Data Classification Standard

The purpose of this standard is to establish a framework for classifying institutional data based on its level of sensitivity, value and criticality to the University as required by the University's Information Security Policy. Classification of data will aid in determining the baseline security controls for the protection of University data. The University classifies University Administrative Information as follows:

  1. Confidential Information: Confidential information is sensitive information that must be safeguarded in order to protect the privacy of individuals and the security and integrity of systems and to guard against fraud. Confidential information includes, but is not limited to:
    • Social Security numbers
    • Credit and debit card numbers
    • University ID number
    • Bank account or other financial account numbers
    • Medical or counseling records or information
    • Passwords, passphrases, PIN numbers, security codes, and access codes
    • Tax returns
    • Credit histories or reports
    • Background check reports
  2. Restricted Information: Restricted information includes all data, records, documents or files that contain information that is: (a) required to be maintained confidentially under any applicable law, regulation or University policy; (b) subject to a contractual obligation to maintain confidentially; (c) subject to any applicable legal privilege or protection, such as the attorney-client privilege; and/or (d) deemed by the University to be a trade secret, confidential or proprietary. Restricted information include, but is not limited to:
    • Education records
    • Employment records
    • Financial aid records
    • Date and place of birth
    • Business plans
    • Public relations strategies
    • Information security protocols or systems
    • Financial records (other than audited financial statements published on the University website)
    • Prospective and existing contracts and other business arrangements and/or business plans, procedures, and other strategies
    • Library circulation records
  3. Official Use Only Information: Official Use Only Information is information about individuals that can be shared within the University Community for official purposes but will not be routinely made available to the public except by the Office of Communications. Official Use Information includes, but is not limited to:
    • Name
    • Addresses: permanent, campus, local (off-campus), e-mail and campus computer network (IP) address, NetID
    • Associated telephone numbers
    • School or college
    • Major and/or minor fields of study
    • Degree sought
    • Expected date of completion of degree requirements and graduation
    • Degrees conferred
    • Awards and Honors (e.g., Dean’s list)
    • Full or part time enrollment status
    • Dates of attendance
    • Previous institutions attended
    • Participation in officially recognized activities and sports
    • Weight and height of members of athletic team members
    • Photograph
    • Gender
    • Race
  4. Public Information: Information that the University has made available or published for the explicit use of the general public.