Emergency Management Information Classification Standard

Title

University of North Carolina at Chapel Hill Standard on Emergency Management Information Classification

Introduction

Purpose

This Standard defines a structure for information developed under, and in support of, the University of North Carolina at Chapel Hill’s (“UNC-Chapel Hill” or “University”) Emergency Management Policy, and Data Governance Policy. This Standard is intended to apply specific and stringent handling and information control procedures and practices for Emergency Management Information, aligned with the University’s Information Classification Standard.

This Standard considers both the information-sharing priorities of the University's academic mission and the importance of controlling access to sensitive Emergency Management Information. This Standard establishes additional controls for information and documentation that contains information about sensitive emergency management activities beyond those established in the University’s related Data Governance and Information Security Policies and Standards.

Scope

This Standard applies to all University faculty, staff, students, and affiliates; most principally to personnel with responsibilities in the University’s Emergency Management Program and Emergency Coordination, as well as business units with roles outlined in the Core Plans and Programs listed in the Emergency Management Policy.

The Standard covers information from both day-to-day administrative functions and activities, as well as from the operational components of campus-wide Incident and Major Event coordination.

Standard

The University’s Emergency Management Program covers a broad spectrum of plans, programs, and other activities that include and involve a significant amount of information with implications for campus safety operations. Everyone with access to information related to the University’s Emergency Management Program must treat that information with particular care to minimize harm to campus safety operations and increase the University’s ability to safeguard its students, faculty, staff, affiliates, and property.

The classifications described in this document are not static. As circumstances change and time passes, an Authorized Party may reclassify/request reclassification of information at any time as appropriate.

The Office of Emergency Management and Planning (OEMP), acting in its capacity both under the University’s Emergency Management Policy and Emergency Support Function 5: Information and Planning (ESF-5) within the University’s Emergency Operations Plan (EOP), is the unit responsible for making classification and reclassification decisions for all Emergency Management Information.

Units with responsibilities under the University’s Emergency Management Policy may also voluntarily utilize this Standard to classify related information. Units must adhere to the controls as established here whenever documents are labeled as outlined in this Standard.

Classification Types:

Because Emergency Management Information appears throughout Tiers 0-3 of the University’s Information Classification Standard, the University utilizes a Traffic Light Protocol (TLP) model for classifying Emergency Management Information to identify information that requires additional controls to those established in the information’s corresponding Tier. This model uses four (4) lights (Red, Amber, Green, and White), with each light generally corresponding with one (1) tier as established in the University’s Information Classification Standard.

TLP:RED

TLP:RED is the most restrictive classification and corresponds to Tier 3: Restricted Information under the University’s Information Classification Standard.Information classified as TLP:RED includes highly sensitive campus safety operational information, information related to legal proceedings (or reasonably related to the same), and information required to be held in the strictest confidence under legal, regulatory, or contractual obligations.

If you have access to TLP:RED information, you must not share that information with any parties outside of the specific meeting, exchange, or conversation in which it initially was shared. The only exception is if the Campus Safety Leader with jurisdiction over the information has, in writing, approved of you sharing the information.

Examples of information included in TLP:RED are:

• Sensitive information on developing Major Incidents, Incidents, Major Events, or Events as defined in the Emergency Management Policy;
• Draft versions of documents with Emergency Management Information where a determination of official classification cannot be made until a final version is established
• Information protected under HIPAA, FERPA, and related legislation; and
• Information that has a reasonable potential of increasing danger to the University Community or significantly impacting campus safety operations if released without due evaluation by the Authorized Parties.

TLP:AMBER

TLP:AMBER corresponds to Tier 2: Confidential Information under the University’s Information Classification Standard and includes information that could be reasonably expected to impair campus safety and campus safety operations if released to the broader University community or the general public.  This includes information that must be kept confidential due to law, regulation, contract, policy, or other governing requirements.

