Ƶ

Live now: Board of Curators meeting

UM System

Tools

Data Classification Levels

Data classification at the Ƶ is the categorization of data according it's importance, sensitivity, and potential for misuse.

We use data classification to help select appropriate security controls for storing, processing, transferring, and sharing data. 

UM has created a classification system that divides data into four levels. 

Definitions and examples of each level are provided below. 

Please note these lists are not exhaustive and data may fall into a higher classification due to these factors:

  • Intended use 
  • Combination with other data
  • Federal and state regulations
  • Contract or grant specific considerations such as non-disclosure agreements, confidentiality agreements, and data use agreements

Information Security and IT Compliance will assist in determining the appropriate classification for your data. They also review tools and services to help protect the confidentiality, integrity, and availability of our information assets.

Data Classification Level 1--Public

Information intended and released for public use.

The University intentionally provides this information to the public.

Examples:

  • Published research
  • Course catalogs 
  • Published faculty and staff information 
  • Job postings
  • Name, employment dates, job title, and work address/phone/email
  • Student directory information* 
  • Basic emergency response plans 
  • University-wide policies 
  • Publications 
  • Press releases 
  • Published marketing materials 
  • Regulatory and legal filings 
  • Published annual reports 
  • Code contributed to Open Source 
  • Released patents 
  • Plans of public spaces

*Directory information about students who have requested FERPA blocks must be classified and handled as DCL3

Data Classification Level 2--Sensitive (Internal)

Information that is intended to only be shared within the UM System community. 

Sensitive data or information which is not openly shared with the general public but is not specifically required to be protected by statute, regulation, or policy. Unauthorized disclosure of this information could adversely impact the University, individuals or affiliates.

Examples:

  • Budget and salary information
  • Employee ID
  • Cell phone numbers
  • Departmental policies and procedures
  • Internal memos
  • Incomplete or unpublished research
  • Faculty degrees and certificates
  • Employee web/intranet portals 
  • UM training materials 
  • Pre-release articles 
  • Drafts of research papers 
  • Work papers 
  • Patent applications 
  • Grant applications 
  • Non-public building plans or layouts 
  • Non-confidential administrative survey data
  • De-identified Research Data (Non-clinical)

 

Data Classification Level 3--Restricted

Confidential business or personal information, intended only for those with a “business need to know.”

There are often general statutory, regulatory or contractual requirements that require protection of the data. It is intended for a very specific use and should not be disclosed except to those who have explicit authorization to review such data. Unauthorized disclosure of this information could have a serious adverse impact on the University, individuals or affiliates.

Examples:

  • Non-directory student information
  • Personally identifiable information (PII) such as name, birthdate, address, phone number, email,  etc. where the information is held in combination and could lead to identity theft or other misuse
  • Certain research (e.g. proprietary or otherwise protected)
  • Performance records
  • Gender
  • Ethnicity
  • Race
  • Citizenship
  • Visa/immigration status
  • Disability
  • ADA accommodations
  • Non-published faculty and staff information
  • Personnel records*
  • Donor information 
  • Non-public legal work and litigation information 
  • Budget /financial transactions information 
  • Non-public financial statements 
  • Information specified as confidential by vendor contracts and NDAs 
  • Information specified as confidential by Data Use Agreements 
  • General security findings or reports 
  • Most UM source code 
  • Non-security technical specifications/architecture schema 
  • Library/museum object valuations 
  • IRB records 
  • Sensitive administrative survey data
  • Course feedback, especially if free text response is permitted
  • De-identified health or medical information 
  • De-identified Clinical Research Data
  • Partial Social Security Number (Last 4 digits)

*Employees have the right to discuss terms and conditions of their own employment, including salary and benefits, with each other or with third parties

Data Classification Level 4--Highly Restricted

High-risk information that requires strict controls.

There are often governing statutes, regulations or standards with specific provisions that dictate how this type of data must be protected. It is intended for a very limited use and must not be disclosed except to those who have explicit authorization to view or use the data. Unauthorized disclosure of this information could have a serious adverse impact on the University, individuals or affiliates.

Examples:

  • Passwords and PINs 
  • System credentials 
  • Private encryption keys 
  • Government issued identifiers
    • Passport number or picture
    • Driver’s license information or picture
  • Full Social Security Numbers (SSNs)
  • Individually identifiable financial account information (e.g. bank account, credit or debit card numbers) 
  • Individually identifiable health or medical information
  • Individually identifiable research data 
  • Details of significant security exposures (e.g. vulnerability assessment and penetration test results) 
  • Security system procedures and architectures 
  • Trade secrets 
  • Systems managing critical Operational Technology
  • Biometric Data
  • E-Commerce
  • Export Controlled Data
  • National Security Interest (NSI)
  • Protected Health Information (PHI)
  • Controlled Unclassified Information (CUI)
 

Reviewed 2025-04-10

Sections