The Harvard Information Security Quick Reference Guide provides a good overview of the security classification levels in a handout form, with links to further details. For completeness' sake, the BU's Data Classification Policy has corresponding levels.
For Server projects, the Harvard University Security Policy: Working with Servers document captures security requirements. BU's Minimum Security Standards provide comparable details.
Based on Scott's feedback above the data we are discussing is HDSL level 2.
The specific details for working with servers broadly are here Information Security Policy-Working with Servers (2 pages) and these apply for Servers with Level 2 Data.
As per BU's FERPA FAQ and HU's FERPA FAQ email adresses are not protected. This is different, potentially then GDPR.