Information Classification and Handling Policy
Purpose
This policy establishes a framework for classifying institutional data by level of confidentiality. It also establishes the requirement for maintaining the integrity and availability of institutional data.
Scope
All members of the Tufts community.
Policy Statement
This policy outlines broad categories of institutional data that are created, collected, licensed, maintained, recorded, used, or managed at Tufts. It also provides a three-level classification scheme for the confidentiality of institutional data and establishes the requirements to maintain the integrity and availability of institutional data regardless of its ownership or origin.
Confidentiality
This policy establishes three levels of confidentiality for institutional data. All members of the community must know the level of confidentiality for the institutional data under their care. All members of the community must manage institutional data under their care with safeguards that are commensurate with the data's level of confidentiality. This includes implementing and operating institutional systems that support the confidentiality of the institutional data under their care.
| Confidentiality Level | Description | Consequences of Unauthorized Disclosure | Examples |
| --- | --- | --- | --- |
| Level A: Confidential Institutional Data | Institutional data that is meant for a very limited distribution—available only to members of the Tufts community on a strictly need-to-know basis. This institutional data includes, but is not limited to, personally identifiable information (name plus social security number, state ID number, financial account number) or protected health information. Tufts is usually, but not always, required to protect this information by law or contract. | Some of the consequences may include: violation of people’s privacy, reputational and financial loss, and legal sanctions for Tufts. | Payroll records, personnel files, compensation data, tenure and promotions files, financial aid records, student records, accounts payable records, vulnerability and audit reports, protected health information, any documents with nonpublic personal information, any information unauthorized individuals can use to steal identities or financial resources. |
| Level B: | Institutional data that is meant for a limited distribution; available only to members of the Tufts community that need the institutional data to support their work. This institutional data derives its value for Tufts in part from not being publicly disclosed. | Some of the consequences may include: reputational and financial loss, a hindrance to productivity, or a competitive disadvantage for Tufts. | Internal memos and emails, planning documents, logs, audit trails, research notes documenting the development of a patentable invention. |
| Level C: | Institutional data that is meant for members of the Tufts community and in some cases wide and open distribution to the public at large. This institutional data does not contain confidential information. | Some of the consequences may include: violating licenses, loss of access to subscription resources, or a financial loss for Tufts. | Limited to Tufts Community: licensed library resources, licensed software. Wide and Open Distribution: publications, press releases, information posted on and meant for open websites. |
Integrity
All information owners, managers, and custodians are responsible for maintaining the integrity of the institutional data under their care, ensuring that the data is complete and unaltered in all essential respects. Information managers and custodians are responsible for implementing and operating institutional systems that support the integrity of the institutional data under their care.
Availability
All information owners, managers, and custodians are responsible for maintaining the availability of the institutional data under their care to persons who are permitted to use such data, ensuring the data is retrievable, deliverable, and understandable. Information managers and custodians are responsible for implementing and operating institutional systems that support the availability of the institutional data under their care.
Policy Violation
Depending on the circumstances, and in management’s sole discretion, members of the Tufts community who violate this policy may be denied access to institutional data and systems, and may be subject to other penalties and disciplinary action, both within and outside of the University. The University may refer suspected violations of applicable law to appropriate law enforcement agencies.
Review Entities
Information Stewardship Committee
Information Technology Advisory Council
Information Technology Leadership Forum
University Library Council
Institutional Compliance Executive Committee
Approval Date
September 15, 2011
Effective Date
September 20, 2011
Executive Sponsor
David Kahle, Vice President for Information Technology and Chief Information Officer
Policy Managers
University Information Technology
Digital Collections and Archives
University Counsel
Responsible Offices
- University Information Technology
- Digital Collections and Archives
- University Counsel