Glossary

This glossary defines the special terms used in The New School’s information security and privacy policies, standards, and guidelines. When used in these documents, special terms will be Capitalized and underlined, signifying that they have special meaning.

If a term is not capitalized and underlined, not defined in this glossary, and not defined in the specific document in which it is used, then the industry normative definition and understanding of that term should be assumed.

Anonymization

A data management and de-identification procedure by which Personal Data is irreversibly altered in such a way that a Data Subject can no longer be identified directly or indirectly, either by the Data Controller alone or in collaboration with any other party. Anonymization is the process of either encrypting or removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous. Anonymized data can never be restored to its original state.

See also Pseudonymization.

Application Owner

An individual identified with and widely recognized to have primary authority and decision responsibility over a particular computer system or software application. Typically the senior-level executive or manager of a university organizational unit with primary responsibility for the unit’s business processes that are supported by the system or application. The Application Owner is an individual, not a group, department, or committee. This individual may delegate tasks.

Note: The New School’s IT Resources are considered institutional assets and are ultimately owned by the university. The term “Application Owner” does not imply ownership in a legal sense.

Attorney-Client Privileged Information

Confidential communications between an attorney and client made for the purpose of obtaining or providing legal advice.

Attorney Work Product

Written or oral materials prepared by or for an attorney in the course of legal representation, especially in preparation for litigation.

Availability Level

A Classification representing the degree to which Institutional Information and IT Resources must be accessible and usable by the Workforce Members and business processes that depend on them.

The scale goes from the minimum level of availability (AL-1) to the highest level of availability (AL-4) and is based on how severely the university’s business operations would be impacted if the information or resource were unavailable.

See the Standard for Information and System Classification for definitions of each Availability Level. See the Availability Level Classification Guide for examples.

Cardholder Data

Information related to credit, debit, or other payment cards. Handling of this data is governed by the Payment Card Industry Data Security Standard (PCI DSS), which establishes strict requirements around the collection and storage of this information.

At a minimum, Cardholder Data consists of the full primary account number. Cardholder data may also appear in the form of the full primary account number plus any of the following:

• Cardholder name
• Expiration date
• Service code

PCI DSS establishes strict requirements around the collection and storage of Cardholder Data. Other information, including card validation codes/values, full track data (from the magnetic stripe or equivalent on a chip), PINs, and PIN blocks, is considered “sensitive authentication data” that may be transmitted or processed (but not stored) as part of a payment transaction.

Note: New School organizational units may not request, accept, or process Cardholder Data (or credit card transactions in general) without prior approval from the Office of Finance and Business and the Information Security and Privacy Office.

Classification

Classification, in the context of information security, is the process of categorizing Institutional Information and IT Resources based on their sensitivity and criticality, and the potential impact to the university should their confidentiality, integrity, or availability be compromised. The process is typically driven by legal, regulatory, academic, financial, and operational requirements.

The New School assigns two classifications to each asset: a Protection Level and an Availability Level. These classifications help determine the baseline security controls that should be implemented to safeguard the asset.

See the Standard for Information and System Classification for details of how classifications for Institutional Information and IT Resources are determined.

Contingent Worker

A term used at The New School to identify individuals who are not employees, students, or alumni, but nonetheless must be accounted for, usually for purposes of granting access to buildings and/or technology systems. These individuals may perform services for or on behalf of The New School, but if they are compensated for such services, compensation is by means other than payroll. Contingent Workers include:

• Board members
• Consultants/contractors
• Emeritus professors
• Friend/families/donors (category not currently in use)
• Non-US affiliates (Parsons Paris faculty, etc.)
• Retirees (category not currently in use)
• Unregistered students (category not currently in use)
• Visiting faulty/scholars
• Visitors

Contingent Workers are included in the definition of Workforce Member.

Common Rule

See Federal Policy for the Protection of Human Subjects.

