Data Classification Policy
Last Updated: December 2, 2020
The first step in establishing the safeguards that are required for a particular type of PCMR Data is to determine the level of sensitivity applicable to such Data. Data classification is a method of assigning such levels and thereby determining the extent to which the PCMR Data need to be controlled and secured.
The effective date of this Policy is December 2, 2020.
Data security measures must be implemented commensurate with the sensitivity of PCMR Data and the risk to PCMR if such Data is compromised. It is the responsibility of the applicable Data Owner to evaluate and classify PCMR Data for which he/she is responsible according to the classification system adopted by PCMR and described below. If PCMR Data of more than one level of sensitivity exists in the same System or Endpoint, such Data shall be classified at the highest level of sensitivity.
PCMR has adopted the following four classifications of PCMR Data:
1. Sensitive Data: any information protected by federal, state, or local laws and regulations or industry standards, such as HIPAA, FERPA, PCI-DSS, and other similar laws and regulations.
For purposes of this Policy and other Information Security Policies, Sensitive Data include, but are not limited to, Personally Identifiable Information as defined below:
Personally Identifiable Information or PII: any information about an individual that (1) can be used to distinguish or trace an individual's identity, such as name, date and place of birth, mother's maiden name or biometric records, (2) is linked or linkable to an individual, such as medical, educational, financial, and employment information, which, if lost, compromised or disclosed without authorization, could result in harm to that individual, and (3) is protected by federal, state or local laws and regulations or industry standards.
2. Confidential Data: any information that is protected as confidential by law or by contract and any other information that is considered by PCMR appropriate for confidential treatment.
For purposes of this Policy and the other Information Security Policies, Confidential Data include, but are not limited to:
Human resources information, such as salary and employee benefits information
Non-public personal and financial data about donors
Information received under grants and contracts subject to confidentiality requirements
Law enforcement or court records and confidential investigation records
Citizenship or immigration status
Unpublished research data
Unpublished financial information, strategic plans and real estate or facility development plans
Information on facilities security systems
Nonpublic intellectual property, including invention disclosures and patent applications
Applicant financial information
3. Internal Data: any information that is proprietary or produced only for use by members of PCMR or the customer who have a legitimate purpose to access such data.
For purposes of this Policy and the other Information Security Policies, Internal Data include, but are not limited to:
Internal operating procedures and operational manuals
Internal memoranda, emails, reports, and other documents
Technical documents such as system configurations and floor plans
4. Public Data: any information that may or must be made available to the general public, with no legal restrictions on its access or use.
For purposes of this Policy and other Information Security Policies, Public Data include, but are not limited to:
General access data on or client's website
Documents and reports filed with federal or state governments and generally available to the public
Copyrighted materials that are publicly available