Information Security: Data Classification

Original Issuance Date: September 14, 2016
Last Revision Date: March 2, 2022

1. Purpose of Procedure

This document outlines a method to classify data according to risk to the University of Wisconsin System and assign responsibilities and roles that are applicable to data governance.

2. Responsible UW System Officer

Associate Vice President (AVP) for Information Security

3. Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:

• Compensating Control
• Data Steward
• Low Risk
• Moderate Risk
• High Risk

4. Procedures

A. Data steward requirements

These standards establish a minimum baseline for data classification across UW System. Each institution shall identify a qualified Data Steward(s) for each data domain controlled by the institution. For the purpose of these standards, it is the responsibility of the Data Steward to work with Security, Privacy, and/or Data Officers to assure that the data is classified appropriately.

i. UW System will provide Data Steward training materials. Each institution shall train their Data Stewards to ensure that they understand their responsibilities and to enhance consistent classification of data.

ii. Each data steward must identify the major system(s) where their data resides, classify those systems according to the classifications defined in UW System Administrative Policy 1031, Information Security: Data Classification and Protection, document this classification in a hard copy or electronic format, and ensure appropriate controls and implemented.

iii. Data stewards shall review data classification(s) at least annually (365 days).

B. FERPA

Data covered by the Family Educational Rights and Privacy Act (FERPA) may contain elements from multiple classifications (i.e. data sets). The composition of these data sets may result in either a moderate or a high risk data classification. In these cases, protections prescribed by federal law will take precedence.

C. Data Element Examples

I. High Risk:

• information protected from unauthorized disclosure by legislation such as the Health Insurance Portability and Accountability Act (HIPAA), or industry standards such as Payment Card Industry Data Security Standard (PCI DSS);
• information referenced in s. 134.98, Wis. Stats.. An individual’s last name and the individual’s first name or first initial, in combination with and linked to any of the following elements, if the element is not publicly available information and is not encrypted, redacted, or altered in a manner that renders the element unreadable:
• Social Security Numbers;
• driver’s license numbers or state identification number
• financial account numbers, including a credit card or debit card account number, or any security code, access code, or password that would permit access to the financial account; or
• deoxyribonucleic acid profile (as defined in s. 939.74(2d)(a)), Wis. Stats.;
• protected health information (e.g., any information about the health status, provision of health care, or payment, excepting workers compensation);
• personal identifiable information (e.g., an individual’s first name and last name, Social Security numbers, Driver’s license number);
• student educational records regulated under FERPA in conjunction with identifying references such as Social Security numbers or student identification numbers (excluding directory data);
• trade secrets or information which the UW System, by choice, contract, or other agreement, has committed to ensuring confidentiality;
• information and/or documentation where release would significantly impair the ability to secure the UW System data, operations and facilities;
• University information that is statutorily exempt from public records requests per s. 19.31, Wis. Stats.

II. Moderate Risk:

• information that is proprietary or produced only for use by members of the UW System community, such as project plans, email reports, and procedure documents plans;
• student educational records without identifying references;
• FERPA-related information not specifically classified as high risk;
• institutionally developed and/or owned computer applications and/or source code not designated as in the public domain;
• directory information for employees who have chosen to withhold their personal information;
• information used for internal purposes or exchanged pursuant to contract that is not considered high risk, such as drafts;
• donor or other third-party partner information maintained by the University;
• proprietary financial, budgetary or personnel information not explicitly authorized for public release;
• emails and other communications regarding internal UW System matters which have not been specifically approved for public release;
• unpublished research data not considered high risk.

III. Low Risk:

• published “white pages” directory information;
• university approved maps, university websites or brochures intended for public use;
• university approved course catalogs and timetables;
• university approved press releases; and
• institutional statements and other reports filed with federal or state authorities and generally available to the public.

5. Related Documents

Regent Policy Document 25-5, Information Technology:  Information Security
UW System Information Security Program
UW System Administrative Policy 1031, Information Security: Data Classification and Protection

UW System Administrative Policy 1031.B, Information Security: Data Protection Standard
Information Security Compensating Control Request Form

6. History

Revision 5: March 2, 2022

Revision 4: November 13, 2020

Revision 3: December 9, 2019
Revision 2: January 9, 2019
Revision 1: July 31, 2017
First approved: September 14, 2016