Data Classifications: Data Services
Fordham Provided Services
Non-Fordham Provided Services
- Personal desktop and laptop
- Personal equipment (tablet, smartphone, removable media/USB drive)
- Personal third-party email services (e.g., personal Gmail, Hotmail™, Yahoo®)
- Text Messaging
- Cloud storage services not covered by University agreements (e.g., Evernote®, Dropbox™, personal Google Drive, iCloud™, Amazon S3™, personal Office 365, personal OneDrive, personal Microsoft Azure, personal Smartsheet, and personal Reclaim Hosting services)
- Free or personal web-accessible platforms not covered under University agreements (e.g., ChatGPT, DALL-E, Bard, LLaMA, Make-A-Video, Claude, Stable Diffusion, Hugging Face, BLOOM, NeMo, Reddit, Instagram™, Facebook™, Twitter™, TikTok™, Github™, Picasso®, Flickr®, SmuHug, Forums, Public IT Support).
- Third-party survey tools not covered by University agreements (e.g., SurveyMonkey®, Constant Contact®)
Data Classification Grid Legend
1 - Service can only be used when care is taken to limit access to authorized individuals.
2 - To protect this class of data, removable media or a mobile device must be used in conjunction with a sanctioned encryption product. For guidance, contact [email protected].
3 - This service may be used with the approval of the identified Data Owner. For questions, contact [email protected].
4 - Emailing or sharing data stored from these cloud services must be encrypted before transmitting or sharing. To review your use of this technology, contact [email protected].
5 - This service may be used with the approval of the identified data owner. Any communication beyond that must follow rule number 4.
6 - Limited use of non-Fordham provided services may be used for data protected under this class. Any communication beyond that is prohibited.
7 - To protect this class of data, videoconferencing may only be used if Chat, Recording, and Transcript Generation features are disabled.
Gmail™/Contacts Account
(@fordham.edu)
Description
Gmail™ is the official email service for all Fordham University students, faculty, staff, alumni, guests, and friends. Using an AccessIT ID and password, Gmail is available through the University Portal, My Pages, or gmail.fordham.edu. Fordham offers an email encryption service to secure messages to people outside of Fordham (non-Fordham email addresses). Email communication within the Fordham domains, fordham.edu and law.fordham.edu is automatically secured while in transit.
Google Contacts, providing organization and storage for contact information, is integrated with Gmail.
Links
Data Retention and Recoverability
Email is retained for eight years and then deleted in compliance with the Email Retention Policy. Unless otherwise required by legal counsel, you may delete messages in Gmail at any time. Otherwise, email is retained until deleted, and there is no additional backup.
Deleted data is placed in a Google trash folder for 30 days and is then purged. You may expedite this purge by emptying the trash manually. While email is in the trash, you may recover it at any time within the 30-day period. Please reference the following Google provided documentation for instructions on deleting email and recovering it from the trash: Delete or recover deleted Gmail messages
After the message is deleted from the trash, Fordham IT may assist in recovering it if notified before 25 days has elapsed. Note: This provision does not apply to data deleted in compliance with the email retention policy. If assistance is needed, please contact IT Service Desk.
Permitted Data
Public Data
Data permitted with restrictions
Student Educational Records – FERPA (5)
Student Loan Application Information – GLBA/CUI (4)
Personally Identifiable Information – PII (4)
Attorney-Client Privileged Information (5)
Fordham Sensitive Data (5)
Prohibited Data
Protected Health Information - PHI/HIPAA/RHI
Credit Card/PCI
Text Messaging
Description
Text messages must not contain any Fordham Protected or Fordham Sensitive data. This includes the use of MMS (Multimedia Messaging Service) to send pictures or files containing Fordham Protected or Fordham Sensitive information.
The use of text messages is only permitted to communicate Fordham-related information for which there is no expectation of privacy or confidentiality (public data).
Data Retention and Recoverability
The recipient is responsible for all data retention and recovery.
Permitted Data
Public Data
Data permitted with restrictions
None
Prohibited Data
Student Educational Records - FERPA
Student Loan Application Information - GLBA/CUI
Personal Identifiable Information - PII
Protected Health Information - PHI/HIPAA/RHI
Credit Card/PCI
Attorney-Client Privileged Information
Fordham Sensitive Data
Google Drive
Description
Google Drive is used to create, share, and store files, enabling file access from any computer. Google Drive can be accessed via drive.google.com or from Google Workspace under the My Apps menu on the Fordham website. Google Drive allows real-time collaboration and sharing of text documents, spreadsheets, presentations, forms, and storage of images, PDFs, and Microsoft Word and Excel files.
