Protection Level Classification Guide
The Standard for Information and System Classification specifies that all New School Institutional Information and IT Resources must be assigned one of four Protection Levels. The level is based on the potential harm resulting from unauthorized access, disclosure, loss of privacy, compromised integrity, or violation of external obligations: PL-4 requires the highest level of protection and PL-1 a minimal level of protection. The process outlined in the standard provides guidance on determining Protection Levels.
Data Owners and Application Owners, with the support of the Information Security and Privacy Office, are responsible for determining the Protection Level for Institutional Information and IT Resources under their area of responsibility.
Caution: Be careful when classifying information. Over-classification may result in additional cost and compliance requirements. Under-classification may result in inadequate protections that could lead to data breaches.
Data Owners and Application Owners can refer to the charts below to determine appropriate Protection Levels. If the Institutional Information or IT Resource in question is not included in these charts, consult with the Information Security and Privacy office for guidance.
Protection Level PL-4 – High
| INSTITUTIONAL INFORMATION TYPE | JUSTIFICATION |
|---|---|
| Attorney-Client Privileged Information | legal protection (NY CPLR 4503, Fed. R. Evid. 502) |
| Attorney Work Product | legal protection (Fed. R. Civ. P. 26(b)(3)) |
| Bank and other financial account numbers | data breach notification laws |
| Cryptographic materials (private keys, symmetric keys, signing certificates, etc.) | operational integrity |
| Controlled Unclassified Information (CUI) | government contract |
| Credit/debit card cardholder information | PCI DSS |
| Disability information or other medical information collected from students to provide services | Americans with Disabilities Act, FERPA |
| Driver’s license numbers and state identification card numbers | data breach notification laws |
| Electronic or digital signatures | operational integrity |
| Employee medical and benefits records | HIPAA, Americans with Disabilities Act |
| Financial aid information (FAFSA, student loans, grants, payment history, etc.) | GLBA |
| Human Subject Research data with individual identifiers | Common Rule |
| Information with contractual requirements for PL-4-level protection | contract |
| Passwords, PINs, and other authentication secrets that can be used to access PL-2, PL-3, or PL-4 information or to manage IT Resources | operational integrity |
| Payroll information | expectation of privacy |
| Personnel files—confidential documentation (“Central HR”-accessible only) | expectation of privacy |
| Personal Financial Information (PFI) | GLBA, data breach notification laws |
| Protected Health Information (PHI) | HIPAA |
| Research information classified as PL-4 by the IRB or otherwise required to be stored or processed in a high-security environment | academic integrity |
| Safran Center (Clinical Psychology) therapy session notes and recordings | NY state law (NY MHY 33.13), psychologist-patient privilege (NY CPLR 4507) |
| Social Security Numbers and Individual Taxpayer Identification Numbers | NY 26 GBS 399-ddd, GLBA, HIPAA, data breach notification laws |
| Special Categories of Personal Data | GDPR |
Caution: Records that are subject to a litigation hold (“Notice to Hold,” “Notice to Preserve,” etc.) do not necessarily qualify as attorney-client privileged information. Consult with the Office of the General Counsel to determine if a higher Protection Level is required when specific records are subject to a litigation hold. At no time may the Protection Level be lowered.
Protection Level PL-3 – Moderate
| INSTITUTIONAL INFORMATION TYPE | JUSTIFICATION |
|---|---|
| Anonymous donor information | expectation of privacy |
| Certain types of federal data (Pre-CUI) | FISMA |
| Directory Information of students who have filed a disclosure withholding request | FERPA |
| Donor information (except name, amount, designation) | expectation of privacy |
| Education Records (except Directory Information) | FERPA |
| Exam questions and answers | academic integrity |
| Information disclosed to or created by the University Ombuds | expectation of privacy |
| IT security information, exception requests, and network/system security plans | operational integrity |
| Library transaction records | expectation of privacy |
| N-numbers (regardless of student / employee / alumni status) | FERPA, GDPR |
| Passport and visa numbers | expectation of privacy |
| Personal Data / Personally Identifiable Information not otherwise classified as PL-4 | federal and state privacy laws and regulations, GDPR |
| Personnel files—job-related documentation (accessible to HR Partners, managers, and supervisors) | expectation of privacy |
| Research information classified as PL-3 by the IRB or otherwise required to be stored or processed in a high-security environment | academic integrity |
| University financial and accounting information | operational integrity |
Protection Level PL-2 – Low
| INSTITUTIONAL INFORMATION TYPE | JUSTIFICATION |
|---|---|
| Building plans and information about the university physical plant | operational integrity |
| Directory Information of students who have not filed a disclosure withholding request | FERPA |
| Detailed annual budget information | operational integrity |
| Invoices and internal billing | operational integrity |
| Internal operating procedures of the university that do not contain PL-3 or PL-4 information | operational integrity |
| Research using publicly available data | academic integrity |
| Routine business records and email that do not contain PL-3 or PL-4 information | operational integrity |
| Unpublished research work and intellectual property not classified as PL-3 or PL-4 | academic integrity |
| Vendor contracts | operational integrity |
Protection Level PL-1 – Minimal
| INSTITUTIONAL INFORMATION TYPE | JUSTIFICATION |
|---|---|
| Biographical information published by faculty and staff members | intended for public use |
| Campus brochures | intended for public use |
| Campus maps | intended for public use |
| Course catalogs | intended for public use |
| Curricula vitae | intended for public use |
| Published research | intended for public use |
| Student policies and handbooks | intended for public use |
| University blog posts (official) | intended for public use |
| University calendars (academic, public events, etc.) | intended for public use |
| University directory (faculty and staff) information | intended for public use |
| University press releases | intended for public use |
| University publications | intended for public use |
| University social media postings (official) | intended for public use |
| University websites (official) | intended for public use |
References
Document history
| Date | Author | Description |
|---|---|---|
| Jun 2020 | D. Curry | |
Parts of this guideline are adapted from the University of California’s classification framework, coordinated by Robert Smith, the contents of which are used with permission.