Policy Number: 12-011
Data Classification Policy
Category: Information Technology
Responsible Executive: Vice President and Chief Information Officer
Responsible Office: Vice President and Chief Information Officer
- Purpose To provide the basis for protecting the confidentiality of data at the University of Florida by establishing a data classification system. Further policies and standards will specify handling requirements for data based on their classification.
- Applicability This standard applies to all data or information that is created, collected, stored or processed by the University of Florida, in electronic or non-electronic formats.
- Definitions University of Florida Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of the information security program.
- Policy Statement All data at the University of Florida shall be assigned one of the following classifications. Collections of diverse information should be classified as to the most secure classification level of an individual information component with the aggregated information.
- Restricted: Data in any format collected, developed, maintained or managed by or on behalf of the university, or within the scope of university activities, that are subject to specific protections under federal or state law or regulations or under applicable contracts. Examples include, but are not limited to medical records, social security numbers, credit card numbers, Florida driver licenses, non-directory student records and export controlled technical data.
- Sensitive: Data whose loss or unauthorized disclosure would impair the functions of the university, cause significant financial or reputational loss or lead to likely legal liability. Examples include, but are not limited to, research work in progress, animal research protocols, financial information, strategy documents and information used to secure the university’s physical or information environment.
- Open: Data that does not fall into any of the other information classifications. This data may be made generally available without specific information owner’s designee or delegate approval. Examples include, but are not limited to, advertisements, job opening announcements, university catalogs, regulations and policies, faculty publication titles and press releases.
Additional Resources
DATA CLASSIFICATION GUIDELINES
The Data Classification Policy specifies that all university data must be assigned one of three levels based upon confidentiality requirements: Open, Sensitive or Restricted. Data trustees are given the responsibility of appropriately classifying data in accordance with policy
The classification should be a list of specific data types used within a unit, corresponding classifications, and any special handling specifications. The task of preparing the classification may be delegated, but the data owner must explicitly approve the final document. This classification must be documented and communicated with data users and custodians. Data custodians then apply appropriate controls based on these classifications, and data users comply with the use requirements.
Controls appropriate to the different data classifications are specified in information security policies and standards. Data classifications, including ‘Open’, are not related to the applicability of public records laws to specific data. All requests for public records are to be forwarded to the University General Council, regardless of the classification of requested data.
Initial Classification
Data owners can use the table below as an initial classification of data within their unit. Data types that have classifications mandated (due to applicable laws, regulations or contracts) and those that are in common use throughout the university are included. Data owners must add any other data types used in the unit.
Data Type | Classification | Justification |
---|---|---|
Student records (non-directory) | Restricted | FERPA |
Patient health or dental records (identifiable) | Restricted | HIPAA |
Patient billing records | Restricted | HIPAA |
Export Controlled data | Restricted | ITAR, EAR |
Credit card cardholder data | Restricted | PCI, FISA (F.S. 501.171) |
Social Security Numbers1 | Restricted | FIPA (F.S. 501.171) Fla. Stat. 119.071 |
Personally Identifiable Information (PII defined by FIPA) | Restricted | FIPA (F.S. 501.171) |
Animal research protocols | Sensitive | Competitive and commercial potential, security concerns |
De-identified patient information2 | Sensitive | HIPAA |
System security plans | Sensitive | Protective information |
Unpublished research results | Sensitive | Competitive and commercial potential |
Exams (question banks and answer keys) | Sensitive | Exam integrity |
Employee data (not including SSN) | Sensitive | Employee privacy |
UF Directory (students & staff) | Open | FERPA |
University regulations | Open | Intended for public use |
Course catalog | Open | Intended for public use |
Public web sites | Open | Intended for public use |
1. Use and/or storage of social security numbers must be approved by the UF Privacy Office. See http://privacy.ufl.edu/SSNPrivacy.html↩
2. In order to be considered de-identified, data must meet requirements in the UF Privacy Office Operational Guidelines http://privacy.ufl.edu/uf-health-privacy/policies-procedures/operational-guidelines/↩
Definitions
Data owner: Senior leadership, typically at the dean, director or department chair level, with the ultimate responsibility for the use and protection of university data.
Data custodian: The staff member, typically one primarily responsible for IT, that is responsible for implementation of security controls for university data.
Data user: Any member of the university community that has access to university data, and thus is entrusted with the protection of that data.
References
- UF Data Classification Policy
- HIPAA
- FERPA
- PCI
- FIPA (Florida Information Protection Act of 2014), Florida Statute 501.171 Security of confidential
- ITAR
- EAR
More Information
Data Classification Guidelines
History
HISTORY
Revision Date | Description |
---|---|
April 26, 2012 | Policy originally adopted |
Policy updated |