Skip to main content

Boise State University Using Data Classification Labels

Purpose

Data classification labels are critical to the effective management and protection of information based on its sensitivity and the potential impact of disclosure. These labels enable the University to systematically categorize documents, ensuring appropriate handling, safeguarding, and compliance with applicable regulations. This document serves to guide members of the Boise State community in the proper use of data classification labels and to articulate their significance.

The data covered by these guidelines include any type of Protected Information as defined in the Boise State Information Privacy and Data Security Policy (Policy 8060).

Why to use data classification labels

  • Data Security: Classification labels help safeguard sensitive information by preventing unauthorized access and reducing the risk of data breaches.
  • Compliance: Labels support adherence to applicable legal, contractual, and regulatory requirements.
  • Risk Management: Proper classification enables the timely identification and mitigation of risks associated with data exposure.
  • Efficient Data Management: Labels enhance document organization and retrieval, supporting effective management of large volumes of information.

Understanding the classification labels

  • Restricted Data is sensitive data intended for limited, specific use and must be protected as specifically guided by law (e.g., HIPAA, FERPA, Sarbanes-Oxley, Gramm-Leach-Bliley), industry regulation (PCI-DSS), government controls (CUI, ECI, FISMA, CDI), Non-Disclosure Agreements (NDA) in the research and creative activity space, or University rules and regulations. This is the most sensitive Data of the university and must be safeguarded in accordance with its individual requirements (i.e., some Restricted Data require more rigorous controls than other Restricted Data).
  • Confidential Data is intended for limited University business use only, with access restricted to personnel with a legitimate need, even though that need may constitute a small group (e.g., only designated security personnel) or a large group (e.g., all student advisors or all faculty). This classification also includes Data that is not subject to public disclosure and that the University is required to keep confidential per legal agreements, policies, third party agreements such as a vendor contracts and MOUs
  • Internal Data is information used for official University business and must be safeguarded due to proprietary, ethical, or privacy considerations and protected from unauthorized Access, modification, transmission, storage, or other use. This Data is not intended to be shared with the public; however, it is generally releasable in accordance with the Idaho Public Records Act. This Data includes potentially sensitive information and applicable privacy laws will be considered before release of Data.
  • Public information not classified as Restricted, Confidential, or Internal and carries a (Low) security risk and is not required to be secured.

For information on how to classify data, please reference the Boise State Data Use Guidelines.

Adding a data classification label to an open document

  1. Open the document you wish to label in Google Docs, Sheets, or Slides.
  2. From the top menu, select “File” and then choose “Labels”.
  3. A document details should appear.
  4. You may then choose the appropriate label (Restricted, Confidential, Internal, or Public).
Image of Data Classification Label Options

Adding a data classification label without opening the file

  1. From Google Drive, right click any document, select “Labels” and then “View labels”.
  2. From there, select the appropriate label for your document.

Further Information on Data Sensitivity and Classification

Data types not specified in Boise State Information Privacy and Data Security Policy (Policy 8060) or other policies should be evaluated on a case-by-case basis. If unauthorized access or disclosure of data could cause financial or reputational harm to an individual or Boise State, DO NOT post or store such data to web-based applications or services.
Questions about whether certain data should or should not be stored on specific web-based applications, services or systems, should be directed to the Chief Information Security Officer at CISO@boisestate.edu or (208) 426-4127.