Security, Data Classification

Security information from Technology Services Privacy and Information Security team.


One of the most difficult parts of working with sensitive data is knowing just how sensitive the data actually is.  When classifying sensitive data, certain terms are used to describe when and how information can be shared. Take a moment to familiarize yourself with these terms before you look up a particular type of data.


High Risk: Highly sensitive data is defined as "Information that if disclosed or modified without authorization would have severe adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy." This includes, but is not limited to, credit card data, social security numbers, and medical records. Highly Sensitive Data may not be shared.

Sensitive: Sensitive data is defined as "Information that if disclosed or modified without authorization would have serious adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy." This includes, but is not limited to, information such as FERPA protected data and information covered by Non-Disclosure Agreements. There are specific regulatory requirements governing the sharing of FERPA protected data, which are detailed by the University of Illinois Registrar and in the University of Illinois Student Code. Other Sensitive Data can be shared with the owning unit, other units, other schools, and the government as long as there is a legitimate and documented business need for said parties to see the data in question, but may not be shared with the media.

Internal: Internal Data is defined as "Information that if disclosed or modified without authorization would have moderate adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy." This includes, but is not limited to, information such as research data prior to publication. Internal Data can be shared with the owning unit, other units, other schools, and the government as long as there is a legitimate and documented business need for said parties to see the data in question, but may not be shared with the media.

Public: Information that is classified as public information can be freely shared with the public and posted on publicly viewable web pages.

Legitimate Educational or Business Need: Certain laws such as FERPA, allow the release of particular types of information if there is a legitimate educational need. Other laws allow for the same exception when there is a legitimate business need. There are no concrete rules for what qualifies as either type of legitimate need. If you have any doubts about whether or not the release of certain information would qualify as a legitimate educational or business need, please discuss the issue with your supervisor.

Authorized Individuals: An authorized individual is someone that has been granted access to specific sensitive data either by law, by policy or by the data's custodian. Before you share a copy of sensitive data with someone, it is your responsibility to make sure that individual is authorized to have access to the data.

Encrypted Transport: Most transmissions across the internet and networks (emails, instant messages, etc) are unencrypted. This means that with just a little effort, most hackers can intercept and read those transmissions. By encrypting the message, only the intended recipients can read what you send. Therefore, when sending sensitive data to someone, you need to use an encrypted transport such as PEAR or an encrypted instant messenger service.

Non-University Servers: A server is a computer that stores information that can be accessed by others. Examples of servers include fileshares or an email server that routes and stores all email that is sent to particular addresses. Non-University servers are servers that are not controlled by the University, and therefore, there is an added risk that any sensitive data that is stored on those servers or even passes through those servers, could be lost. Non-University servers are considered a risk, and only more public types of data should be stored or sent through Non-University servers.




Keywords:security, privacy, information   Doc ID:63588
Owner:Security S.Group:University of Illinois Technology Services
Created:2016-05-23 11:42 CSTUpdated:2016-12-19 16:10 CST
Sites:University of Illinois Technology Services
Feedback:  0   0