Controlled Unclassified Information

Controlled Unclassified Information (CUI), as defined by Executive Order 13556 (2010), is federal non-classified information that must be safeguarded by implementing a uniform set of requirements and information security controls directed at securing sensitive government information.

CUI requirements do not apply directly to non-federal entities, but can flow down when New School research projects receive, possess or create such information for or on behalf of the U.S. government under the terms of a contract, grant, or other agreement. It is important that researchers review grant and contract language closely to identify CUI or other information security requirements.

Examples

• CUI Registry Categories
• Controlled technical information with military or space application
• Protected critical energy infrastructure information, including nuclear reactors and materials
• Export control information or materials
• Geodetic and geospatial information related to imagery intelligence

Credit Card Data

See Cardholder Data.

CUI

See Controlled Unclassified Information.

Data Controller

A Data Controller determines the purposes for which and the means by which Personal Data will be Processed. An organization is a Data Controller if it decides:

• To collect Personal Data from individuals, and what data to collect
• Where and how to use the data, and for what purpose(s)
• Whether to change or modify the data it collects
• Whether to keep the data in-house or share it with third parties (and which third parties to share it with)
• How long the data will be kept, and when to dispose of it

Data Controllers will frequently Process the Personal Data they collect in-house using their own processes. But in some cases, they may need to work with a third-party service provider to perform the Processing. However, in most of these cases, the Data Controller will not relinquish control of the data to the third party. Rather, the Data Controller will specify (usually by means of a contract) how the Personal Data may and may not be used by the third party. Third parties that Process Personal Data on behalf of a Data Controller are called Data Processors.

In some instances, an organization can be both a Data Controller and a Data Processor. For example, suppose The New School’s website collects email addresses and other personal data provided by visitors for sales and marketing purposes. All the data collected is then sent to Marketing, Inc. for use in email marketing, search engine optimization, and social media campaigns. If The New School provides the data as well as specific instructions on how to use the data to perform the marketing functions, then The New School is the Data Controller and Marketing, Inc. is the Data Processor. However, if The New School only provides the data and leaves the decisions about how to use the data to perform the marketing functions to Marketing, Inc., then The New School and Marketing, Inc. are both Data Controllers, and Marketing, Inc. is also a Data Processor.

Data Owner

An individual identified with and widely recognized to have primary authority and decision responsibility over a particular collection of Institutional Information. Typically the senior-level executive or manager of a university organizational unit with primary responsibility for the unit’s business processes through which Institutional Information is received, created, stored, handled, or discarded. The Data Owner is an individual, not a group, department, or committee. This individual may delegate tasks.

Note: The New School’s Institutional Information is considered an institutional asset and is ultimately owned by the university. The term “Data Owner” does not imply ownership in a legal sense.

Data Processing

See Processing.

Data Processor

A Data Processor Processes Personal Data according to the specific instructions (usually set forth in a contract) of a Data Controller. The Data Processor does not own the data, nor does it have any authority to change the purposes for which or means by which Personal Data is Processed. An organization is a Data Processor if it performs any of the following at the direction of a Data Controller:

• Develop processes and systems to enable the Data Controller to collect Personal Data
• Use tools and techniques to collect Personal Data for the Data Controller
• Store Personal Data collected by the Data Controller
• Implement security measures to safeguard Personal Data
• Transfer Personal Data between the Data Controller and another organization

In some instances, an organization can be both a Data Processor and a Data Controller. For example, suppose The New School hires Analytics, Inc. to provide custom analysis of its student body. The university sends the company a copy of all its students’ Personal Data, and then each time an analysis is needed, Analytics, Inc. will use its expertise to determine which data are needed to conduct the analysis and produce a report. In this case, The New School and Analytics, Inc. are both Data Controllers, and Analytics, Inc. is also a Data Processor.

Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) is a privacy-related impact assessment whose objective is to help identify and minimize the risks to Personal Data arising from a project, initiative, system, or business process. A DPIA must be performed for Processing that is likely to result in a high risk to individuals. It must describe the nature, scope, context, and purposes of the Processing; assess necessity, proportionality, and compliance measures; identify and assess risks to individuals; and identify any additional measures to mitigate those risks.

