Data Classification
Purpose
The purpose of this policy is to establish a consistent framework for classifying Hamilton College's information assets based on their sensitivity, value, and criticality. Proper classification ensures that data is appropriately protected against unauthorized access, theft, corruption, or exposure that could harm the institution, its employees, or constituents. By classifying data appropriately, the College can apply proportionate security measures where they are most needed.
Hamilton College must comply with various regulatory requirements that mandate the protection of specific types of information, including the Gramm-Leach-Bliley Act (GLBA), Family Educational Rights and Privacy Act (FERPA), New York State SHIELD Act, and other applicable regulations. This policy helps ensure compliance by identifying data subject to these regulations and establishing appropriate protection standards.
Effective data classification enables Hamilton College to:
- Prioritize security resources toward the most sensitive information
- Reduce institutional risk and maintain regulatory compliance
- Ensure business continuity and protect institutional reputation
- Promote responsible data stewardship across the organization
- Enable appropriate information sharing while protecting sensitive data
Scope
The scope of this policy includes all information assets governed by Hamilton College. All personnel and third parties who have access to or utilize Hamilton College information assets, including data at rest, in transit, or in process, shall be subject to these requirements.
This policy applies to all forms of data including but not limited to electronic data, physical documents, verbal communications containing sensitive information, and data processed or stored in cloud environments.
The policy does not apply to personal information of individuals that is not collected, stored, or processed for College purposes; public information from external sources that is not modified or repackaged by the College; or personal academic work of students that is not subject to research data requirements.
Policy
All institutional data must be protected in accordance with its sensitivity, value, and criticality to Hamilton College's operations and reputation. The Data Governance Committee defines reasonable and appropriate protection measures based on a risk-based approach. By classifying data according to the requirements outlined in this policy, Hamilton College can effectively allocate security resources, meet regulatory obligations, and protect the privacy and integrity of information entrusted to the institution. The following sections establish the framework and requirements for data classification at Hamilton College.
Hamilton College's Data Governance Policy establishes the governance framework, roles, and responsibilities for data management across the institution. This Data Classification Policy operates within that broader governance structure, with specific focus on the classification and protection of information assets. The Data Governance Policy defines key roles including Data Trustees, Data Stewards, Data Custodians, and Data Users/Requesters, each with specific responsibilities related to data classification and protection. These roles work together to ensure that institutional data is appropriately classified, protected, and managed throughout its lifecycle.
Data Stewards have primary responsibility for identifying and classifying information assets within their areas of oversight. They determine the appropriate classification level based on the criteria outlined in this policy and ensure that appropriate security controls are implemented. Data Stewards also initiate reclassification when necessary due to changes in data content, structure, or applicable regulations.
The Data Governance Subcommittee provides collective governance and oversight of data classification standards and practices, resolving disputes and offering guidance on complex classification decisions.
For detailed information on governance roles, responsibilities, and the organizational structure for data management, refer to the Data Governance Policy.
Hamilton College employs a tiered classification model that categorizes data based on the potential impact of compromise to confidentiality, integrity, or availability. This approach allows for proportional application of security controls based on risk level. The classification levels form a hierarchy of sensitivity, with corresponding protection requirements that increase with higher classification levels.
Hamilton has established the following data classifications:
- HIGH - Information assets whose loss, corruption, or unauthorized disclosure would cause SEVERE personal, financial, or reputational harm to the institution, employees, or the constituents we serve, or would result in regulatory or government sanctions such as violations of federal or state laws or security breaches that result in the compromise of customer or associate private information. Information of this type requires significantly more security controls for accessing, storing or processing.
Common examples include but are not limited to:
- Banking and financial information
- Protected health information (PHI) covered under HIPAA
- Personal financial information covered under GLBA
- Elements of student records protected under FERPA
- Legal name as protected by NYS HRL's definition of gender identity or expression
- Credit/debit card information (if collection is authorized)
- Faculty and staff personnel records
- Information systems' authentication data (passwords, private keys)
- Sensitive network or information system documentation
- Biometric data
- Precise geolocation data tied to identifiable individuals
- Non-public research data concerning vulnerable populations
- Legally privileged information
- MODERATE - Information assets whose loss, corruption, or unauthorized disclosure would cause LIMITED personal, financial, or reputational harm to the institution, employees, or our constituents.
Common examples include but are not limited to:
- Contracts and legal information not containing HIGH data
- Institutional research data (in aggregate form)
- Employment applications (without SSNs or other HIGH data)
- Budget information (non-public)
- Non-sensitive survey data
- Aggregated analytics data that cannot identify individuals
- Meeting minutes containing non-public decisions
- Intellectual property not classified as HIGH
- Facilities management information (excluding security systems)
- Donor information (excluding financial account details)
- Partnership agreements
- Internal communications not containing HIGH data
- LOW - Information assets whose loss, corruption, or unauthorized disclosure would cause MINIMAL or NO IMPACT to the institution or institutional functions.
