The University’s data classification standard helps each of us have better awareness and understanding of types of data, potential risks, legal requirements, and best practices.
Understanding Data and Data Classification
Data is classified into four categories. The definitions are listed below with links to relevant policies and source documentation. More information about these definitions can be found in DAT01 and in this knowledge base article: https://answers.uillinois.edu/page.php?id=63588
Data Categories
High Risk Data
Inappropriate handling of this data could result in criminal or civil penalties, loss of federal funding, reputational damage, identity theft, financial loss, invasion of privacy, and/or unauthorized access to this type of information by an individual or many individuals. High Risk data must only be accessed by those specifically authorized. Fines and costs to the university for a data breach can be in the millions of dollars. Examples of High Risk data include:
- Personal Health Information (HIPAA)
- Credit Card Information (PCI-DSS)
- Banking Information (GLBA)
- Export Control (EAR/ITAR)
- Social Security Number (PIPA)
- Driver's License Number (PIPA)
- Student Health Information (PIPA)
- Genetic Information (GINA, PIPA)
- Biometric Information (PIPA)
- Personal (PII and Online Tracking) Data of individuals in the European Union (GDPR)
- Personal (PII and Online Tracking) Data of individuals in the Republic of China (PIPL)
- Government Classified
- Passwords, Encryption Keys, other authentication and authorization codes
Sensitive Data
Because of legal, ethical, or other constraints, this data may not be accessed without specific authorization. Only selective access may be granted. The fines and costs to the university for a data breach of this type can be up to a million dollars. Examples of this type of data include:
- Student Records (FERPA)
- Employee personal information such as home address, email address, telephone
- Information covered by a Non-Disclosure Agreement (NDA)
- Network and System Diagrams and Configuration Documents
Internal Data
Inappropriate handling of Internal data could result in reputational damage for the university, as well as loss of competitive advantage and higher costs for university business processes. Even some data that eventually becomes part of the public record is legally Internal, such as while certain negotiations are ongoing. Access restrictions should be applied accordingly. Examples of Internal data include:
- Unpublished Research Data
- Intellectual Property
- Preliminary drafts, notes, recommendations, memoranda, and other records in which opinions are expressed, or policies or actions are formulated
- Other data not listed by any other restricted classification that is exempted from disclosure under the Illinois Freedom of Information Act (FOIA) - (5 ILCS 140/7)
Public Data
Information that is classified as public information can be freely shared with the public and posted on publicly viewable web pages. All FOIA requests must be submitted via information found here: