Data Classification Policy
Overview
School Data includes information generated by, owned by, or otherwise managed by The Seattle School that is related to the School’s educational, administrative, and operational activities. School Data encompasses all academic and operational data, as well as the computing infrastructure and program code that supports the business of The Seattle School.
This policy defines three categories into which all School Data can be classified:
- Public
- Internal
- Restricted
School Data classified as Public may be disclosed to any person regardless of their affiliation with the School. All other School Data is considered Sensitive Information and must be protected appropriately. This document provides definitions and examples for each of the three categories. Additional policies within our Data Protection Standards specify the security controls required for each data category.
The various departments at The Seattle School handle diverse types of documents and data. For documents or data types not explicitly addressed in this policy, each department should classify its data by considering the potential harm to individuals or the School in the event of unintended disclosure, modification, or loss. Departments should be particularly mindful of protecting sensitive personal information, such as financial account numbers or personal life stories collected for therapeutic purposes, disclosure of which may violate privacy or create other risks. The Information Technology department may assist with the classification process to ensure consistency across the School.
The Seattle School is committed to complying with all relevant data protection regulations, including the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLB), and the General Data Protection Regulation (GDPR). This policy aims to support these compliance efforts while protecting the privacy and security of our school community.
Classification Levels
Public
Public data is information that may be freely shared with the general public without any adverse impact on the school or individuals. While the integrity of this data should be maintained, no special measures are required to protect its confidentiality.
Examples of Public data include: press releases, directory information (not subject to a Family Educational Rights and Privacy Act (FERPA) block), course catalogs, public event information, contact information for the School, and other general information that is openly shared. The type of information a department would choose to post on its website is a good example of Public data.
Internal
Internal data is information intended for use within The Seattle School of Theology & Psychology. While not strictly confidential, this data is potentially sensitive and should not be shared outside the school community without appropriate authorization.
Examples of Internal data include: internal memos and correspondence, meeting minutes, operational procedures and documentation, student applications, employment applications, personnel files, and contact lists that contain information that is not publicly available.
Restricted
Restricted data is highly sensitive information that requires the strongest safeguards. Unauthorized access, disclosure, or loss of this data could have severe adverse effects on the school, its students, or employees. This classification also includes data that the School is required to keep confidential, either by law or under a confidentiality agreement with a third party, such as a vendor. Confidential data should be used only when necessary for business and should be protected both when in use and when being stored or transported.
Restricted data should be used only when no alternative exists and must be carefully protected. Any unauthorized disclosure, unauthorized modification, or loss of Restricted Use data must be reported to the Information Technology Department via help@theseattleschool.edu.
Examples of Restricted data include:
- Student records protected by the Family Educational Rights and Privacy Act (FERPA), including demographics and academic records.
- Personally identifiable information (PII) entrusted to our care that is not otherwise categorized as Restricted Use data, such as information regarding applicants, alumni, donors, potential donors, or parents of current or former students, and information covered by the European Union’s General Data Protection Regulation (GDPR).
- Financial information protected by the Gramm-Leach-Bliley Act (GLB), including tuition transactions and financial aid data.
- Individual employment information, including salary, benefits and performance appraisals for current, former, and prospective employees.
- Information related to personal life stories collected for therapeutic purposes.
- Information that is the subject of a confidentiality agreement.
- Login credentials and passwords.