Data Classifications

This page contains information about how to identify the sensitivity level of a particular set of data and handle its security implications appropriately.

Introduction

One of the most difficult parts of working with sensitive data is knowing just how sensitive the data actually is. CITES Security has worked with many units and departments across the University to develop a central location to provide answers about what can and can't be done with certain types of data. If you have any questions about these classifications, or if you work with data that isn't on this list but think it should be, please contact the Security Group at securitysupport@uiuc.edu.

If this is your first time using our data classifications, please take a moment to review the terminology below so that you understand specific definitions used in the classifications.

Data categories

For ease of use, the different types of data have been broken into six general categories. Clicking on any category will take you to a page with all of the data information that you will need.

Terminology

When classifying sensitive data, certain terms are used to describe when and how information can be shared. Take a moment to familiarize yourself with these terms before you look up a particular type of data.

High Risk: Data that is classified as high risk data is information that is so sensitive that there are state and/or federal regulations saying that releasing it is against the law, unless it is released in an authorized fashion. Losing High Risk data also can cost the University considerable amounts of money in penalities. Examples of high risk data include Social Security Numbers, credit card numbers and certain forms of medical information.

Confidential: Data that is classified as confidential is data that needs to be protected like High Risk data, but its classification as Confidential comes from University policy instead of any kind of state or federal law. An example of confidential information would be university ID cards or UINs.

Public: Information that is classified as public information can be freely shared with the public and posted on publicly viewable web pages.

Legitimate Educational or Business Need: Certain laws such as FERPA, allow the release of particular types of information if there is a legitimate educational need. Other laws allow for the same exception when there is a legitimate business need. There are no concrete rules for what qualifies as either type of legitimate need. If you have any doubts about whether or not the release of certain information would qualify as a legitimate educational or business need, please discuss the issue with your supervisor.

Authorized Individuals: An authorized individual is someone that has been granted access to specific sensitive data either by law, by policy or by the data's custodian. Before you share a copy of sensitive data with someone, it is your responsibility to make sure that individual is authorized to have access to the data.

Encrypted Transport: Most transmissions across the internet and networks (emails, instant messages, etc) are unencrypted. This means that with just a little effort, most hackers can intercept and read those transmissions. By encrypting the message, only the intended recipients can read what you send. Therefore, when sending sensitive data to someone, you need to use an encrypted transport such as NetFiles, PEAR or an encrypted instant messenger service.

Non-University Servers: A server is a computer that stores information that can be accessed by others. Examples of servers include fileshares (such as NetFiles) or an email server that routes and stores all email that is sent to particular addresses. Non-University servers are servers that are not controlled by the University, and therefore, there is an added risk that any sensitive data that is stored on those servers or even passes through those servers, could be lost. Non-University servers are considered a risk, and only more public types of data should be stored or sent through Non-University servers.

Data Custodian: A data custodian is the person, group or unit in charge of protecting and storing particular data. Different types of data have different data custodians. If you are trying to get a copy of a particular piece of data, you should go to the data custodian instead of getting the data from someone else.