Data Subject

An individual who is the subject of Personal Data. For example, The New School holds Personal Data about students, employees, and alumni, making each of those individuals a Data Subject.

Directory Information

Directory Information is information contained in the Education Records of a student that would not generally be considered harmful or an invasion of privacy if disclosed. The New School may disclose Directory Information to third parties without the consent of the student unless the student has filed a Request to Withhold Disclosure of Directory Information with the Office of the Registrar.

The New School has designated the following as Directory Information:

• Student name
• Major field of study
• Dates of attendance
• Full-time or part-time enrollment status
• Year level
• Degrees and awards received, including naming to the Dean’s List
• The most recent previous educational agency or institution attended
• Addresses, phone numbers, photographs, and email addresses
• Date and place of birth

DPIA

See Data Protection Impact Assessment.

Education Records

Records that contain information directly related to a student and are maintained by an educational institution or by a party acting for the institution. Examples are enrollment and grade records, applications for university scholarships, financial aid records, bursar records, and information contained in the student information system.

Education Records do not include sole possession documents (such as personal notes or “memory joggers” created and maintained by individual faculty or staff), law enforcement records, employment records where employment is not tied to student status, medical records, and records containing information about an individual that are created after they are no longer a student at the institution (i.e., alumni records).

Education records can exist in any medium, including typed copy, computer-generated copy, videotape, audiotape, film, microfilm, microfiche, and email, among others.

The privacy of Education Records is governed by the Family Educational Rights and Privacy Act (FERPA).

Family Educational Rights and Privacy Act

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student Education Records. It grants students the right to access their own educational records as well as limiting, for privacy reasons, the release of those same records to anyone other than the student and/or the student’s designee. FERPA applies to all current and former students of the university.

Federal Policy for the Protection of Human Subjects

The Federal Policy for the Protection of Human Subjects (the “Common Rule”) is a rule of ethics regarding biomedical and behavioral research involving human subjects in the United States. The Common Rule is the baseline standard of ethics by which any government-funded research in the US is held; nearly all academic institutions hold their researchers to these statements of rights regardless of funding.

FERPA

See Family Educational Rights and Privacy Act.

Federal Information Security Management Act

The Federal Information Security Management Act (FISMA) requires federal agencies and those providing services on their behalf to develop, document, and implement security programs for information technology systems and store the data on U.S. soil. This means that, under some federal contracts or grants, information the university collects or information systems that the university uses to process or store research data need to comply with FISMA.

Whether data is regulated by FISMA is typically called out in a Request for Proposal (RFP) or in contract or grant language. It is important that researchers review grant and contract language closely to identify FISMA or other information security requirements.

Examples

Examples of research work that might be regulated by FISMA include research in which data is provided by federal organizations such as:

• Department of Veterans Affairs
• National Institutes of Health
• National Aeronautics and Space Administration (NASA)

FISMA

See Federal Information Security Management Act.

Functional Account

An account that can be accessed by multiple individuals within a department or organizational unit to allow them to appear as a single business entity or to accomplish a single shared function (e.g., registrar, advising, hrhelp, itcentral). These accounts are manually created in Active Directory and, when email access is required, Google. They are manually “attached” to a responsible person within the identity and access management system to track ownership and allow for password management. Historically, The New School IT organization has referred to these as “non-person accounts.”

GDPR

See General Data Protection Regulation.

General Data Protection Regulation

Regulation (EU) 2016/679 of the European Parliament and the Council of the European Union of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC (General Data Protection Regulation). Adopted April 27, 2016. Effective May 25, 2018.

The General Data Protection Regulation (GDPR) standardizes data protection law across all 28 European Union (EU) countries, superseding the European Union Data Protection Directive 95/46/EC. The GDPR aims primarily to give control to individuals over their Personal Data and contains provisions and requirements relating to the Processing of that information.

