As part of Data Governance, CCA seeks to classify all of our data according to sensitivity and level of risk. Classification of data helps inform decisions and policies around data management and data sharing.

Below is a preliminary set of classification levels. The Data Stewards will continue to develop a comprehensive set of data classification standards and guidance for how to apply those standards over the coming months.

Data that is intended for public access or widely distributed within CCA. The loss of confidentiality, integrity, or availability of the data would have minimal to no adverse impact on the mission of CCA, or the safety, finances, or reputation of CCA and our staff, faculty and students.

Examples:

• Directory information for employees (e.g. name, title, work contact information)
• Directory information for students, unless the student has requested to not be included in directory (e.g. name, class level, program enrolled, degrees earned)
• Public websites
• Course listings and pre-requisites
• Policy and procedure manuals (unless designated as private)
• Job postings
• Facilities information
• Enrollment statistics

Data that is intended for release only on a need-to-know basis, including personal information not otherwise classified as low or high risk, and data protected or restricted by contract, grant, or other agreement terms and conditions. The loss of confidentiality, integrity, or availability of moderate risk data would have moderate impact on the mission of CCA, or the safety, finances, or reputation of CCA and our staff, faculty and students.

Examples:

• FERPA-protected student records (e.g. student ID, transcripts, financial aid records)
• Student admission applications
• Staff and faculty personnel records (e.g. employee ID, salary information, personnel files, benefits, personal contact and demographic information)
• Date of birth
• Licensed software/software license keys
• Non-public CCA policies and policy manuals
• Non-public contracts
• CCA internal memos and email, non-public reports, budgets, plans, financial info
• CCA student faculty and employee ID numbers
• Engineering, design, and operational information regarding CCA infrastructure
• Donor contact information and non-public gift information

Data for which protection is required by law/regulation. CCA is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed. The loss of confidentiality, integrity, or availability of high risk data could have a significant adverse impact on CCA's mission, or the safety, finances, or reputation of CCA or our staff, faculty or students.

Examples:

• Social security number
• Driver's license number, California identification number
• Financial account numbers, credit or debit card numbers and
• Account security codes, access codes, or passwords
• Personal medical information
• Personal health insurance information, including policy ID numbers
• Passport and visa numbers