Best Practice: Data Classification

Statement of Best Practice

  • Classify data according to its use to ensure privacy and confidentiality of the data under our stewardship


  • CISO



Data that, if compromised or accessed without authorization, could lead to criminal charges, significant legal penalties, and/or irreparable harm to the University. Examples include but are not limited to:

  • Credit Card Information (PCI-DSS)
  • Electronic Protected Health Information (ePHI / HIPAA)
  • Personally Identifiable Information (PII)
  • Export Controlled Research (ITAR, EAR)
  • Human Subject Research
  • Student Education Records (FERPA PII, Financial Student Aid)



Data that requires protection of its confidentiality and specific authorization for access, but would not result in significant legal penalties or more than moderate harm to the University should it become compromised. Examples include by are not limited to:

  • Student Education Records (FERPA grades, completed assignments, class schedules)
  • Intellectual Property (patent information)
  • Sensitive Institutional Information
  • Research Data (CUI, animal research)
  • Video Recordings
  • Financial, Account, Payroll Information
  • Attorney Client Privilege (Legal)
  • Building access systems
  • Personnel Records
  • IT Infrastructure / Information Security Information


Internal only

Data that is only accessible internally to those granted access, but is not otherwise regulated or confidential. Examples include but are not limited to:   

  • Internal Memos
  • Documented Processes and Procedures
  • Exams (questions and answers) / Course materials
  • Business Plans



Data that is freely accessible to the public. Examples include but are not limited to:

  • Directory Information (includes FERPA directory information unless the student has opted out of the directory)
  • Public Information(Define terms that have specialized meanings in the policy)



The ISO uses the term "sensitive" to refer to any data classified as non-public and includes the above classifications of Internal only, Confidential, and Restricted.


Print Article


Article ID: 146800
Fri 9/23/22 4:21 PM
Wed 5/29/24 11:03 AM
Supported Office or Community
University Community of Students, Staff, and Faculty