Data Classification and Handling Standard
Organization: Aina Design Corp
Applies To: hawaii.mokunet.us · kuleana.ainadesign.org · huikoeaina.ainadesign.org · ainadesign.org
Version: 1.0
Effective Date: February 20, 2026
Next Review: February 20, 2027
Policy Owner: Data Governance Lead
This standard defines how Aina Design Corp classifies data based on sensitivity, and the handling requirements that apply to each classification level. Clear classification ensures that student data, district information, and organizational data are protected proportionally to their sensitivity and risk.
2. Data Classification Levels
Level 1 — Restricted (Highest Sensitivity)
Data that, if disclosed inappropriately, could cause significant harm to students, families, or the organization.
•
Student PII (name, student ID, date of birth, address)
•
Special education records (IEP, 504 plans)
•
Counseling or health-related records
•
Authentication credentials and secrets
•
Encrypted in transit and at rest (mandatory)
•
Access strictly limited by role; individual access logged
•
No sharing outside authorized platform channels
•
Retention follows district contract and Data Retention Policy
•
Breach notification required within 72 hours
Data that is sensitive and intended for internal or district use, but not the most sensitive category.
•
Student-created academic work (artifacts, projects, assignments)
•
Teacher-created instructional content
•
Aggregate class performance data
•
District configuration and roster metadata
•
Encrypted in transit (mandatory); at rest (recommended)
•
Role-based access; bulk export requires audit log entry
•
Shared only within the originating school or district, unless explicitly authorized
Data intended for Aina Design Corp internal use that is not public but poses lower risk.
•
Internal communications and documentation
•
System configuration (non-secret)
•
Platform analytics and operational metrics
•
Access limited to Aina Design Corp staff with a business need
•
Reasonable security controls applied; not shared publicly
Data explicitly approved for public distribution.
•
Published platform documentation
•
Public-facing compliance policies (this document)
•
Press releases and public announcements
•
No special restrictions; may be shared freely
•
Must be reviewed and approved before publication
3. Classification Responsibilities
Maintains classification schema; adjudicates edge cases
Tags data categories in data models; implements classification controls in code
Identify data types shared with the platform; confirm classification at project start
Apply correct handling based on classification; report unclassified sensitive data
When in doubt, treat data as Level 1 — Restricted until formally classified.
The following data types are always treated as Level 1 — Restricted, regardless of other factors:
•
Any data about a student’s disability, health, or mental health
•
Geolocation data of minors
Where technically feasible:
•
Database tables containing Level 1 data are labeled in the data dictionary.
•
API responses containing PII include metadata markers for logging purposes.
•
Bulk export files include classification headers.
This standard is reviewed annually and whenever new data types are introduced to the platform.
Data Governance Lead: _________________________
Security Lead: _________________________
Date Approved: _________________________