Links
Data Retention and Recoverability
Data contained in Google Drive is manually retained. Those using Google Drive should delete documents as per the Records Retention and Disposal Policy. Google stores data until it is deleted. There are no additional backups.
You may delete Google Drive files by moving them to a Google trash folder. The files are automatically deleted forever after they've been in the trash folder for 30 consecutive days. You may expedite this purge by emptying the trash manually. While a Google Drive file is in the trash, you may recover it at any time within the 30-day period. Please reference the following Google provided documentation on deleting and restoring files in Google Drive: Delete and restore files in Google Drive
Google allows you to delete files if they meet the following criteria:
-
You created the file.
-
You uploaded the file to Google Drive.
-
You accepted ownership of the file from someone.
After a file is deleted from the trash, Fordham IT may assist in recovering it if notified before 25 days has elapsed. If assistance is needed, please contact IT Service Desk.
Permitted Data
Public Data
Data permitted with restrictions
Student Educational Records – FERPA (1)
Personally Identifiable Information – PII (1)
Attorney-Client Privileged Information (1)
Fordham Sensitive Data (1)
Prohibited Data
Student Loan Application Information - GLBA/CUI
Protected Health Information - PHI/HIPAA/RHI
Credit Card/PCI
Core Google™ Apps: Calendar, Chat/Meet, Classroom, Docs, Groups, Jamboard, Sheets, and Sites
Description
The Core Google™ Apps provided to Fordham University students, faculty, staff, alumni, and guests include:
- Calendar – a time management application used to keep track of events, allows for calendar sharing with others
- Chat/Meet – for chat and online meetings (formerly Hangouts)
- Classroom – used by instructors to create and organize assignments, provide feedback, and communicate with students
- Docs – a word processor for the creation of documents, allows real-time collaboration
- Groups – creates a set of people with whom you can share Google resources, as a mailing list or for security on Google Docs, Sites, or Sheets
- Jamboard – a collaborative, digital whiteboard
- Sheets – for creation and update of spreadsheets, allows real-time collaboration
- Sites – a website creation tool
Links
Data Retention and Recoverability
Data contained on Google Core Apps is manually retained. Those using Google Core Apps should delete documents as per the Records Retention and Disposal Policy. Google Docs, Sheets (for spreadsheets), and Slides (for presentations) store their documents in Google Drive. Please reference the Google Drive section for additional information regarding retention using that product. Other data stored on Google Core Apps is currently not backed up.
Permitted Data
Public Data
Data permitted with restrictions
Student Educational Records – FERPA (1)
Personally Identifiable Information – PII (1)
Attorney-Client Privileged Information (1)
Fordham Sensitive Data (1)
Prohibited Data
Student Loan Application Information - GLBA/CUI
Protected Health Information - PHI/HIPAA/RHI
Credit Card/PCI
Non-Core Google Apps (e.g., Photo, Maps, YouTube)
Description
Non-core Google Apps™, such as Photo, Maps, and YouTube, are not covered by Fordham's Google Apps for Education agreement with Google and may only be used to share or maintain data for which there is no expectation of privacy or confidentiality (public data). Any Google App not listed in Core Google Apps, as well as other Google services, extensions, or add-ons, are classified as Non-Core.
Links
Data Retention and Recoverability
Data contained in Google Non-Core Apps is manually retained. Those using Google Non-Core Apps should delete documents as per the Records Retention and Disposal Policy. Data stored on Google Non-Core Apps is not backed up.
Permitted Data
Public Data
Data permitted with restrictions
None
Prohibited Data
Student Educational Records - FERPA
Student Loan Application Information - GLBA/CUI
Personal Identifiable Information - PII
Protected Health Information - PHI/HIPAA/RHI
Credit Card/PCI
Attorney-Client Privileged Information
Fordham Sensitive Data
File Shares and Managed Servers
Description
Managed Servers are secure file shares (e.g., S:\drive, storage.fordham.edu) provided by Fordham’s Office of Information Technology to individuals and departments. Folders on these file shares may be securely accessed when off-campus via Fordham's Virtual Private Network (VPN).
Data Retention and Recoverability
PC's local C:\ or Macintosh HD drives may not be automatically backed up; see the Local Drive Usage Advisory for details. Those using file shares are responsible for deleting documents per the Records Retention and Disposal Policy. Data stored on file shares and other servers managed by the Office of Information Technology are backed up daily with a 90-day retention period. These files can be restored, if necessary, by request.