Controllers of Personal Data must put in place appropriate technical and organizational measures to implement the data protection principles of the regulation. Business processes that handle Personal Data must be designed and built with consideration of the principles and provide safeguards to protect data (for example, using Pseudonymization or full Anonymization where appropriate), and use the highest-possible privacy settings by default, so that the datasets are not publicly available without explicit, informed consent, and cannot be used to identify a Data Subject without additional information (which must be stored separately). No Personal Data may be Processed unless this processing is done under a lawful basis specified by the regulation, or unless the Data Controller or Processor has received an unambiguous and individualized affirmation of consent from the Data Subject. The Data Subject has the right to revoke this consent at any time.

GDPR applies to all organizations holding and Processing EU residents’ Personal Data, regardless of geographic location. If an organization offers goods or services to, or monitors the behavior of EU residents, it must meet GDPR compliance requirements.

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions—companies that offer consumers financial products or services like loans, financial or investment advice, or insurance—to explain their information-sharing practices to their customers and to safeguard sensitive data. At The New School, Student Financial Services is subject to GLBA regulations because it processes student financial information associated with financial aid (student loans, grants, etc.).

Examples

New School information subject to GLBA includes:

• Student loan information
• Student financial aid grant information
• Payment history

GLBA

See Gramm-Leach-Bliley Act.

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) contains two parts relevant to information security and privacy:

1. The Privacy Rule requires healthcare providers and organizations, as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of Protected Health Information (PHI) when it is transferred, received, handled, or shared. This applies to all forms of PHI, including paper, oral, electronic, etc. Furthermore, only the minimum health information necessary to conduct business is to be used or shared.
2. The Security Rule operationalizes the Privacy Rule’s protections by addressing the technical and nontechnical safeguards that covered entities must put in place to secure individuals’ electronic PHI.

Although The New School is generally not subject to HIPAA, researchers should be aware that health and medical information about research subjects may be regulated by HIPAA.

HIPAA

See Health Insurance Portability and Accountability Act.

Human Subject Research

Human subject research data is regulated by the Federal Policy for the Protection of Human Subjects (also called the “Common Rule”). Among other requirements, the Common Rule mandates that researchers protect the privacy of subjects and maintain confidentiality of human subject data. A human subject is defined by federal regulations as a “living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information.” “Identifiable” means the information contains one or more data elements that can be combined with other reasonably available information to identify an individual (for example, Social Security Number, health care record). Personally identifiable data is sensitive if disclosure of such data would pose increased social/reputational, legal, employability, or insurability risk to subjects.

Examples

Sensitive identifiable information may include research data referring to

• Illegal behaviors
• Drug or alcohol abuse
• Sexual behavior
• Mental health or other sensitive health or genetic information

Any data collected under a National Institutes of Health (NIH) Certificate of Confidentiality is considered sensitive.

Information Security Incident

An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an IT Resource or the Institutional Information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of university security, privacy, or data protection policies, standards, or procedures, or acceptable use policies.

Common types of Information Security Incidents include:

• Unauthorized or accidental disclosure, modification, or deletion of Institutional Information
• Theft or loss of IT Resources containing Institutional Information
• Unauthorized access to university IT Resources
• Compromised user accounts (e.g., through phishing)
• Malicious software (malware) infections
• Denial of Service (DoS) attacks

See also Personal Data Breach.

Information Security Risk Assessment

An Information Security Risk Assessment (ISRA) is a security-related impact assessment whose objective is to help identify and minimize risks to the confidentiality, integrity, and availability of IT Resources and Institutional Information. The process identifies threats and vulnerabilities that apply to the information asset being assessed, determines the likelihood that each threat will actually materialize, and the potential impact if it does. This information is used to identify and implement security controls to mitigate the most serious risks, reducing the overall risk to an acceptable level.

