Risk Classifications

Trinity College is committed to safeguarding the privacy of its students, alumni, faculty, and staff, and to ensuring the confidentiality, integrity, and availability of the information that supports and advances its educational mission.

To uphold these commitments, Trinity classifies institutional information and data according to their risk level, enabling the implementation of appropriate handling, access, and protection measures in accordance with its legal, regulatory, and ethical responsibilities.

This framework supports a culture of information security and responsible data stewardship across all members of the College community.

Trinity College has classified its information assets into risk-based categories to determine who is authorized to access the information and what security measures must be taken to protect it against unauthorized access.

Low Risk

Data and systems are classified as Low Risk when they do not fall under the Moderate or High Risk categories and meet at least one of the following criteria:

  • The information is intended for public access or distribution.

  • A loss of confidentiality, integrity, or availability would result in no measurable impact on Trinity College’s mission, operations, safety, finances, or reputation.

Moderate Risk

Data and systems are classified as Moderate Risk when they are not deemed High Risk and meet one or more of the following criteria:

  • The information is not publicly available and is intended for internal use only.

  • Unauthorized access, alteration, or unavailability could cause limited or short-term impact on the College’s mission, operations, safety, finances, or reputation.

Examples may include internal communications, data not subject to regulatory controls, or student work not governed by the Family Educational Rights and Privacy Act (FERPA).

High Risk

Data and systems are classified as High Risk if they meet any of the following conditions:

  • Protection of the information is required by law or regulation (e.g., FERPA, HIPAA, GDPR).

  • Trinity College would be legally obligated to notify individuals or authorities in the event of unauthorized access or disclosure.

  • A breach or failure affecting confidentiality, integrity, or availability could result in significant harm to the College’s mission, safety, finances, legal standing, or reputation.

Examples include social security numbers, health records, financial account information, and other sensitive personally identifiable information (PII).


Data Risk Classification Examples

Use the examples below to help determine the appropriate risk classification for specific types of data or systems. When handling datasets that include multiple types of information, always apply the highest applicable risk classification to ensure appropriate protection.

This approach helps safeguard data integrity, supports compliance with legal and institutional requirements, and reinforces Trinity College’s commitment to responsible data management.

Low Risk

Data intended for public use, where unauthorized access would pose no impact on Trinity College’s operations, compliance, or reputation.

Examples include:

  • Trinity IDs or equivalent identifiers (when not linked to sensitive data)

  • Information publicly available on Trinity’s website without authentication

  • Policy or procedure manuals explicitly marked for public distribution

  • Job postings

  • College contact information not marked as private by the individual

  • Content in the public domain

Moderate Risk

Data not intended for public access, where unauthorized disclosure could cause limited or short-term impact to Trinity’s operations, reputation, or compliance posture.

Examples include:

  • Unpublished research data (at the discretion of the data owner)

  • Student academic records and admission applications

  • Faculty/staff employment applications, personnel files, salary data, benefits information, date of birth, and personal contact details

  • Internal (non-public) policies and administrative documents

  • Non-public contracts and agreements

  • Internal communications, reports, budgets, and planning documents

  • Institutional or employee ID numbers

  • Engineering, design, or operational data related to campus infrastructure

High Risk

Sensitive or regulated data, where unauthorized access or disclosure could result in significant harm to individuals or Trinity College, or where protection is required by law or regulation.

Examples include:

  • Medical or health-related data, including Protected Health Information (PHI)

  • Health insurance policy numbers

  • Social Security numbers

  • Credit card or debit card numbers

  • Bank account numbers and financial routing information

  • Export-controlled research or data

  • Government-issued identification numbers (e.g., driver’s license, passport, visa)

  • Donor contact information and confidential gift-related records


Server Risk Classification Examples

Low Risk

Systems that store or process only public information, and where a compromise would have no impact on Trinity College’s operations, compliance obligations, or reputation.

Examples include:

  • Research computing servers used exclusively with publicly available or low-risk data

  • File servers hosting publicly released datasets or documents

Moderate Risk

Systems that store or process Moderate Risk data, where unauthorized access could cause limited or temporary harm to individuals or institutional operations.

Examples include:

  • Servers managing internal or restricted (non-public) college data

  • Databases containing confidential but non-regulated documents, such as internal contracts

  • File servers storing non-public procedures, planning documents, or operational manuals

  • Application or database servers housing student academic or admissions records

High Risk

Systems that store or provide access to high-risk or regulated data, or are considered critical infrastructure. Compromise could result in significant institutional, legal, financial, or reputational harm.

Examples include:

  • Servers storing or processing High Risk data such as PHI, Social Security numbers, or financial account information

  • Authentication servers or systems that control access to high-risk applications or data

  • College-wide or departmental email systems handling sensitive communications

  • Core infrastructure systems essential to Trinity’s operations (e.g., identity and access management, network backbone, enterprise resource planning)


Application Risk Classification Examples

Low Risk

Applications that process or display public information, where compromise would have no adverse effect on Trinity College’s mission, operations, or reputation.

Examples include:

  • Applications handling only low-risk data

  • Online campus maps

  • Public academic catalog displaying course descriptions

  • Transit or shuttle schedule applications

Moderate Risk

Applications that process non-public but unregulated information, where unauthorized access could cause a limited or temporary impact to individuals or the College.

Examples include:

  • Applications handling Moderate Risk data

  • Human Resources applications storing salary, job titles, or contact information

  • Internal directory tools with employee phone numbers, email addresses, and positions

  • Campus emergency alert systems

  • Online application portals for student admissions or enrollment

High Risk

Applications that store or process High Risk or legally regulated data, or where a breach could cause significant harm to individuals or to Trinity College’s operations, finances, or legal standing.

Examples include:

  • Applications handling high-risk data

  • Human Resources systems storing Social Security numbers or protected health information

  • Applications storing or managing sensitive network infrastructure details

  • Systems collecting or storing confidential donor, alumni, or constituent information

  • Payment processing systems that handle credit card or banking data