Permitted Data
Student Educational Records - FERPA
Student Loan Application Information - GLBA/CUI
Personal Identifiable Information - PII
Attorney-Client Privileged Information
Fordham Sensitive Data
Public Data
Data permitted with restrictions
None
Prohibited Data
Protected Health Information - PHI/HIPAA/RHI
Credit Card/PCI
Equipment (Desktop, Laptop, Tablet, Smartphone)
Description
Use of Fordham-provided laptops, tablets, and smartphones (mobile devices) that access University data must comply with the following security measures:
-
All devices, where possible, must be secured using a PIN (6-digit minimum) or other password protection.
-
All devices, where possible, must enable automatic lockout for idle devices for 5 or fewer minutes.
-
All devices, where possible, must have remote wipe capability installed and enabled.
-
Any lost, stolen, or compromised device must immediately be reported to the IT Service Desk at 718-817-3999. To protect the integrity and security of Fordham University data, all users of mobile devices that access University data will be subject to remote locking or data-wiping of lost, stolen, or otherwise compromised devices.
For assistance in implementing these security requirements, users should contact IT Service Desk at 718-817-3999 or [email protected].
Data Retention and Recoverability
Data on equipment and not on the S:\ drive is manually retained by the individual to whom the device is allocated. Those using equipment and not using the S:\ drives should delete documents as per the Records Retention and Disposal Policy. Data stored on equipment and not on the S:\ drives is currently not backed up.
Permitted Data
Student Educational Records - FERPA
Personal Identifiable Information - PII
Attorney-Client Privileged Information
Fordham Sensitive Data
Public Data
Data permitted with restrictions
Student Loan Application Information – GLBA/CUI (2)
Prohibited Data
Protected Health Information - PHI/HIPAA/RHI
Credit Card/PCI
Fordham-Provided Removable Media (USB drives)
Description
Removable media is a component that can be inserted into and removed from a system and used to store data or information (e.g., text, video, audio, image data). Such components are typically implemented on magnetic, optical, or solid-state devices (e.g., CDs, DVDs, flash/USB drives, external hard disk drives, and flash memory cards/drives that contain non-volatile memory).
Removable media may only be used in conjunction with a sanctioned encryption product to protect the data at rest. Please contact Information Security and Assurance at [email protected] for guidance before copying any Fordham Protected or Fordham Sensitive data to a removable device.
Permitted Data
Public Data
Data permitted with restrictions
Student Educational Records – FERPA (2)
Student Loan Application Information – GLBA/CUI (2)
Personally Identifiable Information – PII (2)
Protected Health Information - PHI/HIPAA/RHI (2)
Attorney-Client Privileged Information (2)
Fordham Sensitive Data (2)
Prohibited Data
Credit Card/PCI
Devices on PCI-Compliant Network
Description
The PCI-compliant network is a network provided by Fordham IT that is compliant with the payment card industry's Data Security Standards (DSS). The only devices that should reside on this network are those that process credit card transactions on behalf of the University. Devices on this network include but are not limited to the Aramark payment devices located in all food service areas at Rose Hill and Lincoln Center and the Ram Van ticketing machines at both Rose Hill and Lincoln Center. Any department that wishes to utilize this network will need to contact the Office of Treasury Operations at 718-817-4940 for further information.
Data Retention and Recoverability
Storage of credit card information is prohibited. Any other data contained on the PCI-compliant network is manually retained. Those utilizing the PCI-compliant network should delete documents as per the Records Retention and Disposal Policy. Data stored on the PCI-compliant network is currently not backed up.
Permitted Data
Student Educational Records - FERPA
Personal Identifiable Information - PII
Credit Card/PCI
Fordham Sensitive Data
Public Data
Data permitted with restrictions
None
Prohibited Data
Student Loan Application Information - GLBA/CUI
Protected Health Information - PHI/HIPAA/RHI
Attorney-Client Privileged Information
Blackboard®
Description
Blackboard® is an online learning management solution. Faculty and students in on- and off-campus courses may use this application as a repository for course material, online course instruction, and sharing and storing information.
Links
Data Retention and Recoverability
Any data contained in Blackboard is manually retained. Those utilizing Blackboard are responsible for deleting documents as per the Records Retention and Disposal Policy. Data stored on Blackboard is currently not backed up.