If you have access to information classified as TLP:AMBER, you should only share that information with members of the involved business unit(s) and supporting groups as necessary. You are expected to share TLP:AMBER information discreetly and with the fewest possible number of people while accomplishing the goal of sharing the information, even within the involved business unit(s) and supporting groups.

Examples of information included in TLP:AMBER are:

• Post-Incident Debriefs, Hot Washes, and After-Action Reports;
• Situation Reports;
• Incident Action Plans; and
• The University’s Emergency Operations Plan and supporting documents.

TLP:GREEN

Information classified as TLP:GREEN includes information about the general state of campus safety operations and corresponds with Tier 1: Business Information, under the University’s Information Classification Standard.

Documents with TLP:GREEN information may be shared amongst University’s Campus Safety Community, regardless of the recipient’s involvement in the document’s creation and the document’s intended use, provided they are able to express a demonstrable and/or communicable need. 

While you may share information classified as TLP:GREEN within and amongst any of the members of the University’s Campus Safety Community, you should only share information with fellow University Campus Safety Community members based on a demonstrated and/or communicable need.  Recipients of TLP:GREEN information who are outside of the Campus Safety Community should not share such information with anyone without the written approval of the originating unit.  Requests for access to TLP:GREEN information should be made to the originating unit or OEMP.  Requests made to OEMP will be shared with the originating unit before any approval is issued.

OEMP may reclassify TLP:GREEN information for dissemination to units acting in a non-campus safety capacity under the following circumstances:

• Upon request, either by the originating unit or another unit with a demonstrable/communicable need,
• Following an evaluation of all relevant circumstances,
• Following consultation with the responsible unit(s), and
• After implementing any necessary redactions.

Examples of information included in TLP:GREEN are:

• General/Broad-Scope Situation Reports; and
• Redacted versions of After-Action Reports, Debriefs, and Hotwashes.

TLP:WHITE

Information classified as TLP:WHITE includes information intended to instruct and inform the broader University community and the general public on campus safety risks, actions, and activities, as well as general instruction and preparatory information. TLP:WHITE corresponds with Tier 0: Public Information, under the University’s Information Classification Standard. TLP:WHITE information may be released to the University community and general public at large by individuals with job responsibilities that involve sharing such information. Once published, the information may be shared without restriction, subject to copyright controls.

Examples of information classified as TLP:WHITE are:

• Alert Carolina Notifications,
• Media Releases,
• Instructional Materials, and
• Promotional Materials.

Utilizing the Emergency Management Information Classification Standard

Applying this Classification Standard

OEMP is responsible for determining the initial classification level for all documents produced under the University’s Emergency Management Policy. Additionally, OEMP is responsible for coordinating the reclassification of all documents/information that falls under this Standard. As certain documents produced under the Emergency Management Policy may already be subject to the information and/or access controls of the responsible unit, OEMP must consider any such controls and classifications when classifying a document under this Standard. OEMP must not classify any document under this Standard in any manner that detracts from the restrictions established by the responsible unit. Classifications applied through this Standard must meet or exceed the security level established by the responsible unit. OEMP will work with the Data Governance Oversight Group to ensure alignment with the University tier classification if questions arise.

Documents classified under this Standard must be classified in accordance with the most sensitive information included in the document. If a document contains a single piece of information that meets the criteria of TLP:RED, the entire document must be classified as TLP:RED so long as it contains said information. Alternative versions of the document may be prepared without such information and reclassified accordingly.

Denoting Classifications in a Document

OEMP recommends that any document classified under this model contain the classification level within the document name and that authors refer to the University’s Information Classification Standard to further ensure information classification compliance. OEMP has also established four (4) classification icons to be used at the top of all classified documents. Each icon contains an image of a three (3)-light traffic light surrounded by a circle colored in accordance with the classification represented.  The lights inside of each traffic light are blacked out to indicate the color being represented (ex: the top two (2) circles in the TLP:GREEN icon are black, while the bottom circle is green).  In the TLP:WHITE icon, all three (3) circles are blacked out.  Each icon is also accompanied by a bold text label of the classification written in the color of the classification on a black background.  Units that would like to utilize this Standard for internal documentation should contact OEMP for copies of these icons or guidance in creating their own. All documents classified under this Standard must contain the appropriate icon at the top of the document, prior to the presentation of any sensitive information.