Institutional Information

A term that broadly describes all data and information created, received, and/or collected by The New School. Institutional Information may exist in many forms, both electronic (e.g., computer hard drives and any removable and/or transportable digital memory medium, such as magnetic tape or disk, optical disc, “flash” drive, or digital memory card) and non-electronic (e.g., paper, photograph, microfilm, microfiche). It may be stored on university premises (e.g., in a file cabinet or data center) or off-site (e.g., in a paper records storage facility or a cloud computing provider’s data center).

Examples

• Employee personnel records or records pertaining to student enrollment, tuition, and grades
• Applications from prospective students or resumes of job applicants
• Emails sent and received pertaining to New School business
• Contracts with vendors, invoices, and internal billing records
• Official social media accounts and university-created content
• Minutes from committee meetings
• Privileged data in the Office of the General Counsel
• Instrument measurements from academic research, collected manually or electronically
• Activity log data from a server application or network device
• Electrical use data collected by a building automation system

ISPO

The New School Information Security and Privacy Office. The ISPO is responsible for developing, implementing, maintaining, and operating the New School Information Security and Privacy Program.

ISPP

The New School Information Security and Privacy Program. The ISPP has been established to promote a university-wide approach to implementing and managing information and information technology security and privacy in a manner that respects the privacy rights of individuals, ensures the confidentiality, integrity, and availability of information resources, and complies with applicable laws and regulations.

IT Resource

A term that includes all electronic equipment, facilities, technologies, and data used for information processing, transfer, storage, display, printing, and communications by The New School. These include, but are not limited to, computer hardware and software, computer labs, classroom technologies such as computer-based instructional management systems, and computing and electronic communications devices and services, modems, email, networks, telephones, voice mail, facsimile transmissions, video, multi-function printing devices, mobile computer devices, data, multimedia, and instructional materials. This definition also includes services that are owned, leased, operated, provided by, or otherwise connected to New School resources, such as cloud computing, Software-as-a-Service (SaaS), or any other connected/hosted service provided now or in the future.

Legal Basis

Whenever the university Processes Personal Data it must have a valid reason for doing so.

There are six legal bases for Processing Personal Data:

• consent
• performance of a contract
• compliance with a legal obligation
• vital interests (of the Data Subject)
• public interest
• legitimate interests (of the university)

Additional conditions apply to the Processing of Special Categories of Personal Data.

A full description of these legal bases together with examples for their use can be found in the Legal Basis for Data Processing Guide.

Non-Person Account

See Functional Account.

Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance Cardholder Data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit Cardholder Data and/or sensitive authentication data.

PCI DSS

See Payment Card Industry Data Security Standard.

Personal Data

A term that includes any information relating to an identified or identifiable natural person (Data Subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

An individual is “directly identifiable” if they can be identified solely from the information being processed. An individual is “indirectly identifiable” if they can be identified by combining the information being processed with other information The New School has (or can obtain from a third party). Similarly, a third party could use information The New School processes and combine it with other information available to them.

Information that is sufficient on its own to identify an individual includes a person’s full name, Social Security Number (or Individual Taxpayer Identification Number), email address containing the personal name, biometric identifiers (fingerprints, facial image, voice patterns, iris scan, hand geometry, or manual signature), and genetic information.

Other information that may be used to identify an individual includes a postal address, phone number, vehicle registration number, bibliographic citation of a publication by the individual, email address not in the form of the personal name, web address to a web page containing personal data, unusual job title, very rare disease, or position held by only one person at a time (e.g. chairperson in an organization). A rare event can also reveal the identity of an individual.

Indirect identifiers are the kind of information that on their own are not enough to identify someone but, when linked with other available information, could be used to deduce the identity of a person. Indirect identifiers include, for instance, age, gender, education, employment status, economic activity and occupational status, socio-economic status, household composition, income, marital status, languages spoken, ethnic background, place of work or study, and regional variables. Indirect identifiers relating to a person’s residence include, for example, postal code, neighborhood, city, and state.

