University of Illinois System

Data Classification Overview

One of the most difficult parts of working with data is knowing the restrictions on that data. When classifying restricted data, certain terms are used to describe when and how information can be shared. Take a moment to familiarize yourself with these terms (High Risk, Sensitive, Internal, and Public) found below before you look up a particular type of data. These terms are defined in DAT01, the data security standard referenced by the information security policy in the Campus Administrative Manual.

Data Classification Introduction

Data is everywhere at the university. In academics, it is used to record students' personal information and their progress and work inside a course, and to maintain their transcripts. In Human Resources, it is used to maintain employee personal information in records and to ensure payroll goes to the correct people. Data is the lifeblood of researchers: it helps them reach conclusions that are published in their scholarly papers. Some data is riskier than other data. The university is subject to state and federal regulatory requirements about how certain types of data are stored, collected, used, and disclosed. Some data that emerges from research is intellectual property or is under a Non-Disclosure Agreement with the organization funding the research. Disclosure, alteration or removal of the data without approval could bring legal complications as well as potentially damage the researcher's professional reputation. The university deliberates on many things for which decisions need to be made; most of those deliberations are eventually subject to public disclosure, but some are not. Data classification represents the levels of risk to the confidentiality, integrity and availability of that information.

Data Classification Risk Categories

Data is classified into four categories. The definitions are listed below with links to relevant policies and source documentation. More information about these definitions can be found in DAT01 and in this knowledge base article: https://answers.uillinois.edu/page.php?id=63588

High Risk: Inappropriate handling of this data could result in criminal or civil penalties, loss of federal funding, reputational damage, identity theft, financial loss, invasion of privacy, and/or unauthorized access to this type of information by an individual or many individuals. High Risk data must only be accessed by those specifically authorized. The fines and costs to the university for a data breach can be in the millions of dollars. Examples of High Risk data include:

Sensitive: Because of legal, ethical, or other constraints, this data may not be accessed without specific authorization. Only selective access may be granted. The fines and costs to the university for a data breach of this type can be up to a million dollars. Examples of this type of data include:

  • Student Records (FERPA)
  • Employee personal information such as home address, email address, telephone
  • Information covered by a Non-Disclosure Agreement (NDA)
  • Network and System Diagrams and Configuration Documents

Internal: Inappropriate handling of Internal data could result in reputational damage for the university, as well as loss of competitive advantage and higher costs for university business processes. Even some data that eventually becomes part of the public record is legally Internal, such as while certain negotiations are ongoing. Access restrictions should be applied accordingly. Examples of Internal data include:

  • Unpublished Research Data
  • Intellectual Property
  • Preliminary drafts, notes, recommendations, memoranda and other records in which opinions are expressed, or policies or actions are formulated
  • Other data not listed by any other restricted classification that is exempted from disclosure under the Illinois Freedom of Information Act (FOIA) - (5 ILCS 140/7)

Public: Information that is classified as public information can be freely shared with the public and posted on publicly viewable web pages. All FOIA requests must be submitted via information found here:

Is Your Data at Risk?

Data that is high risk or sensitive needs extra care. Once your data is classified, you will be able to better understand how that data can be used in the safest possible way. If your data is classified as high risk, sensitive, or internal, ask yourself the following questions to help lower the risk of data breach or loss:

  1. Do I need to make a copy of restricted data?
    • If you can view the restricted data without making a copy on your own computer or making a print copy, do that instead. Data classified as high risk cannot be stored on your computer unless special permissions are obtained.
  2. Do I need to share restricted data with someone else?
    • In addition to creating more copies, transmitting restricted data creates the risk that it will be intercepted. Data classified as sensitive cannot be emailed without encryption. Data classified as high risk cannot be emailed.
  3. How long do I need to keep a copy of restricted data?
    • Unless you need to use the same restricted data on a regular basis (once a week or more), destroy or securely archive any copies.