Data Protection Procedures for Complying with the Data Classification Policy

I. Purpose

The purpose of these procedures is to provide written guidance that describes how to comply with the university’s Data Classification Policy.

II. Coverage

All persons or entities who have access to Institutional Data are expected to be familiar with and to follow these procedures. This includes, but is not limited to, university faculty, faculty emeriti, staff, students, officers, trustees, volunteers, guests, vendors, consultants, and service providers.

III. Definitions 

For the definition of terms used in these procedures, please see Puget Sound’s Data Classification Policy.

“Endpoint” refers to any laptop, desktop, or mobile computing device.

IV. Procedures

For questions about these procedures as they relate to specific Institutional Data, please contact the responsible Data Steward.

A. Determining Data Classification

  1. Data Classification Workflow 
  2. See Procedure Appendices A and D for examples of data classifications.
  3. Consult the Data Steward for classification.

B. Protecting Data Classified as Confidential or Controlled 

Data Protection at Puget Sound

  1. Access, use, and sharing
    Confidential or Controlled Data, including verbal or written information, must be shared only with those who have a legitimate business need. Usage of such data should take place on university-supported services or systems (see Appendices B and C) and may require special training, data use agreements, or other procedures. Protection of Confidential or Controlled Data is the responsibility of all Data Users.

    Alternatives to using Confidential Data should be identified and used whenever possible. Where individuals require access to Confidential Data for legitimate business purposes, approval from the Data Steward must be documented.

    Confidential Data must be protected even if the data is allowed to be shared outside the university. Disclosure or sharing of Confidential Data to a third-party agent or vendor is permitted only if approved by the Data Steward and if the agent or vendor assumes the same obligation to safeguard the data and comply with all applicable laws and regulations as the university.
     
  2. Storage and protection
    Confidential Data in paper form must be stored in locked cabinets or safes in secured areas when not in active use. Controlled Data in paper form should be stored in locations with restricted access and should not be accessible to the public or the university community at large.

    Confidential Data in electronic form must be stored encrypted in systems and/or databases and/or portable media, with the data encryption implementation proportional to the protection needs of the data. Confidential or Controlled data in electronic form must be stored securely according to established policies and/or procedures. Confidential or Controlled data stored, processed, or managed by vendors or other third parties must also be similarly protected. 

    Confidential or Controlled Data should not be transferred from university premises or systems/devices unless a legitimate business need exists. Upon termination of any assignment or as requested by the Data User’s supervisor/department chair, any and all such materials, including copies thereof, must be returned to the Data User’s supervisor/department chair or their designee.

    Appendix B identifies minimum security requirements for endpoints that may store institutional data.

    Appendix C identifies commonly used Institutional Data Systems and indicates which classifications of data are allowed to be stored on the systems.

    Appendix D identifies data subject to external laws and/or regulations that may require additional controls for storage and protection. 
     
  3. Transmission
    Reports and communications should not include Confidential Data except when required. Transmission of Confidential Data must be by secure methods and should reach only the intended recipient. If Confidential or Controlled Data is transmitted electronically, it must be encrypted, using encryption methods proportional to the protection needs of the data, to ensure that it does not traverse networks in clear text. The electronic exchange of Confidential or Controlled Data outside of the university must have proper approval and follow documented procedures. An explicit discussion of data handling requirements by the external recipient should precede transmission.
     
  4. Labeling
    Confidential Data should be clearly labeled as such, in order to notify Data Users to treat the information accordingly. Labeling of Controlled Data is encouraged, but not required, for internal use and distribution. If there is a contract or other agreement that has been executed relative to a partnership or digital platform for the exchange of data, the contract/agreement should be referenced to determine any specific labeling standards.
     
  5. Destruction of Confidential or Controlled Data:
    Institutional Data should be maintained consistent with relevant university record retention policies and procedures.

