5.23.2 Data Security Classification

Responsible Position

Chief Information Officer

RELATED ITEMS

Minnesota State Board Policy

Minnesota State System Procedure

Minnesota Statutes Chapter 13, Minnesota Government Data Practices Act

PROCEDURES

Purpose

This procedure establishes data security classifications for Alexandria Technical and Community College institutional data, data ownership, custodianship, and user roles and responsibilities. To protect the security and confidentiality of Alexandria Technical and Community College data and to comply with applicable Minnesota State board policy and local policy, as well as state and federal laws and regulations, all institutional data must be classified with the appropriate security classification.

 

Applicability

This procedure applies to all institutional data, wherever located, regardless of media type or format (electronic, paper, or other physical form), and to all uses of that data. This procedure and associated operating instructions establish minimum requirements for classifying institutional data.

Nothing in this procedure shall be interpreted to expand, diminish, or alter academic freedom, articulated under Minnesota State board policy and collective bargaining agreements, or the terms of any charter establishing a system library as a community or public library.

 

Definitions

For purposes of this procedure, the following definitions apply:

Data custodian

The data custodian is appointed by the data owner to assign the security classifications for institutional data and ensuring that the appropriate controls are implemented.

Data owner

An individual with authority and accountability for specified information (e.g., a specific business function) or type of institutional data. Included in this authority is the ability to grant and deny access to data or portions of institutional data under his or her authority. This individual shall assign responsibility to the appropriate data custodian(s) to ensure the protection of institutional data. The data owner is typically in a senior or high-level leadership position. There may be more than one data owner, depending on the authority and accountability for specified information (e.g., a specific business function) or type of institutional data.

Institutional data

Data collected, manipulated, stored, reported, or presented in any format, on any medium, by any unit of the college that are created, received, or maintained by the institution.

Not public data

“Not public data” are any data classified by statute, federal law, or temporary classification as confidential, private, nonpublic, or protected nonpublic as defined in the Minnesota Government Data Practices Act (MGDPA) or equivalent classification in any other relevant state or federal statute or regulation.

 

Procedures

Authorizing administrators are expected to implement and oversee this procedure for business-related purposes in accordance with Minnesota State board policy, other applicable system procedures and law.

Data security classification

All institutional data must be classified in one of the following security classifications:

  1. Highly restricted: Institutional data that are not public data (1) the disclosure of which may compromise a person’s identity in financial transactions; or (2) which by law, regulation, or contract requires high-level security controls; or (3) when the loss of confidentiality could cause significant personal or institutional harm.
  2. Restricted: Not public data that are not classified as highly restricted.
  3. Low: Institutional data that by law are available to the public upon request.
Data security classification roles and responsibilities
  1. Data owners:
    1. The ATCC president shall designate a data owner for all departments and/or administrative units that collect, create, or maintain institutional data. Data owners may assign administrative responsibilities to data custodians in regards to management of data under their control. The president shall have ultimate responsibility for data practices compliance at ATCC.
    2. The data owner shall maintain an inventory of private and confidential data sufficient to ensure compliance with Minn. Stat. § 13.025, subd. 1. The data owner shall ensure implementation of appropriate security controls to limit access to institutional data classified as highly restricted or restricted to those individuals whose work responsibilities require access.
  2. Data custodians: Data custodians are appointed by the data owner and shall work at the direction of the data owners to assign the appropriate data security classification to institutional data and identify to the data owner the appropriate information security controls. Data custodians must also communicate the data security classifications to affected groups and individuals.
  3. Data users:
    Data users shall access or use highly restricted or restricted data only for business purposes that reasonably require access and follow all applicable laws and policies, procedures, and operating instructions related to data classification and access.
Data reclassification

The data custodian shall reevaluate the classification of institutional data to ensure the assigned classification remains appropriate based on changes to legal and contractual obligations. The data custodian will determine what frequency is most appropriate based on available resources. If at any time a data custodian determines that the data has changed such that it warrants reclassification, an analysis of existing security controls must be performed and controls changed if necessary.

Disputes
Disputes as to the classification of institutional data must be referred to the appropriate administrator at ATCC. The ATCC Chief Information Officer, working with Minnesota State legal counsel, may be called upon to make a final determination in any data classification dispute.

Related ATCC Documents:

 

Approved by: Leadership Council

Effective Date: 7/20/2022

Next Review Date: July 2025

Archive: