University Policies

Institutional Data Classification Policy

Information Technology Services


Purpose:
The University will categorize its data according to a common scheme to ensure compliance with federal, state, and local guidelines.

Statement:
All University data will be assigned one of the following categories:

  • LEVEL I Low Sensitivity (“Public”)
  • LEVEL II Moderate Sensitivity (“Non-Public/Internal”)
  • LEVEL III High Sensitivity (“Confidential/Restricted”)

(NB: Use the materials contained in this policy to assess the risks associated with the data that you regularly access.)

Assessment Criteria

Level One
Legal Requirements

  • Protection of the data will avoid negative publicity and/or low to moderate embarrassment to the University

Risk

  • Loss of personal data with no impact to the person or university
  • Inaccurate general information
  • Short-term loss of reputation

Data Examples

  • Published “white pages”
  • Directory information
  • Academic course descriptions
  • Campus maps (non-floor plans)
  • Institutionally published public data

Storage Requirements

  • May be stored on local devices; encryption strongly encouraged

Level Two
Legal Requirements

  • Protection of data will prevent poor business decisions, inaccurate research conclusions, potential liability, and moderate to high negative publicity

Risk

  • Short-term loss of reputation
  • Short-term loss of research funding
  • Increase in regulatory requirements
  • Short-term loss of dept. services
  • Unauthorized tampering with research data

Data Examples

  • Project data
  • Human resources records that do not include sensitive data
  • Research data or results that are not sensitive
  • Business transactions that do not include sensitive data
  • Student grade books
  • Campus maps with floor plans

Storage Requirements

  • May be stored on local devices; encryption required
  • Storage in a campus network share with defined permissions strongly encouraged

Level Three
Legal Requirements

  • Protection of data is required by law (e.g. HIPAA, FERPA, GLBA data elements, PCI/PII data) and reduces liability, severe negative publicity, and loss of the University's reputation

Risk

  • Long-term loss of reputation
  • Long-term loss of research funding
  • Increase in regulatory requirements
  • Long-term loss of critical campus or dept. services
  • Unauthorized tampering with research data

Data Examples

  • Medical records
  • Health related research
  • Personnel info
  • Financial data
  • Credit cards
  • Social security numbers
  • Official transcripts
  • HR Records
  • PCI/PII data

Storage Requirements

  • May not be stored on local devices under any circumstances
  • Storage in a campus network share with defined permissions required; encryption of data required

Additional Information:
This policy is based on University of Iowa's Institutional Data Classification Guidelines.

2008-04-15
2012-05-05