    According to university record retention policies and procedures, when Institutional Data that is classified as Confidential or Controlled is no longer needed and is not subject to a legal hold, it must be disposed of in a manner that makes the data no longer readable or recoverable. 

    Destruction of paper records containing Confidential or Controlled Data usually should be accomplished by confidential shredding. 

    Destruction of electronic records containing Confidential or Controlled Data begins with deleting the data from its storage location(s), i.e. from all systems and devices including email, trash, backup, and file storage. Disposal of electronic media containing Confidential or Controlled Data should adhere to industry-recognized guidelines for media sanitization. For questions on data destruction, contact Technology Services.
     
  6. Reporting Unauthorized Disclosure:
    All suspected or confirmed incidents involving the unauthorized disclosure of Confidential or Controlled Data, including data breaches involving third-party vendors, must be immediately reported to Technology Services. Incidents may be reported using this form. Technology Services Information Security will coordinate with the relevant offices to ensure timely investigation, containment, mitigation, and reporting. 

C. Information Use & Security Policy

Please also refer to and follow (as applicable) the university’s Information Use & Security Policy.

 

Procedure Owner: Data Governance Committee
Procedure Contact: datagovernance-chairs@pugetsound.edu
Date Adopted: June 3, 2026
Date Last Reviewed: June 3, 2026
Date Last Revised: June 3, 2026


 

Appendix A - Data Classification Examples

The list of examples below is provided to assist Data Stewards with determining the risk classification of Institutional Data for which they are responsible.

Data Classification Examples (non-exhaustive)
Confidential*
  • Attorney/client privileged records
  • Account passwords and cryptographic keys
  • Current or prospective donor giving information
  • Reports to the Board of Trustees committees or subcommittees, President, and/or President’s Cabinet unless approved for sharing by the Board Secretary
  • Vendor non-disclosure agreements 
  • Gifts or grants from donors or foundations who request to remain anonymous
  • Investments that are not publicly-traded
  • Student education records
  • Patient records
  • Certain Uniform Guidance audit-required disclosures
  • Any university information labeled “confidential”
Controlled
  • Internal emails and memos
  • Non-public reports, plans, budgets, financial info
  • Employee (faculty and staff) personnel information and personnel files
  • Employee personal contact information
  • Specific physical or technical security measures
  • Budget variance reports and other internal budget reports and financial statements, including data from PeopleSoft Financials
  • University Committee or Task Force reports and presentations to the campus community (e.g., Budget Task Force)
  • Class Syllabi
  • Financial modeling and projections
  • Any university information labeled “controlled”
Unrestricted
  • Campus Maps
  • Campus Postings and Events Notices
  • Public-facing websites
  • Published research
  • Job postings
  • Course listings
  • Audited financial reports (financial statements) available on the public website
  • Financial information for bondholders available on the public website
  • Publicly available endowment information
  • Student directory information
  • Any other university information that is available to the public

*Please see Appendix D for an extended list of data subject to laws and regulations.

Appendix B - Minimum Endpoint Security Standards

An endpoint refers to any laptop, desktop, or mobile computing device. If you use a personally-owned endpoint to access Institutional Data, you are responsible for properly securing it according to the minimum standards set for the data's classification level. In general, university-managed endpoints are configured to meet these standards. Exceptions may be granted on a case-by-case basis following consultation with Technology Services.  For questions on implementing these standards, contact Technology Services.

R - Required; S - Suggested
 

Standard Procedure Unrestricted Controlled Confidential
OS Patching
  • Use a supported operating system version. 
  • Apply security updates promptly and enable automatic updates where possible.

S

R

R
Software Patching
  • Only install and run supported software. 
  • Promptly update browsers and core business/productivity software. 
  • Enable automatic updates where possible.

S

R

R
Malware Protection
  • Install and run anti-malware software.

S

R

R
User Authentication
  • Use unique user accounts to access endpoints. 
  • Create passwords that match the requirements for a Puget Sound login.

