Original Issuance Date: December 1, 2023
Last Revision Date: December 1, 2023
Effective Date: December 1, 2024
1. Purpose of Guidelines
These guidelines provide a list of data classification examples.
2. Publishing Office(s)
UW System Office of Information Security
3. Affected Stakeholders on Campus
This guidance is applicable to all UW System institutions, including UW System Administration. In particular, this guidance applies to those who are responsible for classifying and protecting institutional data.
4. Primary Responsibility
Data Stewards responsible for overseeing the lifecycle of one or more data domains and principal investigators overseeing one or more sets of research data should use the following data classification examples to guide their data classification efforts and classify data in a consistent manner.
5. Guidelines
Data classification should be applicable to a data set, depending on its intended use and its combination with other data. Data Stewards need to use their best judgment when choosing how to classify data, as data sets may at times fall into a higher data classification depending on the situation.
The following are examples of data sets and, where appropriate, data elements expected to fall within each data classification. This list is non-exhaustive.
A. Public (Low Risk)
- University websites, maps, or brochures intended for public use
- Course catalogs and timetables
- Degree program requirements
- Directory information
- University-approved press releases
- Final budget data
- Published research data
B. Internal (Low Risk)
- Course evaluation summary results for a program or department
- Draft, preliminary, and unofficial budget data
- Funding strings, purchase requisitions, and purchase orders
- Facility-, floor-, and space-level data including facility and room square footage, organizational assignments, space use, and function
- Data elements that are not covered by specific regulation but can be used to uniquely identify an individual and that the individual or university policy does not allow for public disclosure
C. Sensitive (Moderate Risk)
I. Student Educational Records regulated by FERPA
Non-Directory student data subject to the Family Educational Rights and Privacy Act (FERPA), including:
- Graded work, grade book, etc.
- Name and preferred name
- Date of birth
- Place of birth
- Directory address and phone number
- Electronic mail address
- Mailing address
- Campus office address (for graduate students)
- Secondary mailing or permanent address
- Residence assignment and room or apartment number
- Dates of attendance, i.e. specific semesters of registration
- Enrollment status
- UW degree(s) awarded and date(s)
- Major(s), minor(s) and field(s)
- University degree honors
- Institution attended immediately prior to UW
- ID card photographs for university classroom use
- Student Identifier (unique identifier for all students)
- College and class
II. Student Directory Opt-Out Data
Note that the following data may ordinarily be revealed by the university for Directory Information purposes without student consent unless the student designates otherwise. If the student designates otherwise, then the following data elements must be treated as Sensitive data:
- Name and preferred name
- Directory address and phone number
- Dates of attendance, i.e. specific quarters or semesters of registration
- Enrollment status, i.e. college, class (freshman, sophomore, etc.)
- UW degree(s) awarded and date(s)
- College and class
- Major(s), minor(s) and field(s) of study
- University degree honors and awards management data
III. Faculty and staff reviews and performance evaluations
IV. Research data not otherwise classified
V. Research protocols containing proprietary information
D. Restricted (High Risk)
- Information that must be reported to the state if disclosed, according to Wis. Stat. § 134.98
- Personal Information
Personal Information that consists of an individual’s last name, and the individual’s first name or first initial, in combination with and linked to any one or more of the following data elements:
- Social Security number or partial Social Security number
- Driver’s license number
- State identification card number
- Passport number
- United States Permanent Resident Card or similar identification
- Student Identifier
- Financial account number
- Credit/debit card number
- Unique biometric information, including:
  - DNA or deoxyribonucleic acid profile, as defined in Wis. Stat. § 939.74(2d)(a)
  - Fingerprint, voice print, retina or iris image
  - Any other unique physical representation
III. Protected Health Information (PHI) regulated under the Health Insurance Portability and Accountability Act (HIPAA)
- Patient names
- Street address, city, county, zip code
- Dates (except year) related to an individual (e.g. clinical encounters)
- E-mail, URLs, & IP addresses
- Social Security numbers or partial Social Security numbers
- Account/Medical record numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Vehicle IDs & serial numbers
- Device IDs & serial numbers
- Biometric identifiers
- Full face images associated with HIPAA records
- Payment guarantor’s information
- Any PHI not de-identified per the Safe Harbor De-Identification method listed in the university HIPAA Policy
IV. Employee Information
Information pertaining to employees of UW System, including the following data elements:
- Social Security number or partial Social Security number
- Direct deposit information
- Home address or personal contact information
- Benefits information
- Worker’s compensation or disability claims
V. Legal Information
VI. Student Educational Records (FERPA)
FERPA Restricted Non-Directory Data
- Transcripts
- Student financial services information
- Credit card numbers/Bank account numbers/Debit card numbers
- Birth name is Restricted if a preferred name is selected
- Wire transfer information
- Payment history
- Financial Aid/Grant information
- Student tuition bills
VII. General Data Protection Regulation (GDPR)
Personal Data protections apply to European Union residents, permanent or temporary, regardless of citizenship. Includes any information relating to an identified or identifiable person (data subject). Applies to all individuals regardless of student or employee status. Applies to all data that alone or in combination identifies a person directly or indirectly, including but not limited to:
- An identification number such as a passport, national ID, or driver’s license number
- Location data such as home address
- An online identifier such as email or IP address
- Any data specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person such as a photo, social media profile, political opinions, or religious beliefs
VIII. Donor Information
- Name
- Credit card numbers/Debit card numbers
- Bank account numbers
- Social Security numbers or partial Social Security numbers
- Amount/what donated
- Telephone/Fax numbers
- Employment information
- Family information (spouse(s)/children/grandchildren)
- Medical history
IX. Housing Data
- Name when in combination with:
  - Credit rating/history
  - Financial worth; Income levels and sources, etc.
X. Research Information
- Lab animal care information
- Proprietary data as classified by an industry sponsor
XI. UW proprietary or 3rd party information
XII. Business Information
- Credit card numbers; Bank account information
- Proprietary data covered by confidentiality or non-disclosure agreements such as but not limited to: Contracts or proposals; project specifications; proprietary company data; models, figures, illustrations.
- Purchasing card (P-card) numbers
- Social Security or other taxpayer ID numbers
- Contract information (between UW and third parties)
XIII. Federal Information Security Management Act (FISMA) Data
XIV. Controlled Unclassified Information (CUI)
XV. Export Controlled Research Information
- Any information labelled Export Controlled or ITAR USML Category or EAR CCL ECCN or any DoD Distribution Statement other than A.
- Information or technology subject to the authorization requirements of 10 CFR part 810, or Restricted data as defined in section 11 y. of the Atomic Energy Act of 1954, as amended, or of other information, data, or technology the release of which is controlled under the Atomic Energy Act and regulations therein.
- Proprietary or 3rd Party information not in the public domain or being published must be protected until an export classification determination is complete.
XVI. Data Posing a Threat to Health and Safety
- Bio Toxins
6. Contact
Institutional Data Stewards, Principal Investigators
7. Guideline History
Original Issuance: December 1, 2023
8. Scheduled Review
December 2028