Best Practice: Data Classification

Statement of Best Practice

  • Classify data according to its use to ensure privacy and confidentiality of the data under our stewardship


  • CISO



Data that, if compromised or accessed without authorization, could lead to criminal charges, significant legal penalties, and/or irreparable harm to the University. Examples include but are not limited to:

  • Credit Card Information (PCI-DSS)
  • Electronic Protected Health Information (ePHI / HIPAA)
  • Personally Identifiable Information (PII)
  • Export Controlled Research (ITAR, EAR)
  • Human Subject Research
  • Student Education Records (FERPA), Financial Aid



Data which requires protection of its confidentiality and specific authorization for access, but would not result in significant legal penalties or harm to the University should it become compromised. Examples include but are not limited to:

  • Intellectual Property (patent information)
  • Sensitive Institutional Information
  • Research Data (CUI, animal research)
  • Video Recordings
  • Financial, Account, Payroll Information
  • Attorney Client Privilege (Legal)
  • Building access systems
  • Personnel Records
  • IT Infrastructure / Information Security Information


Internal only

Data that is only accessible internally to those granted access, but is not otherwise regulated or confidential. Examples include but are not limited to:   

  • Internal Memos
  • Documented Processes and Procedures
  • Exams (questions and answers) / Course materials
  • Business Plans



Data that is freely accessible to the public. Examples include but are not limited to:

  • Directory Information
  • Public Information



Article ID: 146800
Fri 9/23/22 4:21 PM
Thu 10/6/22 10:27 AM
Supported Office or Community
University Community of Students, Staff, and Faculty