S

R

R
Full Disk Encryption
  • Enable BitLocker for Windows or FileVault for Mac.

S

S

R
Automatic Screen Lock
  • Activate a screen lock after 15 minutes of inactivity.

S

S

R
Disposal of Endpoint
  • Ensure disposal of electronic media adhere to industry-recognized guidelines for media sanitization.

S

R

R

Appendix C - Approved Institutional Data Systems

This table indicates which classifications of data are allowed on commonly used Institutional Data Systems. Please consult with Technology Services if you have questions about a specific system as this list is non-exhaustive. 

IMPORTANT NOTE - Please review Appendix D for data classified as Confidential-Regulated, as there may be specific requirements that preclude the usage of the systems below. Please contact Technology Services for assistance handling these types of data. 
 

Institutional Data System

Unrestricted

Controlled

Confidential

25Live Room Scheduling

Y

Y

N

Bill + Payment (TouchNet)

Y

Y

Y

Canva

Y

Y

N

Canvas

Y

Y

Y

CHWS Communication Portal (PointnClick) 

Y

Y

Y

Compliance Training (Vector LMS)

Y

Y

N

Coursedog

Y

Y

N

DocuSign

Y

Y

N

Drupal Website CMS

Y

N

N

Facilities Services Work Order Requests (Brightly Asset Essentials)

Y

Y

Y

Google Workspace

 

     Google Calendar

Y

Y

N

     Google Drive

Y

Y

Y

     Google Gemini

Y

Y

Y

     Google Groups

Y

Y

N

     Google Mail

Y

Y

N

     Other Google Workspace Applications

Y

Y

N

Handshake

Y

Y

Y

International Programs Portal (Terra Dotta)

Y

Y

Y

KnowBe4 Security Awareness Training

Y

Y

Y

Maxient

Y

Y

Y

Mediagraph Photo Archive

Y

Y

N

Medial

Y

Y

N

Millennium 

Y

Y

N

myPugetSound (PeopleSoft Campus)

Y

Y

Y

Network File Shares

Y

Y

Y

OptiSigns

Y

Y

N

PCS Print Shop (My Order Desk)

Y

Y

N

PeopleSoft Financials

Y

Y

Y

PeopleSoft Human Resources

Y

Y

Y

Raiser’s Edge NXT

Y

Y

Y

SAA Accommodate 

Y

Y

Y

ShareFile

Y

Y

Y

Slate 

Y

Y

Y

Snowflake

Y

Y

Y

Sounding Board ePortfolios (Digication)

Y

Y

N

StarRez

Y

Y

Y

Support Portal (TeamDynamix)

Y

Y

Y

Tableau Server

Y

Y

Y

WCOnline

Y

Y

N

WordPress

Y

N

N

Zoom

Y

Y

Y
Appendix D - External Laws and Regulations

Institutional Data may be subject to external laws and regulations, or institutional contractual requirements. Such “Confidential-Regulated” data may have higher or more specific security controls for data or systems. Please contact Technology Services for assistance. Below is a list of primary data privacy laws that affect Institutional Data or classes of high risk data. 

The Family Educational Rights and Privacy Act (FERPA) is a federal law that governs access to student educational records.

Student education records are generally classified as Confidential-Regulated, unless there is a specific FERPA exception. 

Examples of education records include:

  • Student demographic information (e.g. citizenship, gender, ethnicity, religious preference)
  • Student conduct and disciplinary records
  • Student academic records (e.g. transcripts, GPA, grades)
  • Student advising records 
  • Student medical treatment records
  • Student psychological treatment records

Student directory information under FERPA is an exception and this information is classified as Unrestricted. 

