Data Labeling Guide

Governance: 

By applying consistent labels, WSU can gain insight into what type of data we possess, how it is used and where it is stored. This will help stakeholders make decisions about data handling, access controls and data lifecycle management. 

Risk: 

Labeling helps identify and prioritize sensitive information for protection and access control. Limiting unauthorized access and assisting with data loss prevention. 

Compliance: 

Document labeling supports compliance efforts by ensuring that sensitive information is handled in accordance with applicable laws, regulations and standards such as FERPA, HIPPA, ITAR, PCI-DSS  among others. 

Technical Requirements 

• WSU connected device or application (i.e. Outlook for mobile) 

• Microsoft Office 2019 or later 

WSU Data Policy

WSU PUBLIC 

WSU Public Data generally has a very low sensitivity, but it still warrants protection since the integrity and protection of the data can be important. WSU Public Data is explicitly or implicitly approved for distribution to the public without restriction. Examples of WSU Public Data include, but are not limited to, the following:

Examples:

• Information provided on the University's public website;
• Information approved for release by the Registrar's Office that has been deemed "Directory Information," as defined by the University in accordance with the Family Educational Rights and Privacy Act (FERPA);
• Course descriptions;
• Semester course schedules; or
• Press releases and openly accessible publications.

 

WSU PRIVATE 

WSU Private Data is information that has low to moderate sensitivity and that is intended for internal University business use only, with access restricted to a specific workgroup, department, group of individuals, or affiliates with a legitimate need to use or access the information. Unauthorized disclosure could adversely impact the University, Controlled Affiliate Organizations, third parties, or individuals. Examples of WSU Private Data include, but are not limited to, the following:

INTERNAL USE ONLY 

WSU Private data that should only be sent internal to the organization to WSU personnel. (Cannot be shared externally) 

 

Examples: 

• Financial accounting data that does not also contain WSU Restricted Data;
• Departmental intranet;
• Information technology transaction logs;
• MyWSU ID;
• Information security logs;
• Directory information for students, faculty, and staff who have requested non-disclosure, such as students opting out under FERPA; or
• Non-directory information or student records that are protected under FERPA, which includes information that is directly related to a student and maintained by an educational institution or by a party acting for the agency or institution.

 

WSU RESTRICTED 

WSU Restricted Data is highly sensitive information maintained, collected, or recorded by WSU that is intended for limited, specific use by a workgroup, department, group of individuals, or third party (typically pursuant to a contract or agreement) with a legitimate need to use or access the data. Explicit authorization by the designated Data Owner is required for access to WSU Restricted Data because of legal, contractual, privacy, or other constraints. Unauthorized disclosure could have a serious adverse impact on the business or research functions of the University, affiliates, or external parties and violate the personal privacy of individuals, federal or state laws and regulations, or contractual obligations of the University. Examples of WSU Restricted Data include, but are not limited to, the following:

Sensitive Personally Identifiable Information (SPII)

There are two classes of SPII. The first class includes SPII that is sensitive regardless of whether any other identifier is paired with it ("Stand-Alone"). The second class of SPII becomes sensitive when it is combined with other types of Personally Identifiable Information (PII). The following are examples of each type of SPII:

Stand-Alone SPII:

1. 1. Social Security, driver's license, state ID, alien registration, or passport numbers;
   2. Financial Account Number or credit/debit card numbers;
   3. Identifiable Genetic Information and Biometric Identifiers;
   4. Data of a known child (less than 13 years of age); or Federal Tax Information

SPII when paired with other PII (such as a name or identification number):

• 1. Medical Records (personal health information not covered under HIPAA; identifiable FERPA treatment records);
  2. Citizenship or immigration status;
  3. Racial or ethnic origin;
  4. Religious or philosophical beliefs;
  5. Sexual orientation;
  6. Criminal records;
  7. Employment records;
  8. Date of birth;
  9. Precise geolocation or Internet Protocol addresses (IP addresses);
  10. Last four digits of Social Security Number;
  11. Mother's maiden name;
  12. Union Membership;
  13. Text Messages (unless the business holding them is the intended recipient of the text message); or
  14. Videos, audio, or pictures of a person taken when the person would have an expectation of privacy (i.e., treatment videos taken in a clinic, etc.).
• Protected Health Information (PHI) (including Designated Record Sets) held by Covered Entities or researchers at WSU;
• Controlled Unclassified Information (CUI);
• Information or data classified as "For Official Use Only" (FOUO);
• Information or data subject to federal export control regulations; or
• Facilities and Technology Control Plans

INTERNAL USE ONLY 

WSU Restricted information that should only be sent internal to the organization to WSU personnel. (Cannot be shared externally) 

 

 Effect:

• Emails with any WSU RESTRICTED label applied will be encrypted 

WSU PROPRIETARY 

Proprietary Data is either (1) University Data provided to a third party or (2) third-party data created, received, and/or maintained by the University on behalf of a third party such as an individual, corporation, or government agency. Proprietary Data will vary depending on contractual agreements and/or relevant laws or regulations. 

INTERNAL USE ONLY 

WSU Proprietary information that should only be sent internal to the organization to WSU personnel. (Cannot be shared externally) 

 

Examples: 

• Research Data 
  
  

Effect: 

• Emails with any WSU PROPRIETARY label applied will be encrypted 

Document Labeling 

Options to apply a sensitivity label to a document: 

1. Selecting the Sensitivity dropdown from the Ribbon and selecting a label  

 

 

2.Selecting the ‘Select a Label’ option at the top of the document, and then choosing a label. This will also appear when a document is saved without a label applied. 

 

 

 

• Selecting a label will automatically mark the document or e-mail with that label’s header and footer.  

 

Options to apply a sensitivity label to an email: 

1. Selecting the Sensitivity dropdown from the Ribbon and selecting a label 

2.Using the ‘Select a Label’ option next to the subject line 

3. Clicking ‘Send’ on an email that does not contain a label 

Sending an Encrypted Email Message  

Encrypting emails is a good step in ensuring that WSU data is not viewed or accessed by unintended parties. 

To encrypt an email message, select any WSU Restricted label or any label with a padlock symbol over the shield icon. 

Users who receive an encrypted email outside of the organization will be prompted to authenticate with their own email account or receive a one-time passcode in order to authenticate. This link will only be accessible for 30 days from the time the email was sent. 

Additional labels exist for those users and departments that have specific compliance needs.  

If you handle the type of information highlighted below, please send an email to AskInfoSec@Wichita.edu so that we may supply you with more descriptive labels.