Data Governance

Information that may be freely disclosed to anyone without causing harm to Lewis-Clark State College, its students, or employees.

Examples:

• Course catalog, academic calendar, campus map
• Public press releases, marketing materials, social media posts
• Published research articles and abstracts
• Directory information (when a student has not requested suppression)

Institutional information not intended for general public release. Unauthorized disclosure would cause minimal risk but could hamper operations or create confusion.

Examples:

• Draft policies and meeting minutes
• Departmental budgets, purchase requisitions, and vendor quotes (pre-award)
• Building floor plans, internal phone lists
• Non-public statistical reports, device inventory exports
• Organizational charts containing degree levels, years of service

Data protected by law, contract, or College policy where unauthorized disclosure could harm individuals or the institution, lead to regulatory penalties, or damage reputation.

Examples:

• Student birthdates
• Student directory information for those who have opted for privacy
• Donor profiles, gift agreements, alumni records containing contact details
• Research data covered by non-disclosure agreements or involving human subjects
• Student demographic information

Information subject to strict federal or state regulation (FERPA, GLBA, PCI-DSS, etc.). Loss or exposure could cause severe harm, identity theft, or significant fines.

Examples:

• Social Security numbers, driver's license / passport numbers, full tax IDs
• Credit card data, bank account or routing numbers, payroll direct deposit files
• Financial aid records (student IRS data, FAFSA details)
• FERPA-protected records: grades, transcripts, class rosters
• Employee personnel files, performance evaluations, background checks

LC State will be implementing automatic encryption for all data labeled as Level 3 (Confidential) and Level 4 (Restricted). This means:

• Documents labeled as Level 3 or 4 will be automatically encrypted to protect them from unauthorized access
• If a document containing Level 3 or 4 data is mislabeled as Level 2, it will not receive this critical encryption protection
•  Proper labeling ensures that sensitive information receives the security controls it requires

As we roll out Microsoft Copilot and other AI-powered productivity tools, data classification will determine what information these tools can access:

• Copilot will be restricted from accessing Level 3 and Level 4 data to protect sensitive information
• If sensitive data is incorrectly labeled as Level 1 or 2, it could inadvertently become accessible to AI tools
• Correct labeling ensures we can use AI tools safely while protecting confidential information

• Many data types (FERPA records, financial information, personal identifiers) are protected by federal and state laws
• Proper classification helps ensure we're meeting our legal obligations
• Accurate labeling reduces the risk of data breaches and the associated financial and reputational costs

A list of examples can be found here.

Start with the people who know your work best:

• Co-workers: Colleagues working with similar data may have already encountered and resolved the same question
• Your supervisor: Your immediate supervisor often has broader context about data handling requirements
• Department director: Directors can provide guidance on departmental data practices and policies

If your department team is unsure or if the situation is complex, reach out to the Data Working Group. They're here to help with challenging classification decisions and can provide authoritative guidance.

• When uncertain between two levels, temporarily use the higher classification until you get clarification
• Don't delay labeling—apply your best judgment and seek guidance promptly
• Keep a record of classification questions that come up repeatedly so they can be addressed in training or policy updates

This is the more serious risk. When you label sensitive data at a lower level than it should be:

• Lack of encryption: Documents containing Level 3 or Level 4 data that are mislabeled as Level 2 or 1 will not be encrypted, leaving sensitive information vulnerable to unauthorized access
• Inappropriate AI access: Confidential or restricted data mislabeled as Level 1 or 2 could become accessible to Microsoft Copilot, potentially exposing sensitive information
• Compliance violations: Failing to properly protect regulated data (FERPA, GLBA, etc.) could result in regulatory penalties, legal liability, and damage to LC State's reputation
• Data breaches: Inadequately protected sensitive data is at higher risk of being compromised in a security incident

While less risky from a security standpoint, over-classification can create operational challenges:

• Restricted collaboration: Over-classified data may be harder to share with appropriate colleagues, slowing down work (for example, when committee materials cannot be easily shared with all members)
• Reduced efficiency: Public or internal documents labeled as confidential may be unnecessarily excluded from productivity tools that could help you work more effectively
• Classification fatigue: If everything is labeled as highly sensitive, it becomes harder to identify what truly needs extra protection