Statement of Best Practice
- Classify data according to its use to ensure privacy and confidentiality of the data under our stewardship
Contact
Definitions
Restricted
Data that, if compromised or accessed without authorization, could lead to criminal charges, significant legal penalties, and/or irreparable harm to the University. Examples include but are not limited to:
- Credit Card Information (PCI-DSS)
- Electronic Protected Health Information (ePHI / HIPAA)
- Personally Identifiable Information (PII)
- Export Controlled Research (ITAR, EAR)
- Human Subject Research
- Student Education Records (FERPA PII, Financial Student Aid)
Confidential
Data that requires protection of its confidentiality and specific authorization for access, but would not result in significant legal penalties or more than moderate harm to the University should it become compromised. Examples include but are not limited to:
- Student Education Records (FERPA grades, completed assignments, class schedules)
- Intellectual Property (patent information)
- Sensitive Institutional Information
- Research Data (CUI, animal research)
- Video Recordings
- Financial, Account, Payroll Information
- Attorney Client Privilege (Legal)
- Building access systems
- Personnel Records
- IT Infrastructure / Information Security Information
Internal only
Data that is only accessible internally to those granted access, but is not otherwise regulated or confidential. Examples include but are not limited to:
- Research Data (not including export controlled, human or animal subject, or controlled unclassified information)
- Internal Memos
- Documented Processes and Procedures
- Exams (questions and answers) / Course materials
- Business Plans
Public
Data that is freely accessible to the public. Examples include but are not limited to:
- Directory Information (includes FERPA directory information unless the student has opted out of the directory)
- Public Information
Sensitive
The ISO uses the term "sensitive" to refer to any data classified as non-public, which includes the above classifications of Internal only, Confidential, and Restricted.