Common examples include but are not limited to:
- Publicly accessible data
- Marketing materials and public press releases
- Course catalogs and public academic program information
- Public research publications
- Public event information
- Public directory information (as defined under FERPA)
- Public-facing website content
- Building maps and general campus information
- Published financial information (e.g., annual reports)
- Job postings
- General organizational structure information
- UNCLASSIFIED - Information assets that have not yet been classified. All information assets default to this state prior to classification. Unclassified data should be handled as MODERATE data until properly classified.
- PROHIBITED - Information types that require extraordinary protection and explicit authorization for access, processing, or transmission. These information types may be collected or processed by Hamilton College, but are not accessible for processing or transmission without the explicit written request and approval of the VP of LITS, Director of Information Security and Privacy, and appropriate data trustee. Examples include Social Security Numbers, passport numbers, driver's license numbers, government-issued identification numbers, and credit card holder data stored outside of approved payment processing systems.
The data classification should be determined based on the highest applicable impact level across these criteria. For example, if data has a HIGH confidentiality impact but a MODERATE integrity impact, it should be classified as HIGH.
Information assets shall be handled according to their prescribed classification, including access controls, labeling, retention policies and destruction methods. The specific methods must be described in the Data Handling Policy.
Any information system that stores, processes or transmits institutional data shall be secured in a manner that is considered reasonable and appropriate to the data classification. Individuals who are authorized to access institutional data shall adhere to the guidelines set forth in the documentation approved by the Enterprise Information Committee.
No unauthorized use, handling, transmission, or other form of dissemination of institutional data is permitted.
A re-evaluation of classified data assets will be performed at least once per year, or as needed as defined by the appropriate Data Steward. Re-classification of data assets should be considered whenever the data asset is modified, retired or destroyed.
Data Stewards are responsible for initiating the re-classification process when:
- The sensitivity or criticality of the data changes
- The regulatory requirements applicable to the data change
- The data structure or content is significantly modified
- New use cases for the data are introduced
The re-classification process must be documented and approved by the appropriate Data Steward and, if necessary, the Data Governance Subcommittee.
Classification Inheritance
Assets, logical or physical, that "contain" a data asset may inherit classification from the data asset(s) contained therein. In these cases, the inherited classification shall be the highest classification of all contained data assets.
For example:
- A database containing both HIGH and MODERATE data should be classified as HIGH
- A report that combines LOW and MODERATE data should be classified as MODERATE
- A system that processes multiple data classifications should be protected according to the requirements of the highest classification
Data Aggregation
Individual data elements that may be classified as LOW or MODERATE when isolated can sometimes reveal sensitive information when combined or aggregated, requiring a higher classification level that warrants stronger protection.
Data Stewards must consider potential aggregation impacts when:
- Creating reports that combine multiple data sources
- Designing datasets for analysis or distribution
- Establishing access controls for systems containing diverse data elements
- Approving data sharing requests that involve multiple data types
Examples of data aggregation requiring elevated classification include, but are not limited to:
- Demographic Data: Individual demographic attributes (such as age range, general location, or academic status) might each be classified as LOW or MODERATE when standalone. However, when combined to create detailed demographic profiles that could potentially identify specific individuals, the aggregated dataset should be classified as HIGH, especially in small population segments where individuals might become identifiable.
- Research Data: Non-sensitive research parameters might individually be classified as MODERATE, but when combined to reveal patterns in human subject research, the aggregated dataset might require HIGH classification due to privacy implications.
- Academic Performance Data: Course enrollment (LOW) combined with grade distributions (MODERATE) and student demographics (MODERATE) could potentially identify specific students' academic performance, warranting HIGH classification for the combined dataset.
When evaluating data access requests or designing information systems, Data Stewards should assess not only the classification of individual data elements but also the potential sensitivity of the combined dataset. If aggregation creates a dataset that presents greater privacy, security, or compliance risks, the classification must be elevated accordingly.
Any third-party providers or vendors that will collect, store, or process data on behalf of the College must be vetted to ensure their ability to protect the confidentiality, integrity and availability of College data. This is done through the vendor assessment process, managed by the Director of Information Security in coordination with the Auxiliary Services office.
No unauthorized use, handling, transmission, or other form of dissemination of institutional data to third-party providers or vendors is permitted.
Users who violate this policy may be denied access to the institution's resources and may be subject to penalties and disciplinary action, both within and outside of the institution. The institution may temporarily suspend or block access to an account, prior to the initiation or completion of such procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of institution or other computing resources or to protect the institution from liability.
Violations of this policy will be addressed according to the severity of the violation:
- Unintentional violations may result in remedial training and counseling
- Repeated violations may result in loss of access to certain systems or data
- Serious or intentional violations may result in disciplinary action up to and including termination
- Violations involving legal requirements may be reported to appropriate authorities
Exceptions to this policy must be approved in advance by the Vice President of Library and Information Technology Services, Director of Information Security and Privacy, and the Data Steward responsible for oversight of the requested data. Approved exceptions must be reviewed and re-approved not less than annually.
All exception requests must:
- Clearly identify the specific policy requirement(s) for which an exception is sought
- Provide business justification for the exception
- Detail the mitigating controls that will be implemented to reduce risk
- Specify the duration for which the exception is requested
- Be documented in the college's exception management system
Last Reviewed: January 2026