Data Classification Policy

The purpose of this policy is to categorize, describe, and determine the level of protection required for various types of Nested Knowledge data.

Scope

Nested Knowledge Data: company data is information generated by or for, owned by, or otherwise in Nested Knowledge’s possession. Company data includes, but is not limited to, research data, business data, and computer programs.

Data Classification Policy

Nested Knowledge classifies data as public, internal, confidential, restricted-use, and sensitive. The precautions required before processing data depend on the data classification.

Public Data

Data classified as public may be disclosed to anyone, regardless of their affiliation with Nested Knowledge.

Internal Data

Internal data is information that is potentially sensitive and is not intended to be shared with the public. Internal data generally should not be disclosed outside of Nested Knowledge without the permission of the person or group that created the data.

Confidential Data

Confidential data is information that, if made available to unauthorized parties, may adversely affect individuals, partner organizations, or Nested Knowledge. This classification also includes data that Nested Knowledge is required to keep confidential, either by law (e.g., FERPA) or under a confidentiality agreement with a third party, such as a vendor. This information should be protected against unauthorized disclosure or modification. Confidential data should be used only when necessary for business purposes and should be protected both when it is in use and when it is being stored or transported.

Confidential information should be stored in secure, encrypted environments. Employees are prohibited from storing confidential information on their personal mobile devices. Employees may not share confidential information through unauthorized means, such as messaging via SMS or WhatsApp, posting on social media, or uploading to removable media. Any unauthorized disclosure or loss of confidential data must be reported to the Incident Response Team via email, Slack, phone (507-271-7051), or the incident report form.

Restricted-Use Data

Sensitive data includes any information that Nested Knowledge has a contractual, legal, or regulatory obligation to safeguard in the most stringent manner. In some cases, unauthorized disclosure or loss of this data would require Nested Knowledge to notify the affected individual and state or federal authorities. In some cases, modification of the data would require informing the affected individual. Nested Knowledge’s obligations will depend on the particular data and the relevant contract or laws. It may include:

  • Personally Identifiable Information (PII), including an individual’s name or driver’s license number.
  • Unencrypted data used to authenticate or authorize individuals to use electronic resources, such as passwords, keys, and other electronic tokens.

Nested Knowledge DOES NOT process any personal health information (PHI) or criminal background data.

Sensitive Personal Data

Potential sensitive data types we may encounter in the future include the following:

  • Information on employee health and/or disability status.
  • Information on employee ethnicity, race, religion, sexuality, or political beliefs.
  • User location data and online behavior.

Nested Knowledge currently does not collect or process any sensitive client data.

Other Regulations

Some data may be subject to specific protection requirements under a contract or grant, or according to a law or regulation not described here. In those circumstances, the most restrictive protection requirements should apply. If you have questions, please contact the Data Protection Officer, 507-271-7051.

Compliance

Failure to comply with data protection may result in harm to individuals, organizations, or the company. The unauthorized or unacceptable use of Nested Knowledge Data may subject the User to revocation of the privilege to use Nested Knowledge Data or Information Technology. Users may be subject to disciplinary action, up to and including termination of employment.

Review and Update

This data classification policy will be updated at least on an annual basis, or when a significant change in data processing occurs.

Revision History

Author        Date of Revision/Review   Comments
K. Cowie      10/14/2024                Revised
K. Kallmes    11/19/2021                Draft approved
P. Olaniran   09/18/2022                Revisions completed
K. Cowie      09/18/2022                Revisions approved
Updated on October 15, 2024