Data Classification

Understanding data and data classification

Data is classified into four categories. More information about these definitions can be found in the University Information Security Standards – DAT01.1.1 and in this KnowledgeBase article.

Knowing how to work with data safely, securely and appropriately before engaging in a new project or effort is empowering for you, your peers and those who have entrusted us with their data. The university data classification standards help us to better understand potential risks and to use best practices we should take when working with data.  

If you need assistance with data classification and risk, send an email to digitalrisk@illinois.edu.

If working with data also means disclosing it to third parties, such as placing university data inside a cloud vendor service, there could also be legal requirements to be met in order to place the data there. You can engage subject matter experts to help you navigate requirements. The Governance, Risk and Compliance team can help you see your project to a successful conclusion.

High risk data

Disclosure or modification of high risk data without authorization would have severe adverse effect on the operations, assets or reputation of the university or the university’s confidentiality obligations. See University Information Security Standards – DAT01.1.1

Inappropriate handling of this high risk data could result in criminal or civil penalties, loss of federal funding, reputational damage, identity theft, financial loss, invasion of privacy and/or unauthorized access to this type of information by an individual or many individuals. High risk data must only be accessed by those specifically authorized. Fines and costs to the university for a data breach can be in the millions of dollars. Examples include:

Sensitive data

Disclosure or modification of sensitive data without authorization would have serious adverse effect on the operations, assets or reputation of the University, or the University’s confidentiality obligations. (University Information Security Standards – DAT01.1.1)

Because of legal, ethical or other constraints, this data may not be accessed without specific authorization. Only selective access may be granted. The fines and costs to the university for a data breach of this type can be up to a million dollars. Examples of this type of data include:

  • Employee personal information such as home address, email address, telephone
  • Information covered by a Non-Disclosure Agreement
  • Network and system diagrams and configuration documents

Internal data

Disclosure or modification of internal data without authorization would have moderately adverse effects on the operations, assets or reputation of the University, or the University’s confidentiality obligations. (University Information Security Standards – DAT01.1.1)

Inappropriate handling of internal data could result in reputational damage for the university, as well as loss of competitive advantage and higher costs for university business processes. Even some data that eventually becomes part of the public record is legally internal, such as while certain negotiations are ongoing. Access restrictions should be applied accordingly. Examples of Internal data include:

  • Preliminary drafts, notes, recommendations, memorandum and other records in which opinions are expressed, or policies or actions are formulated
  • Personal information that is not specified as sensitive or high risk.
  • Other data not listed by any other restricted classification that is exempted from disclosure under the Illinois Freedom of Information Act – (5 ILCS 140/7)

Public data

Information that is classified as public information can be freely shared with the public and posted on publicly viewable web pages.

All FOIA requests must be submitted via information found here:


Ask questions about your data to use it safely

High risk or sensitive data needs extra care. Once your data is classified, you will understand how that data can be used in the safest possible way. If your data is high risk, sensitive or internal, ask yourself questions to help reduce the risk of data breach or loss.

Do I need to make a copy of restricted data?

  • If you can view the restricted data without making a copy on your own computer or making a print copy, do that. Data classified as high risk cannot be stored on your computer unless special permissions are obtained.

Do I need to share restricted data with someone else?

  • Transmitting restricted data creates more copies and increases the risk that it will be intercepted. The university has not approved email as a method to send sensitive (in particular, student data) or high risk data because it does not guarantee encryption outside the illinois.edu mail domain.
  • To transfer sensitive or high risk data, use a tool approved for that purpose: 
    High risk data = Box Health Data folder or a Box High Risk Data folder
    Student data = a standard Box folder
  • Take care so that individuals only see data they are authorized to see. Place data for each recipient in a separate folder. (For research collaborators, each project/protocol should be in a separate folder). Send each recipient an invitation to only the folder with their data.
  • The Protected Email Attachment Repository is another tool approved for this purpose when sensitive (not high risk) data is being sent within the Illinois system. It is a secure file delivery tool operated by AITS. (https://www.aits.uillinois.edu/services/application_services/PEAR)

How long do I need to keep a copy of restricted data?

  • Unless you need to use the same restricted data on a regular basis (once a week or more), destroy or securely archive any copies.
     

If you need assistance with data classification and risk, send an email to digitalrisk@illinois.edu.

If working with data also means disclosing it to third parties, such as placing university data inside a cloud vendor service, there could also be legal requirements to be met in order to place the data there. You can engage subject matter experts to help you navigate the privacy law requirements. The Governance, Risk and Compliance team can help you see your project to a successful conclusion.