Student directory information encompasses the following:

  • Name
  • Enrollment Status
  • Class Schedule
  • Dates of Attendance
  • Class Standing
  • Program of study to include major, minor, or emphasis
  • Honors and awards to include Dean’s List
  • Degree(s) conferred and graduation date(s)
  • Attendance at other educational institutions
  • Participation in officially recognized sports or activities
  • Physical factors of athletes
  • Photograph
  • Date and place of birth
  • Campus mailbox
  • Local address
  • Permanent address
  • Telephone numbers
  • Email addresses

More information:

The Gramm-Leach-Bliley Act (GLBA) is a federal law that requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. Under the GLBA, financial institutions include companies or organizations such as Puget Sound that offer consumers financial products or services like loans, financial or investment advice, or insurance.

GLBA data is classified as Confidential-Regulated. 

Examples of data protected by the GLBA include:

  • Birth certificates
  • Citizenship data
  • Date of birth
  • Death certificates
  • Details of financial transactions
  • Financial account numbers
  • Name, address, and phone numbers when collected with financial data
  • Social security number
  • Student financial aid data (includes FAFSA data)
  • Student financial data
  • Student loan data
  • Tax return data

More information:

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law that governs health information privacy. Note that student records covered under FERPA are excluded from HIPAA, and student health records are considered treatment records under Washington law.

Any data designated under HIPAA as Protected Health Information (PHI) is classified as Confidential-Regulated. 

Examples of protected PHI include:

  • Names
  • Geolocators
  • Dates (birth date, treatment date, discharge date, death date)
  • Age
  • Contact information (email address, telephone numbers, fax numbers)
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Vehicle identifiers
  • Device identifiers
  • Biometric identifiers
  • Full-face photographs or images
  • Any unique identifier

More information:

Payment Card Industry Data Security Standards are global standards issued by the Payment Card Security Standards Council and apply to all entities involved in payment card processing, including merchants (such as Puget Sound), processors, acquirers, issuers, and service providers.

Cardholder data is classified as Confidential-Regulated. 

Examples of protected cardholder data include:

  • Primary debit or credit card account number
  • Cardholder name
  • Security code (e.g. CVV or CVC)
  • PIN
  • Expiration date

More information:

The State of Washington protects certain personal information of its residents. This “Personally Identifiable Information” (PII) is any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.

PII as defined by Washington law is classified as Confidential-Regulated.

Examples of protected PII include:

  • Social security number
  • WA State ID number
  • Student, military, or passport ID number
  • Cryptographic private key
  • Financial account information
  • Full date of birth
  • Health insurance identification number
  • Biometric data
  • Username and password or security question answer

More information:

Federal Tax Information (FTI) is used in administering federal student aid programs authorized under Title IV of the Higher Education Act and is categorized as Controlled Unclassified Information (CUI). CUI is government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies. 

Any data designated under FTI is classified as Confidential-Regulated. 

Examples include:

  • Tax Year
  • Tax Filing Status
  • Adjust Gross Income (AGI)
  • Number of Exemptions and Number of Dependents
  • Income Earned from Work
  • Taxes Paid
  • Educational Credits
  • Untaxed IRA distributions
  • IRA deductible and payments
  • Tax exempt interest
  • Untaxed pension amounts
  • Schedule C net profit/loss
  • Indicators for Schedules A, B, D, E, F, H
  • IRS response code
  • Total Parent Allowances Against Income
  • Parent Payroll Tax Allowance
  • Parent Income Protection Allowance (IPA)
  • Parent Employment Expense Allowance (PEEA)
  • Parent Available Income (PAI)
  • Parent Adjusted Available Income (PAAI)
  • Parent Contribution (PC)
  • Student Payroll Tax Allowance
  • Student Income Protection Allowance (IPA)
  • Student Allowance for Parents’ Negative Adjusted Available Income
  • Student Employment Expense Allowance (SEEA)
  • Total Student Allowances Against Income
  • Student Available Income (StAI)
  • Student Contribution from Income (SCI)
  • Student Adjusted Available Income (SAAI)
  • Total Student Contribution from SAAI
  • Student total income
  • Parent total income
  • FISAP total income

More information: