed when business requires such use and all controls shall be appropriately designed to allow for authorized access only. Protection of this data is at the discretion of the owner or custodian. Use of this data must not violate university policy or any applicable state and federal laws.

  • Level 2 data can be stored in an electronic format on systems and applications residing in the university Data Center;
  • Level 2 data can be stored in an electronic format on systems and applications hosted by third party vendors.
    • A written contractual agreement that has been reviewed by the university’s General Counsel must be in place between the university and the third party storing level 2 data on behalf of the university;
    • All third parties storing level 2 data must sign the university Confidentiality Agreement;
  • Level 2 data can be stored in a physical (paper) format and should be stored in locked receptacles and rooms;
  • Level 2 data can be stored in a physical (paper) format and efforts must be made to maintain the least number of copies and storage locations as required by the business;
  • Level 2 data can be stored in an electronic format on any university owned desktops, laptops, or mobile devices;
  • Level 2 data can be stored in an electronic format in supported desktop application formats such as Microsoft Word, Excel or Access;
  • Level 2 data can be stored in an electronic format on university shared drives;
  • Level 2 data can be sent in an electronic format via email any data considered confidential should be encrypted;
  • Level 2 data in an electronic format should be accessed via a secure authentication mechanism;
  • Level 2 data transmitted in an electronic format should be encrypted to protect the privacy of the data owners when sent over a public network or wirelessly;

Level 3 Data Management Requirements and Acceptable Uses: Level 3 data, whether in physical (paper) or electronic format, that can reside in the public domain and is available to all students, faculty and staff. Protection of this data is at the discretion of the owner or custodian. Use of this data must not violate university policy or any applicable state and federal laws.


6.0 Inappropriate Uses of University Data

Inappropriate Uses of Level 1 Data (include but are not limited to);

  • Level 1 data must not be stored on any university desktops, laptops, or portable devices;
  • Level 1 data must not be stored in any desktop application formats such as Microsoft Word, Excel or Access (with the exception of data required for critical business purposes and stored in an approved, secure area);
  • Level 1 data must not be stored on any personally owned systems or portable devices;
  • Level 1 data must not be stored on any third party systems or applications without formal university approval and a written contractual agreement between the parties;
  • Level 1 data must not be transmitted via email, instant message, chat or other social media technologies;
  • Level 1 data must not be transmitted over a public network or wirelessly in an unencrypted format;
  • Level 1 data must not be used in a manner which violates university policy or any applicable state or federal laws;

Inappropriate Uses of Level 2 Data (include but are not limited to);

  • Level 2 data should not be stored on any personally owned systems or mobile devices;
  • Level 2 data should not be stored on a third party system or application without a formal written contractual agreement between the parties;
  • Level 2 data should not be transmitted via instant message, chat or other social media technologies is strongly discouraged;
  • Level 2 data should not be transmitted over a public network or a wirelessly in an unencrypted format;
  • Level 2 data must not be used in a manner which violates university policy or any applicable state or federal laws;

Inappropriate Uses of Level 3 Data (include but are not limited to);

  • Level 3 data must not be used in a manner which violates university policy or any applicable state or federal laws;

7.0 Data Destruction Guidelines and Retention Schedule

  • Data in either electronic or physical (paper) format shall be destroyed in accordance with the university’s Record Retention and Destruction Policy;
  • Data when no longer require for university purposes must destroyed by rendering the data unreadable and unable to be reconstructed in both electronic and paper formats; 
  • Data stored on university shared resources must be monitored by all departments and have policies in place to periodically review shared electronic storage areas and their physical (paper) storage areas to insure that data is being destroyed in a timely and effective manner;

8.0 Exceptions

Any exceptions to this policy are to be reviewed and approved by the Information Security and Privacy Administrator in consultation with the Information Privacy Council as needed.

9.0 Enforcement

As described in Bentley University’s Acceptable Usage Policy, anyone found to have violated this policy may be subject to disciplinary action, up to and including immediate termination.

10.0 Reporting Violations

Report suspected violations of this policy to the Information Security and Privacy Administrator, the appropriate Data Manager or the Responsible Organization/Party. Reports of violations are considered restricted data until otherwise classified.

11.0 Policy Support Contact

12.0 Approval and Revisions

  • Revision v1: Approved by the Information Privacy Committee on 01/29/2010
  • Revision v2: Approved by the Information Privacy Committee on 9/30/2013

13.0 Supporting Documentation

This policy is supported by the following policies, procedures, and/or guidelines;