UW-Madison - IT - Data Classification Policy
The Data Classification Policy applies to anyone handling UW-Madison data.
There are four data classifications. From highest to lowest risk they are: Restricted (significant risk), Sensitive (moderate risk), Internal (some risk), and Public (little or no risk).
UW-Madison is adjusting the data classifications. A revision of the policy is in progress. In the meantime, here are the classifications as defined by the Data Stewardship Council.
Data should be classified as Restricted when the unauthorized disclosure, alteration, loss or destruction of that data could cause a significant level of risk to the University, affiliates or research projects. Data should be classified as Restricted if:
- protection of the data is required by law or regulation, or
- UW Madison is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed.
Data should be classified as Sensitive when the unauthorized disclosure, alteration, loss or destruction of that data could cause a moderate level of risk to the University, affiliates or research projects. Data should be classified as Sensitive if the loss of confidentiality, integrity or availability of the data could have a serious adverse effect on university operations, assets or individuals.
Data should be classified as Internal when the unauthorized disclosure, alteration, loss or destruction of that data could result in some risk to the University, affiliates, or research projects. By default, all Institutional Data that is not explicitly classified as Restricted, Sensitive or Public data should be treated as Internal data.
Data should be classified as Public prior to display on web-sites or once published without access restrictions; and when the unauthorized disclosure, alteration, loss or destruction of that data would result in little or no risk to the University and its affiliates.
The current policy identifies many specific data elements as being Sensitive, of which six of are identified as Restricted. These are still accurate as a starting point for classification. It is the process of classifying data that has changed.
The most significant change to the policy is to use the default classifications of data elements as a starting point, and then adjust the classification of a data set based on the combination of data elements present, the regulatory environment, etc. Context is important.
Until the policy is revised, please continue to use the list of sensitive and restricted data elements as they are documented below. These are still accurate as a starting point for classification.
In addition to the information identified below, there are times when a data field is not considered sensitive when used alone but may be so when paired with other data. An example is date of birth. Date of birth is not considered sensitive when it stands alone but if it is available along with social security number and name it is considered sensitive.
Sensitive information may be subject to disclosure under certain circumstances. The University appropriately seeks to maintain systems that protect sensitive information in order to meet a variety of goals.
The data types listed below are those identified as of 6/22/2010.[i]
Sensitive Information means:
- Institutional Data that could, by itself or in combination with other such Data, be used for identity theft, fraud, or other crimes, including but not limited to,
- Social security numbers
- Drivers license numbers and state resident/personal identification numbers
- Financial account number (including credit/debit card) or any security code, access code or password that would permit access to an individuals financial account
- Deoxyribonucleic acid profile, as defined in WI S. 939.74(2d)(a)
- Unique biometric data, including fingerprint, voice print, retina or iris image or any other unique physical representation
- Protected health information (any information about the health status, provision of health care, or payment for health care) (except workmans comp)
Other Data Types:
- Passport numbers and alien registration numbers
- Employee and student identification numbers
- Health insurance identification numbers provided by insurance carriers
- Military ID number
- Personal information such as date of birth and mothers maiden name
- Digitized signatures (ink signatures that have been digitized)
- Garnishments, tax levies, wage assignments
- Beneficiaries, retirement account allocations and investments
Institutional Data whose public disclosure is restricted by law, contract, University policy, professional code, or practice within the applicable unit, discipline, or profession, including but not limited to:
- Student educational records (including official photos)
- Information in a persons medical record
- Human subjects research information, if the subjects have been promised anonymity
- Trade secrets or other proprietary business information owned by a third party and provided to the University upon a promise of confidentiality for the conduct of research, testing, or training, or in connection with a potential investment or transfer of technology by the University
- Proprietary computer applications or source code to which the University holds a license that restricts further or public distribution
- Exam questions and answers/scoring keys until distributed by the professor
- Bids and proposals until they are opened or the deadline for their submission has passed
- Employment data such as retirement account allocations and investments and designations of beneficiaries
- Employee home address where an employee has asked it not be released
- Documentation of grievance, arbitration, and disciplinary proceedings
- Information about pending research misconduct proceedings
- Financial aid applications and related tax and financial information
- Information and records protected by the attorney-client privilege
- Law enforcement investigation records
- Information disclosed under the Universitys conflict of interest policies
- Information from a consumer report
- Information derived from servicing or collecting loans from, or accounts payable to, the University
- Data related to those sensitive knowledge, technologies, equipment, software, biological agents or related services that are subject to United States Government export controls
University and personal security measures, including but not limited to,
- Passwords for access to University facilities or computer systems
- Security codes and combinations for locks
- Key codes
- Security plans
- Security procedures
- Threat assessments and preparedness strategies
- Law enforcement deployment plans
- Operational instructions for law enforcement officers and other emergency personnel
Institutional Data whose value would be lost or reduced by disclosure in advance of the time prescribed for its authorized public release, or whose disclosure would otherwise adversely affect the University financially, including but not limited to,
- Research data or results prior to publication or the filing of a patent application
- Non-patentable technical information or know-how that enhances the value of a patented invention or that has independent commercial value
- Information relating to the Universitys intention to buy, sell, or lease property whose disclosure could increase the cost of that property for the University or decrease what the University realizes from that property (like real property appraisals)
- Computer applications to which the University owns the code
Please address questions or comments to email@example.com.
ReferencesIT Policy Glossary: https://kb.wisc.edu/itpolicy/glossary
- The definitions in this document are directly derived from work done at the Michigan State University. Our thanks to them for allowing us to use their work.
- Restricted Data includes Personal Identifying Information (PII) as specified in Wisconsin’s data Breach Notification Law (statute Section 134.98), plus Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA). Sensitive Information includes Restricted Data, but Restricted Data receives additional protection.