Data Classification

Understanding Data and Data Classification

Data is classified into four categories. The definitions are listed below with links to relevant policies and source documentation. More information about these definitions can be found in DAT01 and in this knowledge base article.

Knowing how to work with data safely, securely, and appropriately before engaging in a new project or effort is empowering for you, your peers, and those who have entrusted us with their data.

The University data classification standards help us better understand data types, potential risks, and the best practices we should follow when working with data.

Data Categories

HIGH RISK DATA

Disclosure or modification of High Risk Data without authorization would have a severe adverse effect on the operations, assets, or reputation of the University, or the University’s confidentiality obligations. (University Information Security Standards – DAT01.1.1)

Inappropriate handling of this data could result in criminal or civil penalties, loss of federal funding, reputational damage, identity theft, financial loss, invasion of privacy, and/or unauthorized access to this type of information by an individual or many individuals. High Risk data must only be accessed by those specifically authorized. Fines and costs to the university for a data breach can be in the millions of dollars. Examples of High Risk data include:

SENSITIVE DATA

Disclosure or modification of Sensitive Data without authorization would have a serious adverse effect on the operations, assets, or reputation of the University, or the University’s confidentiality obligations. (University Information Security Standards – DAT01.1.1)

Because of legal, ethical, or other constraints, this data may not be accessed without specific authorization. Only selective access may be granted. The fines and costs to the university for a data breach of this type can be up to a million dollars. Examples of this type of data include:

  • Employee personal information such as home address, email address, telephone
  • Information covered by a Non-Disclosure Agreement (NDA)
  • Network and System Diagrams and Configuration Documents

INTERNAL DATA

Disclosure or modification of Internal Data without authorization would have a moderate adverse effect on the operations, assets, or reputation of the University, or the University’s confidentiality obligations. (University Information Security Standards – DAT01.1.1)

Inappropriate handling of Internal data could result in reputational damage for the university, as well as loss of competitive advantage and higher costs for university business processes. Even some data that eventually becomes part of the public record is legally Internal, such as while certain negotiations are ongoing. Access restrictions should be applied accordingly. Examples of Internal data include:

  • Preliminary drafts, notes, recommendations, memoranda and other records in which opinions are expressed, or policies or actions are formulated
  • Personal information (“PI”) that is not specified as Sensitive or High Risk
  • Other data not listed by any other restricted classification that is exempted from disclosure under the Illinois Freedom of Information Act (FOIA) – (5 ILCS 140/7)

PUBLIC DATA

Information that is classified as public information can be freely shared with the public and posted on publicly viewable web pages.

All FOIA requests must be submitted via information found here:


Is Your Data at Risk?

High risk or sensitive data needs extra care. Once your data is classified, you will understand how that data can be used in the safest possible way. If your data is high risk, sensitive, or internal, ask yourself questions to help reduce the risk of data breach or loss.

Copying or Sharing Data

DO I NEED TO MAKE A COPY OF RESTRICTED DATA?

  • If you can view the restricted data without making a copy on your own computer or making a print copy, do that. Data classified as high risk cannot be stored on your computer unless special permissions are obtained.

DO I NEED TO SHARE RESTRICTED DATA WITH SOMEONE ELSE?

  • Transmitting restricted data creates more copies and increases the risk that it will be intercepted. The university has not approved email as a method to send Sensitive (in particular, student data) or High Risk data because it does not guarantee encryption outside the illinois.edu mail domain.
  • To transfer Sensitive or High Risk data, use a tool approved for that purpose: 
    High Risk data = Box Health Data folder or a Box High Risk Data folder
    Student data = a standard Box folder
  • Take care so that individuals only see data they are authorized to see. Place data for each recipient in a separate folder. (For research collaborators, each project/protocol should be in a separate folder.) Send each recipient an invitation to only the folder with their data.
  • PEAR (Protected Email Attachment Repository) is another tool approved for this purpose when Sensitive (not High Risk) data is being sent within the Illinois system. It is a secure file delivery tool operated by AITS. (https://www.aits.uillinois.edu/services/application_services/PEAR)

HOW LONG DO I NEED TO KEEP A COPY OF RESTRICTED DATA?

  • Unless you need to use the same restricted data on a regular basis (once a week or more), destroy or securely archive any copies.
     

If you need assistance with data classification and risk, send an email to the Governance, Risk and Compliance Team: digitalrisk@illinois.edu

If working with data also means disclosing it to third parties, such as placing University data inside a cloud vendor service, there could also be legal requirements to be met in order to place the data there. You can engage the GRC (Governance, Risk and Compliance) subject matter experts to help you navigate the privacy law requirements. GRC can help you see your project to a successful conclusion.