Security, Data Classification

Security information from Technology Services Privacy and Information Security team.

One of the most difficult parts of working with sensitive data is knowing just how sensitive the data actually is.  When classifying sensitive data, certain terms are used to describe when and how information can be shared. Take a moment to familiarize yourself with these terms before you look up a particular type of data.

Data Classifications

High Risk: Highly sensitive data is defined as "Information that if disclosed or modified without authorization would have severe adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy." This includes, but is not limited to, credit card data, social security numbers, drivers license numbers, and medical records. 

Sensitive: Sensitive data is defined as "Information that if disclosed or modified without authorization would have serious adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy." This includes, but is not limited to, information such as FERPA protected data and information covered by Non-Disclosure Agreements. There are specific regulatory requirements governing the sharing of FERPA protected data, which are detailed by the University of Illinois Registrar and in the University of Illinois Student Code. Other Sensitive Data can be shared with the owning unit, other units, other schools, and the government as long as there is a legitimate and documented business need for said parties to see the data in question, but may not be shared with the media.

Internal: Internal Data is defined as "Information that if disclosed or modified without authorization would have moderate adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy." This includes, but is not limited to, information such as research data prior to publication. Internal Data can be shared with the owning unit, other units, other schools, and the government as long as there is a legitimate and documented business need for said parties to see the data in question, but may not be shared with the media.

Public: Information that is classified as public information can be freely shared with the public and posted on publicly viewable web pages.

Information about specific types of data that fall under these classifications may be found at https://cybersecurity.uillinois.edu/data_classification 

Other Information

Sharing and Disclosure of Data: Certain laws such as FERPA and HIPAA, allow the release or disclosure of particular types of information only in specifically defined situations.  If you have any doubts about whether or not the release of certain information is permitted in a given situation, please discuss the issue with your supervisor, the Privacy and Security team, or the campus officer responsible for legal compliance for that type of data.

Authorized Individuals: An authorized individual is someone that has been granted access to specific sensitive data either by law, by policy or by the data's custodian. Before you share a copy of sensitive data with someone, it is your responsibility to make sure that individual is authorized to have access to the data.

Encrypted Transport: Most transmissions across the internet and networks (emails, instant messages, etc) are unencrypted. This means that with just a little effort, most hackers can intercept and read those transmissions. Therefore, when sending restricted data to someone, you must use an encrypted transport such as PEAR or an encrypted instant messenger service.

Non-University Servers: A server is a computer that stores information that can be accessed by others. Examples of servers include fileshares or an email server that routes and stores all email that is sent to particular addresses. Non-University servers are servers that are not controlled by the University, and therefore, there is an added risk that any sensitive data that is stored on those servers or even passes through those servers, could be lost. Non-University servers are considered a risk, and only more public types of data should be stored or sent through Non-University servers.



Keywords:
security, privacy, information 
Doc ID:
63588
Owned by:
Security S. in University of Illinois Technology Services
Created:
2016-05-23
Updated:
2022-03-03
Sites:
University of Illinois Technology Services