Data Classification Levels

Sensitive Data

For purposes of the Data Classification Policy and other Information Security Policies, Sensitive Data includes, but are not limited to:

Personally Identifiable Information (PII): any information about an individual that

(a) can be used to distinguish or trace an individual’s identity, such as name, date, and place of birth, mother’s maiden name, or biometric records,

(b) is linked or linkable to an individual, such as medical, educational, financial, and employment information, which if lost, compromised, or disclosed without authorization, could result in harm to that individual and

A non-exhaustive list of PII is any information concerning a natural person that can be used to identify such natural person, such as name, Jenzabar ID number, Moravian NetID, email address, personal mark, or other identifiers, in combination with any one or more of the following:

Password
Social security number / national identification number
Driver’s license number or non-driver identification card number
Vehicle registration plate number or title number
Visa permit number
Passport number
Bank account number
Credit or debit card number
Human resources information, such as salary and employee benefits information
Non-public personal and financial data about donors
Law enforcement or court records and confidential investigation records
Citizen or immigration status
Device identifier and serial number
Web Universal Resource Locator (URL)
Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people
Web cookies
Personal characteristics, including x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry)
Any other unique identifying number, characteristic, code, or combination that allows identification of an individual

Protected Health Information (PHI): any information processed, transmitted, or stored by a Covered Entity or Business Associate that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for health care and:

(a) identifies the individual or

(b) for which there is a reasonable basis to believe that the information can be used to identify the individual. The University’s Legal Counsel, Health Center Coordinator, VP of Human Resources, VP of Student Life, and Director of Information Security are responsible for determining whether particular information maintained or disclosed by Moravian constitutes PHI.

Examples of PHI include, but are not limited to, any health information about an individual, in combination with any one or more of the following:

Name
Geographic subdivision smaller than a state
Any element of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, or date of death
Telephone number
Fax number
Electronic mail address
Social security number
Medical record number
Health plan beneficiary number
Account number
Certificate/License number
Vehicle identifier and serial number, including license plate number
Device identifier and serial number
Web Universal Resource Locator (URL)
Internet Protocol (IP) address number
Biometric identifier, including finger and voiceprint
Any other unique identifying number, characteristic, code, or combination that allows identification of an individual

Gramm-Leach-Bliley Act (GLBA): Title IV of the Higher Education Act of 1965 (the HEA, reauthorized and amended by the Higher Education Opportunity Act of 2008, the HEOA) covers the administration of the United States federal student financial aid programs. This includes personal financial information held by financial institutions and higher education organizations as related to student loan and financial aid applications.

Examples of GLBA include, but are not limited to, any personally identifiable information combination with:

FAFSA/ISIR Data
Financial Aid Award Information
Any/all personal or financial information/documents used to verify FAFSA data and/or administer financial aid programs
Loan information
Payment history

Human Subjects Research - research where the researcher (the investigator) observes, interacts, obtains, or creates data that would be considered private. Almost all Human Subjects Research has risk collecting private data, which is or can be linked to Personal Identifying Information.

https://www.moravian.edu/hsirb

Confidential Data

For purposes of the Data Classification Policy and other Information Security Policies, Confidential Data include, but are not limited to:

FERPA - Student education records that are directly related to prior, current, and prospective University students and maintained by Moravian or an entity acting on Moravian’s behalf, but not including (a) “directory information,” such as a student’s name, address, degrees and awards, subject to certain requirements as specified in FERPA and the University’s FERPA policies or (b) such records disclosed to school officials with legitimate educational interests or to organizations conducting certain studies on Moravian’s behalf.

Grades
Course enrollments
Applicant financial and household information
Financial aid eligibility and award amounts

Unpublished research data (non-human subjects research)
Nonpublic intellectual property, including invention disclosures and patent applications
Externally funded research subject to confidentiality requirements
Information received under grants and contracts subject to confidentiality requirements.

Additionally, confidential data includes information pertaining to University operational planning, technical operations, or operational security, including but not limited to:

Unpublished University financial information, strategic plans, and real estate or facility development plans
Information on information technology systems configurations
Information on facilities security systems, including electronic and manual security system operational and configuration documentation

Private Data

Any information that is not contractually protected as confidential or restricted by law or by contract and any other information that is considered by the University as not appropriate for public disclosure.

By default, all Institutional Data that is not explicitly classified as Sensitive, Confidential, or Public data should be treated as Private data.

For purposes of the Data Classification Policy and other Information Security Policies, Private Data include, but are not limited to:

Internal operating procedures and operational manuals
Internal memoranda, emails, reports, and other documents
Facilities technical documents such as floor plans and building systems documentation (non-security systems)

Public Data

For purposes of the Data Classification Policy and other Information Security Policies, Public Data include, but are not limited to:

General access data on sanctioned Moravian-affiliated websites and applications
University financial statements and other reports filed with federal or state governments and generally available to the public
Copyrighted materials that are publicly available
Directory information under FERPA
- Name, local and permanent address, and phone number
- Jenzabar ID number
- Email address
- Major field of study
- Dates of attendance
- Degrees, honors, and awards received
- Participation in officially recognized activities and sports
- Weight and height of members of athletic teams
- The most recent previous educational agency or institution attended by the student
- Enrollment status (undergraduate, graduate, freshman, part-time, full-time)