Permitted Data
Student Educational Records - FERPA
Fordham Sensitive Data
Public Data
Data permitted with restrictions
None
Prohibited Data
Student Loan Application Information - GLBA/CUI
Personally Identifiable Information - PII
Protected Health Information - PHI/HIPAA/RHI
Credit Card/PCI
Attorney-Client Privileged Information
Zoom™
Description
Zoom™ is an application for online video and audio conferencing, collaboration, chat, and webinars across mobile devices, desktops, and telephones. All active Fordham University employees and students are eligible to log in to Zoom with their Fordham credentials.
Links
Data Retention and Recoverability
Recordings stored in Zoom's cloud environment are automatically deleted after 30 days.
Permitted Data
Student Educational Records - FERPA
Public Data
Data permitted with restrictions
Student Loan Application Information – GLBA/CUI (7)
Personal Identifiable Information – PII (7)
Protected Health Information - PHI/HIPAA/RHI (7)
Attorney-Client Privileged Information (7)
Fordham Sensitive Data (7)
Prohibited Data
Credit Card/PCI
Panopto®
Description
Panopto® is a cloud-based lecture capture service available to all Fordham University faculty, staff, and students. Panopto is used to record lectures for asynchronous viewing, while Zoom™ and Blackboard® Collaborate are used for live classes / synchronous viewing.
Links
Permitted Data
Student Educational Records - FERPA
Public Data
Data permitted with restrictions
None
Prohibited Data
Student Loan Application Information - GLBA/CUI
Personal Identifiable Information - PII
Protected Health Information - PHI/HIPAA/RHI
Credit Card/PCI
Attorney-Client Privileged Information
Fordham Sensitive Data
OnBase® by Hyland
Description
OnBase® by Hyland, Fordham University's enterprise content management system, stores documents and data that have been captured and indexed according to individual departments' business rules, records management guidelines, and retrieval needs.
This information is accumulated and managed as a system of record in a secure central repository where the documents can be easily retrieved via a line of business applications (e.g., Banner, PowerFAIDS®, Fordham Connect, FSA Atlas) or via the OnBase Web and Unity clients. Rules-based workflows move documents from point A to point B by placing documents in queues, thus eliminating the tedious and risky part of a process. Additionally, workflows route documents based on established process rules (rules-based routing) or based on a user decision (decision-based routing). Finally, each step in every process is tracked and scribed to the audit trail for each transaction to ensure compliance requirements and accountability.
OnBase provides the ability to:
-
Capture documents, including paper, electronic documents, email, system reports, e-forms
-
Manage content according to business rules
-
Store, organize, and track content
-
Create workflows to deliver documents to processes as soon as they are needed
-
Preserve and protect documents in compliance with internal and external standards
Data Retention and Recoverability
Data contained in Hyland/OnBase is manually retained. Those using Hyland/OnBase should delete documents per the Records Retention and Disposal Policy. We are in the process of implementing a records management module, which will manage the retention and disposition of stored documents according to predefined business rules. Data stored on Hyland/OnBase is backed up at Hyland data centers. Additionally, deleted documents are sent to a document maintenance queue and can be recovered if needed.
Permitted Data
Student Educational Records - FERPA
Student Loan Application Information - GLBA/CUI
Personally Identifiable Information - PII
Protected Health Information - PHI/HIPAA/RHI
Attorney-Client Privileged Information
Fordham Sensitive Data
Public Data
Data permitted with restrictions
None
Prohibited Data
Credit Card / PCI
ServiceNow™
Description
ServiceNow is an IT Service Management (ITSM) tool used at Fordham University for incident management, service request management, asset management, problem management, configuration management, change management, and Knowledge Management.
Data Retention and Recoverability
Those using ServiceNow must adhere to the Records Retention and Disposal Policy. IT Service Desk assists with data deletion from ServiceNow.
Permitted Data
Student Educational Records - FERPA
Public Data
Data permitted with restrictions
None
Prohibited Data
Student Loan Application Information - GLBA/CUI
Personally Identifiable Information - PII
Protected Health Information - PHI/HIPAA/RHI
Credit Card/PCI
Attorney-Client Privileged Information
Fordham Sensitive Data
MailChimp®, Acoustic Marketing Automation (Fordham Messaging Platform / FMP)
Description
MailChimp® and Acoustic Marketing Automation (Fordham Messaging Platform / FMP) – formerly IBM Watson Marketing and SilverPop – are email marketing tools used for targeted marketing campaigns and the email distribution of newsletters and automated messages.
Links
Data Retention and Recoverability
MailChimp and Acoustic Marketing Automation data is stored and backed up by the vendor. Those downloading data from these services should delete this data as per the Records Retention and Disposal Policy.
