Data Security Classifications for IT Projects
SGA’s IT Board has adopted the following data security classifications from Harvard University’s Information Security Policy.
Information that is considered public.
- Research data that has been de-identified in accordance with applicable rules;
- Published research data; published information about Georgia Tech;
- Course catalogs;
- Directory information about students who have not requested a FERPA block;
- Faculty and staff directory information.
Level 2 is information the IT Board has chosen to keep confidential but the disclosure of which would not cause material harm.
Level 2 information includes unpublished research work and intellectual property not in Level 3 or 4. Level 2 also includes information classified as Level 2 by an Institutional Review Board (IRB).
- Patent applications and work papers
- Drafts of research papers
- Building plans
Level 3 information could cause risk of material harm to individuals, IT Board, SGA, or Georgia Tech if disclosed.
Level 3 information includes individually identifiable information which if disclosed could reasonably be expected to be damaging to reputation or to cause legal liability. Level 3 also includes research information classified as Level 3 by an Institutional Review Board (IRB).
- Information protected by the Family Educational Rights and Privacy Act (FERPA), to the extent such information is not covered under Level 4, including non-directory student information and directory information about students who have requested a FERPA block
- HUIDs when associated with names or any other information that could identify individuals;
- Georgia Tech personnel records
- Georgia Tech institutional financial records
- Individual donor information
- Other personal information protected under state, federal and foreign privacy laws and not classified in Level 4 or 5
Data use agreements, research consent forms and other contracts under which IT Board personnel receive confidential information from outside parties often state specific data use and protection requirements. IT Board personnel working with such information must comply with such requirements. Use of such information must also comply with the applicable IT Board data security requirements if the contract calls for lesser levels of protection than the IT Board rules.
Level 4 information would likely cause serious harm to individuals, IT Board, SGA, or Georgia Tech if disclosed.
Level 4 information includes High Risk Confidential Information (HRCI), as defined below, and research information classified as Level 4 by an Institutional Review Board (IRB). Level 4 also includes other individually identifiable information which if disclosed would likely cause risk of serious social, psychological, reputational, financial, legal or other harm to an individual or group.
“High Risk Confidential Information” means an individual’s name together with any of the following data about that individual: social security number, bank or other financial account numbers, credit or debit card numbers, driver’s license number, passport number, other government-issued identification numbers, biometric data, health and medical information, or data about the individual obtained through a research project.
- Individually identifiable financial or medical information
- Information commonly used to establish identity that is protected by state, federal or foreign privacy laws and regulations, such as Georgia law protecting personal information, and not classified in Level 5
- Individually identifiable genetic information that is not in Level 5
- National security information (subject to specific government requirements)
- Passwords and PINs that can be used to access confidential information.
Level 5 information would cause severe harm to individuals, IT Board, SGA, or Georgia Tech if disclosed.
Level 5 information includes individually identifiable information which if disclosed would create risk of criminal liability, loss of insurability or employability, or severe social, psychological, reputational, financial or other harm to an individual or group.
Level 5 includes research information classified as Level 5 by an Institutional Review Board (IRB).
- Information covered by a regulation or agreement that requires that data be stored or processed in a high security environment and on a computer not connected to the Georgia Tech data networks
- Information required to be handled in the same manner as Georgia Tech’s most sensitive data
- Certain individually identifiable medical records and identifiable genetic information categorized as extremely sensitive