Acceptable Use of Information Technology - Data Classification, Handling, Security, and Ownership
All members of Pierce College District (herein after referred to as "District") encounter data with varying levels of sensitivity. Each user must evaluate and follow the different requirements based on the types and sensitivity levels of information before using, transporting, or sending District data. Users are governed by both internal and external agency guidelines and requirements for compliance purposes.
Systems and services, both internally and externally, have different security, copyright, ownership, and privacy practices. It is the responsibility of each user to understand the different levels of data classifications for the various data and how to appropriately use District data within systems and services.
1. Data Classification and Requirements
The District IT department uses the data classifications outlined in the Washington Technology Service Data Classification Standard (SEC-08-01-S) as listed below:
Category 1 – Public Information
Public information is information that can be safely transferred electronically and released to the public. It does not need protection from unauthorized disclosure.
Public Information data includes the mission/vision/values of an agency, information related to obtaining services, staff phone numbers and work email addresses, budget information, and FERPA “directory information” designated by the District as FERPA information at level 1.
Use, transport, and electronic transfer of data in this classification is not restricted.
Category 2 – Sensitive Information (subject to Public Disclosure)
Sensitive information may not be specifically protected from disclosure by law and is for official internal use. Sensitive information is generally not released to the public unless specifically requested.
Specific examples include, but are not limited to:
- Certain personnel records – e.g., misconduct records subject to public disclosure
- Public Employee Financial information, but not salaries as this is public information
- Employee Identification Number (EMPLID)
Sensitive data should not be used, transported, or electronically transferred outside the District network electronically (e.g. email, electronic messaging systems, text messaging, etc.) unless password protected or on password protected media. You must be specifically authorized to transfer such data outside the District. Transfer inside the District network is allowed.
Category 3 – Confidential Information (exempt from Public Disclosure)
Confidential information is information that is specifically protected from disclosure by law. It may include but is not limited to:
- Personal information as defined in RCW 42.56.590 and RCW 19.255.010.
- Information about public employees as defined in RCW 42.56.250.
- Lists of individuals for commercial purposes as defined in RCW 42.56.070(8)
Information about the infrastructure and security of computer and telecommunication networks as defined in RCW 42.56.420. Confidential data can be transferred internally, with appropriate care – e.g., marked in email as confidential or private, or via secure network folders where everyone with access is authorized to see the data. Confidential data may only be used, transported, or electronically transferred outside the District if password protected or on password protected media. You must be specifically authorized to transfer such data outside the District.
Specific examples include, but are not limited to:
- Personnel records. – e.g., Evaluations
- Employee personal Information – e.g., home address, home email, home phone
- Student identification numbers
- Student email addresses
Note: Student email, personal email, or District Microsoft Office 365 email is not considered internal transfer.
Category 4 – Confidential Information Requiring Special Handling (exempt from Public Disclosure and other legal protections)
Confidential information requiring special handling is information that is specifically protected from disclosure by law and for which:
- Especially strict handling requirements are dictated, such as by statutes, regulations, agreements, or other external compliance mandates. Serious consequences could arise from unauthorized disclosure, such as threats to health and safety, or legal sanctions.
Confidential Information Requiring Special Handling can be transferred internally, with appropriate care – e.g., marked in email as confidential or private, or via secure network folders where everyone with access is authorized to see the data. It is highly recommended that the storage of category 4 data within the District network be password protected. Confidential data may only be used, transported, or electronically transferred outside the District if password protected or on password protected media and you must be specifically authorized by the Vice President for Technology and Infrastructure or their designee.
Specific examples include, but are not limited to:
- Banking/Financial Account information, Credit Card Numbers
- Employee and Student Social Security Number
- Date of birth
- Academic records of matriculated students
- Educational records protected by FERPA
- Medical Records, including psychological/counseling records
2. Data Handling Guidelines
2.1 All categories of Data shall be stored in as few places as possible and duplicated only when necessary.
2.2 Protected data must be stored on District network shares or District managed file stores (e.g. OneDrive, SharePoint, Teams) only. Exceptions must be approved in writing by the Vice President for Technology and Infrastructure or their designee.
2.3 Identify and inventory the data under your control that is external to District managed systems. Know where you have data and in what form (electronic, paper, etc.). Purge or delete data files in a timely manner consistent with the Washington State Records Retention schedules. Data on your system, network drives, portable media (e.g. thumb drives, external drives), etc., should be reviewed and purged/archived, properly and securely destroyed, or moved to a more secure location.
2.4 Do not save or copy protected data to local systems, network drives, or storage locations, unless such data is not available on the centralized systems. If you must store data on the local system, network drives, or storage locations, it is your responsibility to ensure your system is secure and/or ensure that only authorized individuals have access.
2.5 Do not use shared network drive(s) to store or exchange data internally or externally unless you are certain that the access to those shared drive resources is restricted to individuals authorized to access such data.
2.6 Social Security numbers and personal financial information must not be sent to any recipient via any unsecure message system. This prohibition includes email, voicemail, text messages, and electronic messaging systems to other District employees. Exceptions must be approved in writing by the Vice President for Technology and Infrastructure, or their designee.
2.7 Under no circumstances should credit card numbers be collected and stored on portable data storage devices, digital media, or paper media. Processing credit card numbers should be done via secure methods, which authorize or deny the transaction in real time. Exceptions must be approved in writing by the Vice President for Fiscal Services or their designee.
2.8 Transmission of any sensitive data must be encrypted. Websites using protocols such HTTPS or SSL are encrypted sites. Virtual Private Network (VPN), SFTP, or any other means of transferring files, and data must use secure industry standard versions of these protocols.
2.9 Users may transfer sensitive District data only with written authorization from Vice President for Technology and Infrastructure or their designee. If approved, such files must be password protected or assembled in password protected folders to safeguard materials on District-owned portable data storage devices
2.10 If a laptop is the user's primary system, any sensitive data transferred to the system for use in day-to-day operations; the data must be stored on District managed storage or on encrypted devices.
2.11 Fax transmissions over telephone lines are secure if appropriate safeguards exist when faxing sensitive information –i.e., make sure the fax recipient number is correct and call the recipient and verify they are ready to receive and prevent the fax from being left unsecured.
2.12 Users should exercise care, when approved, to send or transfer any sensitive or confidential information. In the case of email, it is recommended you add the following privacy notice to the bottom of any email that contains confidential information:
“Email Electronic Privacy Notice: This e-mail, and any attachments, contains information that is, or may be, covered by electronic communications privacy laws, and is also confidential and proprietary in nature. If you are not the intended recipient, please be advised that you are legally prohibited from retaining, using, copying, distributing, or otherwise disclosing this information in any manner. Instead, please reply to the sender that you have received this communication in error, and then immediately delete it. Thank you in advance for your cooperation.”
3. Data Breach Handling Guidelines
3.1 All breaches, compromises, or unauthorized/unexplained access of protected sensitive or confidential data (Category 2, 3 & 4) must be reported immediately to the Vice President for Technology and Infrastructure or Director for Information Security directly, or via contacting the Help Desk.
3.2 All breaches of sensitive or confidential data are reported to the District Risk Manager.
4. Data Ownership
The state of Washington owns all District information technology, including all systems, applications, files, and communications created using District-provided equipment or services, or stored on a District computer, network server, cloud service or external storage, with the exception noted below. Data files created while conducting official business at the District must not be altered, damaged, or erased without authorization or in accordance with the Washington State Record Retention schedule.
4.1 Any saved files or data created while conducting District business, whether generated using District-owned or personally owned software, may be District intellectual property as work for hire.