Privacy and Information Security | University of Illinois

Data Classification Guide

Introduction

One of the most difficult parts of working with sensitive data is knowing just how sensitive the data actually is. CITES Security has worked with many units and departments across the University to develop a central location to provide answers about what can and can't be done with certain types of data. If you have any questions about these classifications, or if you work with data that isn't on this list but think it should be, please contact the Security Group at securitysupport@illinois.edu.

If this is your first time using our data classifications, please take a moment to review the terminology below so that you understand specific definitions used in the classifications.

Data categories

For ease of use, the different types of data have been broken into six general categories. Clicking on any category will take you to a page with all of the data information that you will need.

Terminology

When classifying sensitive data, certain terms are used to describe when and how information can be shared. Take a moment to familiarize yourself with these terms before you look up a particular type of data.

Highly Sensitive: Highly sensitive data is defined as "Information that if disclosed or modified without authorization would have severe adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy." This includes, but is not limited to, credit card data, social security numbers, and medical records. Highly Sensitive Data may not be shared.

Sensitive: Sensitive data is defined as "Information that if disclosed or modified without authorization would have serious adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy." This includes, but is not limited to, information such as FERPA protected data and information covered by Non-Disclosure Agreements. There are specific regulatory requirements governing the sharing of FERPA protected data, which are detailed by the University of Illinois Registrar and in the University of Illinois Student Code. Other Sensitive Data can be shared with the owning unit, other units, other schools, and the government as long as there is a legitimate and documented business need for said parties to see the data in question, but may not be shared with the media.

Internal: Internal Data is defined as "Information that if disclosed or modified without authorization would have moderate adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy." This includes, but is not limited to, information such as research data prior to publication. Internal Data can be shared with the owning unit, other units, other schools, and the government as long as there is a legitimate and documented business need for said parties to see the data in question, but may not be shared with the media.

Public: Information that is classified as public information can be freely shared with the public and posted on publicly viewable web pages.

Legitimate Educational or Business Need: Certain laws such as FERPA, allow the release of particular types of information if there is a legitimate educational need. Other laws allow for the same exception when there is a legitimate business need. There are no concrete rules for what qualifies as either type of legitimate need. If you have any doubts about whether or not the release of certain information would qualify as a legitimate educational or business need, please discuss the issue with your supervisor.

Authorized Individuals: An authorized individual is someone that has been granted access to specific sensitive data either by law, by policy or by the data's custodian. Before you share a copy of sensitive data with someone, it is your responsibility to make sure that individual is authorized to have access to the data.

Encrypted Transport: Most transmissions across the internet and networks (emails, instant messages, etc) are unencrypted. This means that with just a little effort, most hackers can intercept and read those transmissions. By encrypting the message, only the intended recipients can read what you send. Therefore, when sending sensitive data to someone, you need to use an encrypted transport such as PEAR or an encrypted instant messenger service.

Non-University Servers: A server is a computer that stores information that can be accessed by others. Examples of servers include fileshares or an email server that routes and stores all email that is sent to particular addresses. Non-University servers are servers that are not controlled by the University, and therefore, there is an added risk that any sensitive data that is stored on those servers or even passes through those servers, could be lost. Non-University servers are considered a risk, and only more public types of data should be stored or sent through Non-University servers.

Data Custodian: A data custodian is the person, group or unit in charge of protecting and storing particular data. Different types of data have different data custodians. If you are trying to get a copy of a particular piece of data, you should go to the data custodian instead of getting the data from someone else.