Quick Takes
- All institutional data must be classified by sensitivity and handled according to its classification level.
- Higher sensitivity data requires stronger protections such as encryption, access controls, and restricted sharing.
- Personal Data (PD) and Sensitive Personal Data (sPD) have legal and contractual protection requirements.
- When in doubt, treat data as Internal Use or higher and apply appropriate safeguards.
- Classification determines how data can be stored, transmitted, shared, and destroyed.
1. Purpose
The purpose of the Data Classification & Handling Guidelines is to ensure that institutional information is protected according to its sensitivity and regulatory requirements. Classification guides the selection of security controls to prevent unauthorized disclosure, loss, or misuse of data and to ensure compliance with legal, regulatory, and contractual obligations.
2. Scope
These guidelines apply to all information created, received, stored, processed, or transmitted by SVC, including data handled by employees, contractors, and third parties. The guidelines cover all formats and systems, including electronic, paper, cloud, mobile devices, and physical media.
3. Key Requirements
Data Classification
- All information must be classified based on sensitivity and intended audience.
- When combining data, the most restrictive classification applies.
- Unclassified data must be treated as at least Internal Use.
- All data must be assigned one of seven classification levels: CUI-Restricted, Sensitive Personal Data (sPD) Restricted, Personal Data (PD) Restricted, Restricted, Confidential, Internal Use, or Public. See Examples in the attached document.
Data Handling Controls
- Use encryption, access controls, and physical protections appropriate to the classification level.
- Restrict access to sensitive data on a need-to-know basis.
- Apply stricter requirements for transmission, storage, mobile devices, email, and external sharing for higher-risk data.
- Label sensitive documents and systems with classification markings.
- Destroy or sanitize data and storage media according to classification-specific requirements.
Personal Data Protection
- Protect PD and sPD according to privacy notices, regulatory requirements, and contractual obligations.
- Limit collection, storage, and use of personal data to authorized purposes only.
4. Roles & Responsibilities
All Users
- Classify and handle data according to its sensitivity level.
- Protect sensitive and personal data from unauthorized access or disclosure.
- Follow approved storage, transmission, and destruction procedures.
Data Owners / Asset Owners
- Determine appropriate classification levels and approve access and sharing.
- Ensure appropriate security controls are applied for classified information.
IT and Security Personnel
- Implement technical and physical safeguards required for each classification level.
- Enforce encryption, access controls, logging, and secure transmission mechanisms.
- Support secure data disposal and media sanitization processes.
Third Parties
- Comply with contractual data protection requirements and NDAs before accessing non-public data.
6. Authority
All computer systems at Skagit Valley College are state property. Even if you are using your personal device, by connecting to the Wi-Fi, to Canvas, or to any other system provided by the College, you are using state property. State law requires everyone who uses state property to follow certain laws. Here is the chain of authority governing the College's IT policies: