In today’s data-driven world, managing information securely and efficiently is critical. These guides are designed to help you understand best practices for classifying and handling data across our institution. Whether you're dealing with sensitive personal information, proprietary college data, or public records, following the right procedures can ensure compliance, mitigate risks, and safeguard privacy.

Learn how to categorize data properly, apply appropriate security measures, and comply with regulations. By following these guidelines, you'll help maintain the integrity of your organization’s data and contribute to a culture of responsible information management.

Quick Reference Guide: Data Classifications with Administrative Examples

CLASSIFICATION

Level 1: Information intended and released for public use.
The College intentionally provides this information to the public.

Level 2: Information that may be shared only within the Trinity community.
The College keeps this information private, but its disclosure would not cause material harm.

Level 3: Confidential and sensitive information intended only for those with a “business need to know.”
Disclosure of this information beyond intended recipients might cause material harm to individuals or the College.

Level 4: High-risk information that requires strict controls.
Disclosure of this information beyond specified recipients would likely cause serious harm to individuals or the College.

Examples (Level 1)

  • Published research
  • Course catalogs
  • Published faculty and staff information
  • Student directory information*
  • Basic emergency response plans (life safety)
  • College-wide policies
  • Trinity publications
  • Press releases
  • Published marketing materials
  • Regulatory and legal filings
  • Published annual reports
  • Code contributed to Open Source
  • Released patents
  • Plans of public spaces

 

*Directory information about students who have requested FERPA blocks must be classified and handled as Level 3, at minimum.

Examples (Level 2)

  • Department policies and procedures
  • Employee web/intranet portals
  • Trinity training materials
  • Pre-release articles
  • Drafts of research papers
  • Work papers
  • Patent applications
  • Grant applications
  • Non-public building plans or layouts (excluding L3 or L4 items)
  • Information about the physical plant (excluding L3 or L4 items)
  • Non-sensitive administrative survey data

Examples (Level 3)

  • Non-directory student information
  • Non-published faculty and staff information
  • HUID tied to an individual
  • Personnel records
  • Donor information (excluding L4 data points or special handling)
  • Non-public legal work and litigation information
  • Budget/financial transactions information
  • Non-public financial statements
  • Information specified as confidential by vendor contracts and NDAs
  • Information specified as confidential by Data Use Agreements
  • General security findings or reports (e.g., SSAE16)
  • Most Trinity source code
  • Non-security technical specifications/architecture schema
  • Library/museum object valuations
  • IRB records
  • Sensitive administrative survey data, such as performance reviews or course feedback, especially if free text response is permitted.

Examples (Level 4)

  • Passwords and PINs
  • System credentials
  • Private encryption keys
  • Government-issued identifiers (e.g., Social Security Number, Passport number, driver’s license)
  • Individually identifiable financial account information (e.g., bank account, credit or debit card numbers)
  • Individually identifiable health or medical information*
  • Individually identifiable research data
  • Details of significant security exposures at Trinity (e.g., vulnerability assessment and penetration test results)
  • Security system procedures and architectures
  • Trade secrets
  • Systems managing critical Operational Technology

*Trinity business units or programs that qualify as “covered entities” under the Health Insurance Portability and Accountability Act (HIPAA) must comply with HIPAA’s data security rules.

  • Know the policies: The full Data Classification Standard can be found here, and additional policies are at https://www.trincoll.edu/policies/
  • Seek Guidance: If you have any questions or concerns regarding this policy or are aware of any items that may not comply, please get in touch with your manager for guidance.
  • Exercise Discretion: The lists above are intended as examples and should not be considered definitive classifications. Please rely on your good judgment when assessing compliance.

Quick Reference Guide: Data Handling Reference Guide

HANDLING

Activity by Data Level

Printing
  • Level 2: Do not leave unattended on copiers/printers
  • Level 3: Do not leave unattended on copiers/printers
  • Level 4: Send to the printer using Trinity’s ID swipe printing system. Swipe your ID at the machine to print.

Mailing paper-based info
  • Level 2: Put it in a closed mailing envelope/box and send it via Interoffice or US mail.
  • Level 3: Put it in a sealed envelope/box and send it via interoffice or US mail.
  • Level 4: Put in a sealed envelope or box and send via FedEx/UPS/USPS mail with tracking/delivery confirmation where feasible.

Storing electronic files on work or personal computer (including portable devices)
  • Level 2: Devices must have current patches, encryption, and remote wiping.
  • Level 3: Trinity College-provided devices must be in compliance. Have anti-virus, current patches, encryption, and remote wiping.
  • Level 4: Never copy/store L4 data onto your work or personal computer. Data should remain within Trinity’s secure, managed, encrypted storage location.

Storing files on external portable storage media
  • Level 2: No specific requirements
  • Level 3: USB sticks, CDs/DVDs, backup tapes, etc. must be encrypted and password protected.
  • Level 4: USB sticks, CDs/DVDs, backup tapes, etc. must be encrypted and password protected.

Sharing files with authorized individuals
  • Level 2: Use approved collaboration tools and share with specific individuals, not anonymous or guest links.
  • Level 3: Use approved collaboration tools and share with specific individuals, not anonymous or guest links.
  • Level 4: Use only security-cleared L4 SharePoint or network locations to share files with named individuals.

Sending data/files to authorized individuals
  • Level 2: Use email and send it only to those authorized to view it.
  • Level 3: Encrypt data when transmitting it both internally and externally: Use a School-supported Secure File Transfer method (e.g., OneDrive, SharePoint, etc.). On website forms, use HTTPS.
  • Level 4: Encrypt data when transmitting internally and externally: Use a College-supported Secure File Transfer method (e.g., L4 SharePoint). On website forms, use HTTPS.

Engaging vendors to store/process data
  • Level 2: Written contracts are strongly recommended.
  • Level 3: Ensure the written college contract includes appropriate technology addendums or rider(s).
  • Level 4: Engage LITS for a review and include Trinity’s Technology addendum in the vendor/hosting agreement.

Deleting electronic files
  • Level 2: Use standard Delete/“X” commands and empty trash bin.
  • Level 3: Use standard Delete/“X” commands and empty trash bin.
  • Level 4: Use a secure overwrite or removal tool.

 

How to dispose of/recycle paper:

  • L1 Data only for single-stream recycling
  • L2-L4 Data to be shredded and recycled

How to dispose of devices:

  • Shred CD/DVDs
  • Contact local IT Support for pick-up or drop-off: they will remove data and recycle

Revision Date: 01/29/2025