PRIVACY
Effective February 20, 2026
·
Review February 20, 2027
·
Data Governance Lead
Data Classification and Handling Standard
Organization: Aina Design Corp
Applies To: hawaii.mokunet.us · kuleana.ainadesign.org · huikoeaina.ainadesign.org · ainadesign.org
Version: 1.0
Effective Date: February 20, 2026
Next Review: February 20, 2027
Policy Owner: Data Governance Lead
1. Purpose
This standard defines how Aina Design Corp classifies data based on sensitivity, and the handling requirements that apply to each classification level. Clear classification ensures that student data, district information, and organizational data are protected proportionally to their sensitivity and risk.
2. Data Classification Levels
Level 1 — Restricted (Highest Sensitivity)
Data that, if disclosed inappropriately, could cause significant harm to students, families, or the organization.
Examples:
Student PII (name, student ID, date of birth, address)
Special education records (IEP, 504 plans)
Counseling or health-related records
Disciplinary records
Authentication credentials and secrets
Handling Requirements:
Encrypted in transit and at rest (mandatory)
Access strictly limited by role; individual access logged
No sharing outside authorized platform channels
Retention follows district contract and Data Retention Policy
Breach notification required within 72 hours
Level 2 — Confidential
Data that is sensitive and intended for internal or district use, but not the most sensitive category.
Examples:
Student-created academic work (artifacts, projects, assignments)
Teacher-created instructional content
Aggregate class performance data
District configuration and roster metadata
Handling Requirements:
Encrypted in transit (mandatory); at rest (recommended)
Role-based access; bulk export requires audit log entry
Shared only within the originating school or district, unless explicitly authorized
Level 3 — Internal
Data intended for Aina Design Corp internal use that is not public but poses lower risk.
Examples:
Internal communications and documentation
System configuration (non-secret)
Platform analytics and operational metrics
Handling Requirements:
Access limited to Aina Design Corp staff with a business need
Reasonable security controls applied; not shared publicly
Level 4 — Public
Data explicitly approved for public distribution.
Examples:
Published platform documentation
Public-facing compliance policies (this document)
Press releases and public announcements
Handling Requirements:
No special restrictions; may be shared freely
Must be reviewed and approved before publication
3. Classification Responsibilities
Role
Responsibility
Data Governance Lead
Maintains classification schema; adjudicates edge cases
Engineering Team
Tags data categories in data models; implements classification controls in code
District Partners
Identify data types shared with the platform; confirm classification at project start
All Staff
Apply correct handling based on classification; report unclassified sensitive data
When in doubt, treat data as Level 1 — Restricted until formally classified.
4. Special Categories
The following data types are always treated as Level 1 — Restricted, regardless of other factors:
Any data about a student’s disability, health, or mental health
Immigration status
Biometric data
Financial information
Geolocation data of minors
5. Data Labeling
Where technically feasible:
Database tables containing Level 1 data are labeled in the data dictionary.
API responses containing PII include metadata markers for logging purposes.
Bulk export files include classification headers.
6. Review Cadence
This standard is reviewed annually and whenever new data types are introduced to the platform.
7. Sign-Off
Data Governance Lead: _________________________
Security Lead: _________________________
Date Approved: _________________________