Data Classification Overview

One of the most difficult parts of working with data is knowing the restrictions on that data. When classifying restricted data, certain terms are used to describe when and how information can be shared. Take a moment to familiarize yourself with these terms (High Risk, Sensitive, Internal, and Public) found below before you look up a particular type of data. These terms are defined in DAT01 the data security standard referenced by the information security policy in the Campus Administrative Manual. The data survey available on the side of this page can guide you through the process of classifying your data.

Data Classification Introduction

Data Classification Risk Categories

Data is classified into four categories. The definitions are listed below with links to relevant policies and source documentation. More information about these definitions can be found in the DAT01 and in this knowledge base article https://answers.uillinois.edu/page.php?id=63588  

High Risk: Inappropriate handling of this data could result in criminal or civil penalties, loss of federal funding, reputational damage, identity theft,  financial loss, invasion of privacy, and/or unauthorized access to this type of information by an individual or many individuals.  High Risk data must only be accessed by those specifically authorized. The fines and costs to the university for a data breach can be in the millions of dollars. Examples of High Risk data include:

Sensitive: Because of legal, ethical, or other constraints, this data may not be accessed without specific authorization. Only selective access may be granted. The fines and costs to the university for a data breach of this type can be up to a million dollars. Examples of this type of data include:

  • Student Records (FERPA)
  • Employee personal information such as home address, email address, telephone
  • Information covered by a Non-Disclosure Agreement (NDA)
  • Network and System Diagrams and Configuration Documents

Internal: Inappropriate handling of Internal data could result in reputational damage for the university, as well as loss of competitive advantage and higher costs for university business processes. Even some data that eventually becomes part of the public record is legally Internal, such as while certain negotiations are ongoing. Access restrictions should be applied accordingly. Examples of Internal data include:

  • Unpublished Research Data
  • Intellectual Property
  • Preliminary drafts, notes, recommendations, memorandum and other records in which opinions are expressed, or policies or actions are formulated
  • Other data not listed by any other restricted classification that is exempted from disclosure under the Illinois Freedom of Information Act (FOIA) - (5 ILCS 140/7)

Public: Information that is classified as public information can be freely shared with the public and posted on publicly viewable web pages. All FOIA requests must be submitted via information found here:

 

Is Your Data at Risk?

Data that is high risk or sensitive needs extra care. Use the Data Classification Survey to properly classify your data. Once your data is classified, you will be able to better understand how that data can be used in the safest possible way. If your data is classified as high risk, sensitive, or internal, ask yourself the following questions to help lower the risk of data breach or loss:

  1. Do I  need to make a copy of restricted data?
    • If you can view the restricted data without making a copy on your own computer or making a print copy, do that instead.  Data classified as high risk cannot be stored on your computer unless special permissions are obtained.
  2. Do I need to share restricted data with someone else?
    • In addition to creating more copies, transmitting restricted data creates the risk that it will be intercepted. Data classified as sensitive cannot be emailed without encryption. Data classified as high risk cannot be emailed.
  3. How long do I need to keep a copy of restricted data?
    • Unless you need to use the same restricted data on a regular basis (once a week or more), destroy or securely archive any copies.

Data Survey

Take the Survey

The Data survey helps identify the types of data involved in research, education, and university business. Help with taking the survey can be found here: https://mediaspace.illinois.edu/media/t/1_yi0r4mnb

The survey is provided using technology from:

OneTrust Logo, green background with white text.

Security Program logo featuring the Data Policy and Information Security Policy circling the Information Security standards, control requirements, and job aids.

Cloud Data Tools

The University of Illinois provide several cloud-based storage solutions for working with restricted data.

Learn more about these tools: https://answers.uillinois.edu/illinois/page.php?id=54880