Data Classification Overview

One of the most difficult parts of working with data is knowing the restrictions on that data. When classifying restricted data, certain terms are used to describe when and how information can be shared. Take a moment to familiarize yourself with these terms (High Risk, Sensitive, Internal, and Public) found below before you look up a particular type of data. These terms are defined in DAT01 the data security standard referenced by the information security policy in the Campus Administrative Manual. The data survey available on the side of this page can guide you through the process of classifying your data.

Data Classification Introduction


Data Classification Risk Categories

Data is classified into four categories. The definitions are listed below with links to relevant policies and source documentation. More information about these definitions can be found in the DAT01 and in this knowledge base article https://answers.uillinois.edu/page.php?id=63588  

High Risk: High Risk data is defined as "Disclosure or modification of High Risk Data without authorization would have severe adverse effect on the operations, assets, or reputation of the University, or the University's confidentiality obligations." The fines and cost to the university for a data breach can be in the millions of dollars. Examples of High Risk data include:

Sensitive: Sensitive data is defined as "Disclosure or modification of Sensitive Data without authorization would have serious adverse effect on the operations, assets, or reputation of the University, or the University's confidentiality obligations." There are specific regulatory requirements governing the sharing of FERPA protected data, which are detailed by the University of Illinois Registrar and in the University of Illinois Student Code. Other Sensitive Data can be shared with the owning unit, other units, other schools, and the government as long as there is a legitimate and documented business need for said parties to see the data in question, but may not be shared with the media. Examples of Sensitive data include:

  • Student Records (FERPA)
  • Employee personal information such as home address, email address, telephone
  • Information covered by a Non-Disclosure Agreement (NDA)
  • Network and System Diagrams and Configuration Documents

Internal: Internal Data is defined as "Disclosure or modification of Internal Data without authorization would have moderate adverse effect on the operations, assets, or reputation of the University, or the University's confidentiality obligations." This includes, but is not limited to, information such as research data prior to publication. Internal Data can be shared with the owning unit, other units, other schools, and the government as long as there is a legitimate and documented business need for said parties to see the data in question, but may not be shared with the media.

  • Unpublished Research Data
  • Intellectual Property
  • Preliminary drafts, notes, recommendations, memorandum and other records in which opinions are expressed, or policies or actions are formulated
  • Other data not listed by any other restricted classification that is exempted from disclosure under the Illinois Freedom of Information Act (FOIA) - (5 ILCS 140/7)

Public: Information that is classified as public information can be freely shared with the public and posted on publicly viewable web pages.

Is Your Data at Risk?

Data that is high risk or sensitive needs extra care. Use the Data Classification Survey to properly classify your data. Once your data is classified, you will be able to better understand how that data can be used in the safest possible way. If your data is classified as high risk, sensitive, or internal, ask yourself the following questions to help lower the risk of data breach or loss:

  1. Do I  need to make a copy of restricted data?
    • If you can view the restricted data without making a copy on your own computer or making a print copy, do that instead.  Data classified as high risk cannot be stored on your computer unless special permissions are obtained.
  2. Do I need to share restricted data with someone else?
    • In addition to creating more copies, transmitting restricted data creates the risk that it will be intercepted. Data classified as sensitive cannot be emailed without encryption. Data classified as high risk cannot be emailed.
  3. How long do I need to keep a copy of restricted data?
    • Unless you need to use the same restricted data on a regular basis (once a week or more), destroy or securely archive any copies.

Data Survey

Take the Survey

The Data survey helps identify the types of data involved in research, education, and university business. Help with taking the survey can be found here: https://mediaspace.illinois.edu/media/t/1_yi0r4mnb

The survey is provided using technology from:

OneTrust Logo, green background with white text.

Security Program logo featuring the Data Policy and Information Security Policy circling the Information Security standards, control requirements, and job aids.

Cloud Data Tools

The University of Illinois provide several cloud-based storage solutions for working with restricted data.

Learn more about these tools: https://answers.uillinois.edu/illinois/page.php?id=54880