Data Handling Standards

Classification LabelPublicInternalRestricted
Confidentiality Low Moderate High
Description All university data acceptable for public consumption. All data used for conducting university business that is not meant for distribution beyond the university. All university data is considered "Internal" until classified otherwise. All university data for which an unauthorized disclosure may result in identity theft or university liability for costs or damages, under laws, government regulations or contract.
Electronic data (server, desktop workstation, laptop, USB drive, handheld, etc.)  
  • Not publically accessible
Non-electronic data (paper documents, white or black boards, photographs, etc.)  
  • Secure location with appropriate physical controls
  • Data owner's approval
  • Secure location with appropriate physical controls
  • Labeled at data owner's discretion
Campus Mail    
  • Secured and labeled at data owner's discretion
External Mail      
Telephone (POTS)      
Other Electronic Transmission (internal and external* e-mail, file transfers, VoIP, etc.)    
  • Encryption required
Electronic data
  • Delete
  • Delete
  • Redact
Non-electronic data
  • Recycle
  • Redact
  • Shred with cross-cut shredder
  • Redact
  • Shred with cross-cut shredder (see Virginia Administrative CodeNote: Although you may not have a cross-cut shredder, as long as the shredded records are pulped or incinerated, it meets the requirements of the regulations that Social Security Numbers in the records be made, "...unreadable or undecipherable by any means."

*External e-mail containing Social Security Numbers (SSN) and/or Credit Card Numbers (CCN) are prohibited.

Revised and approved by CIO, May 2, 2011.
Revised and approved by CIO, September 2, 2011.