Dates can also be indirect identifiers. Date of birth is the most common example, but dates of death and dates of newsworthy events may also be indirect identifiers when combined with other information. In health and medical research, treatment and sampling dates may also occasionally be indirect identifiers when linked to other information.

The term Personal Data comes from the European Union General Data Protection Regulation (and its relatives). In the United States, most privacy laws and regulations use the term Personally Identifiable Information (or a narrower term, such as Protected Health Information or Personal Financial Information). To avoid confusion and ensure that individuals’ privacy rights are properly protected, New School information security and privacy policies, standards, and guidelines will consider the term Personally Identifiable Information to be equivalent to Personal Data unless explicitly stated otherwise.

See the Categories of Personal Data Chart for a comprehensive list of direct and indirect identifiers.

See also Special Categories of Personal Data.

Personal Data Breach

An Information Security Incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise Processed.

Personal Financial Information

Used by many state data breach notification laws, and also associated with the Gramm-Leach-Bliley Act (which uses the term Nonpublic Personal Information (NPI)), Personal Financial Information (PFI) is any information that a consumer provides to a financial institution that would not be available publicly. It may also be called Personally Identifiable Financial Information (PIFI).

Examples

Depending on the specific law or regulation in question, Personal Financial Information usually refers to some combination of an individual’s:

• Social Security Number or Individual Taxpayer Identification Number
• Credit or debit card number
• Checking or savings account number
• Other personal financial account numbers (brokerage accounts, retirement accounts, etc.)
• Willingness to pay scores, risk scores, complexity scores, credit scores or any other scores, index or composite

Personally Identifiable Information

The US National Institute of Standards and Technology’s Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) defines Personally Identifiable Information (PII) as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

This definition is not universal, however. FERPA uses a definition that is similar to the above, but broader in scope, including not only information about the student, but also the student’s parents. On the other hand, some other federal privacy laws use terms with narrower scope such as HIPAA’s Protected Health Information or GLBA’s Personal Financial Information.

Most states’ data breach notification laws use the term “Personal Information,” usually defined as an individual’s name combined with one or more of the

• Social Security Number or Individual Taxpayer Identification Number
• Driver’s license or state identification number
• Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account

or something similar.

To avoid confusion and ensure that individuals’ privacy rights are properly protected, New School information security and privacy policies, standards, and guidelines will consider Personally Identifiable Information to be equivalent to Personal Data unless explicitly stated otherwise.

PFI

See Personal Financial Information.

PHI

See Protected Health Information.

PII

See Personally Identifiable Information.

Privileged Account

An account used to configure or significantly change the behavior of a computing system, device, application, or other aspect of the IT infrastructure. Privileged Accounts include, but are not limited to, the Windows Administrator account, the UNIX/Linux root account, application admin or administrator accounts, and device configuration accounts.

Information Technology Workforce Members often have a Privileged Account whose username is their User Account NetID prefaced with adm_. The “adm account” is used for privileged access on Linux (via the sudo command) and Windows (via membership in the Administrators or Domain Administrators groups).

Processing

Any operation or set of operations performed on data, manually or via automated methods, including (but not limited to):

• Collection
• Recording
• Storage and/or retrieval
• Consultation and/or use
• Alignment and/or combination
• Adaptation and/or alteration
• Organization and/or structuring
• Disclosure by transmission, dissemination, or otherwise making available
• Restriction
• Erasure or destruction

Profiling

Any form of automated processing of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Organizations obtain personal information about individuals from a variety of different sources. Internet searches, buying habits, lifestyle and behavior data gathered from mobile phones, social networks, video surveillance systems, and the Internet of Things are examples of the types of data organizations might collect. They analyze this information to classify people into different groups or sectors. This analysis identifies correlations between different behaviors and characteristics to create profiles for individuals. This profile will be new personal data about that individual.

Organizations use profiling to:

• find something out about individuals’ preferences;
• predict their behavior; and/or
• make decisions about them.