Exceptions

• Documents created by non-University entities and distributed without modification are not required to include a classification icon within the document.  Information on classification restrictions should be included in the document title and in any communication sharing the document. If the document received a classification restriction from the originating agency, such restrictions should be communicated to the recipients as it relates to this standard, when possible.
• Documents and information that originate as TLP:WHITE are not required to include references to such classification, or to this standard in general.  This primarily applies to the examples specified in this standard: Alert Carolina Notifications, Media Releases, and Promotional and Instructional Materials.
• Nothing in this Standard is intended to supersede or supplement the North Carolina Public Records Act.  That Act, its exceptions, and other laws governing the confidentiality of records apply regardless of TLP classification.

Definitions

Authorizing Party: The unit that has principal ownership of specific Emergency Management Information and, as a result of that ownership, is the unit primarily responsible for decisions regarding granting/denying information access requests from units and advising OEMP on classification/reclassification of information.

Campus Safety Community: Comprised of all University units with responsibilities that are critical to the safety of the University’s physical infrastructure and any persons on property the University owns or otherwise controls. All units within the immediate Campus Safety Community are assigned roles and/or responsibilities within the University’s Emergency Operations Plan and/or its supporting documents.

Campus Safety Units: The business units within Campus Safety and Risk Management which are primarily responsible for campus safety and emergency response. These units are:

• Office of Emergency Management and Planning (OEMP);
• Department of Environment, Health and Safety (EHS); and
• UNC Police Department (UNC Police).

Campus Safety Leadership/Leaders: Refers to the administrative heads of each of the Campus Safety Units and the Associate Vice Chancellor for Campus Safety and Risk Management, who oversees the Campus Safety Units collectively.

Emergency Management Program: The day-to-day administrative function of fulfilling the mission of Emergency Management for the University, facilitated by the OEMP director and staff, as established in the University’s Emergency Management Policy.

Emergency Management Information: Any information produced in support of the Emergency Management Program and/or produced during operations conducted under the purview of the Emergency Management Policy.

Related Requirements

External Regulations

• U.S. Department of Health and Human Services - Federal Policy for the Protection of Human Subjects ("Common Rule")
• U.S. Department of Health and Human Services - Health Information Privacy
• U.S. Public Law 93-288: Robert T. Stafford Disaster Relief and Emergency Assistance Act (“Stafford Act”)
• U.S. Public Law 106-102: Gramm-Leach-Bliley Act (GLBA)
• U.S. International Trade Administration - U.S. Export Regulations
• Family Educational Rights and Privacy Act (FERPA)
• Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act
• North Carolina General Statutes, Chapter 75, Article 2A - N.C. Identity Theft Protection Act
• North General Statute § 126-23 - Certain Records to be Kept by State Agencies Open to Inspection
• North Carolina General Statutes, § 126 - N.C. Human Resources Act
• North Carolina General Statutes, § 132 – Public Records
  • N.C.G.S. § 132-1.4A – Law Enforcement Agency Recordings
  • N.C.G.S. § 132-1.6 – Emergency Response Plans
  • N.C.G.S. § 132-1.7 – Sensitive Public Security Information

University Policies, Standards, and Procedures

• Emergency Management Policy
• University Data Governance Policy
• Information Classification Standard
• Records Management Policy
• Public Records Requests Policy
• Export Controls Policy
• General Records Retention and Disposition Schedule
• Privacy of Protected Health Information Policy
• Policies and Procedures Under the Family Educational Rights and Privacy Act of 1974 (“FERPA”)

Contact Information

Primary Contact

Unit: Office of Emergency Management and Planning

Telephone: 919-445-1730

Email: oemp@unc.edu

Other Contacts