Understanding Data and Data Classification
Data is classified into four categories. The definitions are listed below with links to relevant policies and source documentation. More information about these definitions can be found in the DAT01 and in this knowledge base article
Knowing how to work with data safely, securely, and appropriately before engaging in a new project or effort is empowering for you, your peers, and to those who have entrusted us with their data.
The University data classification standards help us have better understand data types, potential risks, and best practices we should take when working with data.
HIGH RISK DATA
Inappropriate handling of this data could result in criminal or civil penalties, loss of federal funding, reputational damage, identity theft, financial loss, invasion of privacy, and/or unauthorized access to this type of information by an individual or many individuals. High Risk data must only be accessed by those specifically authorized. Fines and costs to the university for a data breach can be in the millions of dollars. Examples of High Risk data include:
- Banking Information (GLBA)
- Drivers License Number (PIPA)
- Student Health Information (PIPA)
- Genetic Information (GINA, PIPA)
- Biometric Information (PIPA)
- Personal (PII and Online Tracking) Data of individuals in the Republic of China (PIPL)
- Government Classified
- Passwords, Encryption Keys, other authentication and authorization codes
Because of legal, ethical, or other constraints, this data may not be accessed without specific authorization. Only selective access may be granted. The fines and costs to the university for a data breach of this type can be up to a million dollars. Examples of this type of data include:
- Employee personal information such as home address, email address, telephone
- Information covered by a Non-Disclosure Agreement (NDA)
- Network and System Diagrams and Configuration Documents
Inappropriate handling of Internal data could result in reputational damage for the university, as well as loss of competitive advantage and higher costs for university business processes. Even some data that eventually becomes part of the public record is legally Internal, such as while certain negotiations are ongoing. Access restrictions should be applied accordingly. Examples of Internal data include:
- Preliminary drafts, notes, recommendations, memorandum and other records in which opinions are expressed, or policies or actions are formulated
- Other data not listed by any other restricted classification that is exempted from disclosure under the Illinois Freedom of Information Act (FOIA) – (5 ILCS 140/7)
Information that is classified as public information can be freely shared with the public and posted on publicly viewable web pages. All FOIA requests must be submitted via information found here:
Is Your Data at Risk?
High risk or sensitive data needs extra care. Once your data is classified, you will understand how that data can be used in the safest possible way. If your data is high risk, sensitive, or internal, ask yourself questions to help reduce the risk of data breach or loss.
Copying or Sharing Data
DO I NEED TO MAKE A COPY OF RESTRICTED DATA?
- If you can view the restricted data without making a copy on your own computer or making a print copy, do that. Data classified as high risk cannot be stored on your computer unless special permissions are obtained.
DO I NEED TO SHARE RESTRICTED DATA WITH SOMEONE ELSE?
- Transmitting restricted data creates more copies and increases the risk that it will be intercepted. The university has not approved email as a method to send Sensitive (in particular, student data) or High Risk data because it does not guarantee encryption outside the illinois.edu mail domain.
- To transfer Sensitive or High Risk data, use a tool approved for that purpose:
High Risk data = Box Health Data folder or a Box High Risk Data folder
Student data = a standard Box folder
- Take care so that individuals only see data they are authorized to see. Place data for each recipient in a separate folder. (For research collaborators, each project/protocol should be in a separate folder). Send each recipient an invitation to only the folder with their data.
- PEAR (Protected Email Attachment Repository) is another tool approved for this purpose when Sensitive (not High Risk) data is being sent within the Illinois system. It is a secure file delivery tool operated by AITS. (https://www.aits.uillinois.edu/services/application_services/PEAR)
HOW LONG DO I NEED TO KEEP A COPY OF RESTRICTED DATA?
- Unless you need to use the same restricted data on a regular basis (once a week or more), destroy or securely archive any copies.
If you need assistance with data classification and risk, send an email to the Governance, Risk and Compliance Team: firstname.lastname@example.org
If working with data also means disclosing it to third parties, such as placing University data inside a cloud vendor service, there could also be legal requirements to be met in order to place the data there. You can engage the GRC (Governance, Risk and Compliance) subject matter experts to help you navigate the privacy law requirements. GRC can help you see your project to a successful conclusion.