Profiling can use algorithms. An algorithm is a sequence of instructions or set of rules designed to complete a task or solve a problem. Profiling uses algorithms to find correlations between separate datasets. These algorithms can then be used to make a wide range of decisions, for example to predict behavior or to control access to a service. Artificial intelligence (AI) systems and machine learning are increasingly used to create and apply algorithms.

All of the following are considered types of profiling:

• collecting and analyzing personal data on a large scale, using algorithms, AI or machine-learning;
• identifying associations to build links between different behaviors and attributes;
• creating profiles that are applied to individuals; and
• predicting individuals’ behavior based on their assigned profiles.

Although many people think of marketing as being the most common reason for profiling, this is not the only application.

Protected Health Information

Protected Health Information (PHI) is regulated by the Health Insurance Portability and Accountability Act (HIPAA). PHI is individually identifiable health information that relates to the

• Past, present, or future physical or mental health or condition of an individual.
• Provision of health care to the individual by a covered entity (for example, hospital or doctor).
• Past, present, or future payment for the provision of health care to the individual.

Researchers should be aware that health and medical information about research subjects may also be regulated by HIPAA.

Examples

The following individually identifiable data elements, when combined with health information about that person, make such information Protected Health Information:

• Names
• Telephone numbers
• Fax numbers
• Email addresses
• Social Security Numbers
• Medical record numbers
• Health plan beneficiary numbers
• License plate numbers
• URLs
• Full-face photographic images
• Any other unique identifying number, characteristic, code, or combination that allows identification of an individual

Protection Level

A Classification representing the degree to which the confidentiality and integrity of Institutional Information and IT Resources must be protected.

The scale goes from the minimum level of protection (PL-1) to the highest level of protection (PL-4) and is based on the potential harm resulting from unauthorized access, disclosure, loss of privacy, compromised integrity, or violation of external obligations.

See the Standard for Information and System Classification for definitions of each Protection Level. See the Protection Level Classification Guide for examples.

Pseudonymization

A data management and de-identification procedure by which Personal Data is altered to make the data record less identifiable while remaining suitable for data analysis and data processing. Personal Data is separated from direct identifiers by replacing them with one or more artificial identifiers, or pseudonyms, so that linkage to an identity is no longer possible without the original direct identifier information, which is held separately. Pseudonymized data can be restored to its original state by reversing the process, which then allows individuals to be re-identified, while anonymized data can never be restored to its original state.

See also Anonymization.

Restriction of Processing

The marking of stored Personal Data with the aim of limiting Processing in the future.

Sanitization

A process that renders Institutional Information stored on physical or logical media inaccessible for a certain level of effort. Sanitization is typically performed on digital media before its disposal or release for reuse, to prevent unauthorized individuals from gaining access to and using the information contained on the media.

Sensitive

When used to describe Institutional Information or IT Resources, Sensitive refers to those assets assigned Protection Levels PL-3 and PL-4 collectively.

Service Account

An account created for use by an automated process or a software application rather than a person. Service Accounts can be used to run batch jobs, or to execute background services (Windows) or daemons (Linux) instead of running them from privileged accounts. Service Accounts are also used to give applications access to LDAP (Active Directory or Luminis); in this case the account name will normally begin with ldap_ followed by the name of the application.

Special Categories of Personal Data

Some privacy laws and regulations, including the GDPR, prohibit the Processing of Personal Data that reveals particularly sensitive information about a Data Subject, such as:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership

or any data in these categories:

• Genetic data
• Biometric data for the purpose of uniquely identifying a natural person
• Physical or mental health
• Sex life or sexual orientation

except under very specific circumstances.

User Account

An account that is assigned to, and under the control of, a single individual and not accessible by others. User accounts are automatically created (and removed) by the identity and access management system based on user roles. The account is identified by a NetID (username) that is unique to an individual, and is generally used to access all resources at The New School that the user is authorized to use.

Workforce Member

A faculty member, administrative employee, Contingent Worker, temporary employee, student worker, volunteer, or any other person working for The New School in any capacity or through any other augmentation of university staffing levels.