Permitted Data
Public Data
Data permitted with restrictions
Student Educational Records – FERPA (3)
Fordham Sensitive Data (3)
Prohibited Data
Student Loan Application Information - GLBA/CUI
Personally Identifiable Information - PII
Protected Health Information - PHI/HIPAA/RHI
Credit Card/PCI
Attorney-Client Privileged Information
Qualtrics®
Description
Qualtrics® is a web-based survey tool provided for free to all Fordham students, faculty, and staff.
Links
Data Retention and Recoverability
Qualtrics data is stored and backed up by the vendor. Those downloading survey results data for analysis should delete this data as per the Records Retention and Disposal Policy.
Permitted Data
Student Educational Records - FERPA
Student Loan Application Information - GLBA/CUI
Personally Identifiable Information - PII
Protected Health Information - PHI/HIPAA/RHI
Fordham Sensitive Data
Public Data
Data permitted with restrictions
none
Prohibited Data
Credit Card/PCI
Attorney-Client Privileged Information
Microsoft Azure™ Cloud Computing Platform
Description
The Microsoft Azure™ Cloud Computing Platform, which uses your Fordham-issued account, provides a suite of computing and storage services.
Links
Data Retention and Recoverability
Azure content is stored and backed up by Microsoft. Please contact IT Service Desk to discuss how Azure services should be set up to meet your backup and recoverability needs. Those using Microsoft Azure storage should delete data as per the Records Retention and Disposal Policy.
Permitted Data
Public Data
Data permitted with restrictions
Student Educational Records – FERPA (4)
Student Loan Application Information – GLBA/CUI (4)
Personally Identifiable Information – PII (4)
Protected Health Information - PHI/HIPAA/RHI (4)
Attorney-Client Privileged Information (4)
Fordham Sensitive Data (4)
Prohibited Data
Credit Card/PCI
Microsoft OneDrive™ for Business
Description
OneDrive™ is used to create, share, sync, and store files. As part of Fordham University's Office 365™ subscription, files can be saved in OneDrive and then accessed and modified from a browser or mobile device. To use Fordham OneDrive for Business or sync your files, sign in to your Fordham-issued account with your AccessIT ID.
Links
Data Retention and Recoverability
Data contained in OneDrive for Business is manually retained. Those using Fordham OneDrive for Business should delete documents as per the Records Retention and Disposal Policy. Note that Fordham Office 365 documents may be stored on OneDrive, and users are responsible for adherence to the Data Retention and Recoverability and Data Classification Guidelines covering those documents.
Permitted Data
Public Data
Data permitted with restrictions
Student Educational Records – FERPA (1)
Student Loan Application Information – GLBA/CUI (1)
Personally Identifiable Information – PII (1)
Protected Health Information - PHI/HIPAA/RHI (1)
Attorney-Client Privileged Information (1)
Fordham Sensitive Data (1)
Prohibited Data
Credit Card/PCI
Microsoft Office 365™
Description
Office 365™ provides cloud-based versions of Microsoft productivity applications such as Word, Excel, PowerPoint, and Teams.
Links
Data Retention and Recoverability
Office 365 documents may be placed on storage platforms such as local drives, Fordham OneDrive for Business, Fordham Google Drive, Fordham File Shares (S:\ drive), and Managed Servers. Please refer to the Data Retention and Recoverability and Data Classification Guidelines for the selected storage platform.
Permitted Data
Public Data
Data permitted with restrictions
Student Educational Records – FERPA (1)
Student Loan Application Information – GLBA/CUI (1)
Personally Identifiable Information – PII (1)
Protected Health Information – PHI/HIPAA/RHI (1)
Attorney-Client Privileged Information (1)
Fordham Sensitive Data (1)
Prohibited Data
Credit Card / PCI
Reclaim Hosting
Description
Reclaim Hosting provides hosting for digital projects and web-based applications, including WordPress®.
Links
Data Retention and Recoverability
Reclaim-hosted content is not automatically backed up at Fordham. Users of this service are responsible for data backup and data recovery. Those using Reclaim storage should delete data as per the Records Retention and Disposal Policy.
Permitted Data
Public Data
Data permitted with restrictions
Student Educational Records – FERPA (1)
Prohibited Data
Student Loan Application Information – GLBA/CUI
Personal Identifiable Information – PII
Protected Health Information – PHI/HIPAA/RHI
Credit Card / PCI
Attorney-Client Privileged Information
Fordham Sensitive Data