Data Classification and Handling Standard
- Reference Number: IS-S302
- Responsible Office: Information Security Office
- Version #: 003
- Effective Date: 9-October-2017
- Last Updated: 31-May-2019
NOTE: IF YOU NEED INFORMATION ON WHERE ANY REGULATED DATA TYPES CAN BE STORED, PLEASE CHECK WITH THE APPROPRIATE COMPLIANCE OFFICE.
The University of Arizona takes seriously its commitment to respect and protect the privacy of its students, alumni, faculty and staff, as well as to protect the confidentiality of information important to the University's academic and research mission. For that reason, UA has classified its information assets into the categories Regulated, Confidential, Public, and Internal for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access.
Use these criteria to determine which data classification is appropriate for a particular information asset.
Regulated Data: Data protected or controlled by federal, state, local, and/or industry laws or regulations. These data are affected by data breach notification laws and contractual provisions in government research grants, which impose legal and technical restrictions on the appropriate use of institutional information.
- Social Security Numbers
- Credit Card Numbers
- Financial/Banking Account Numbers
- Driver's License Numbers
- Health Insurance Policy ID Numbers
- Data regulated under FERPA, FISMA, ITAR/EAR, HIPAA, GLBA, GDPR
Access limited to those permitted under law, regulation and UA policies, and with a need to know.
- Encryption: NIST-approved encryption is required when transmitting information through a network. Regulated numbers may be redacted instead of encrypted.
- Wireless Network: Wireless transmission of data must be approved by the appropriate compliance officers and/or the Information Security Officer. If approved, NIST-approved encryption is required. Regulated numbers may be redacted instead of encrypted.
- Email: NIST-approved encryption is required for all Regulated Data. Third-party email services are not appropriate for transmitting Regulated Data. Regulated numbers may be redacted instead of encrypted.
Encryption is required for storage of Regulated Data. Regulated numbers may be redacted instead of encrypted.
Confidential Data: Data protected as Confidential by contracts, or third-party agreement or otherwise designated by the University for confidential treatment. Unauthorized disclosure, alteration, or destruction of this data type could cause a significant level of risk to the University or its affiliates.
- Applicant, alumni, donor, potential donor and parent data
- Human Subject Research data
- Restricted or unpublished research data
- Data protected by confidentiality agreements
- Law enforcement or court records and confidential investigation records
- Citizen or immigration status
- Detailed information about certain University buildings, activities or events, including facility security system details
Access limited to those with a need to know, at the discretion of the data owner or custodian.
- Encryption: Encryption is strongly recommended when transmitting information through a network. Third-party email services are discouraged for transmitting Confidential Data.
- Wireless Network: Encryption is strongly recommended when transmitting information through a wireless network. Third-party email services are discouraged for transmitting Confidential Data.
- Email: Encryption is strongly recommended when emailing Confidential Data. Third-party email services are discouraged for transmitting Confidential Data.
Encryption is strongly recommended. If the appropriate level of protection is not known, check with the data steward and/or the Information Security Office before storing Confidential Data unencrypted. Third-party processing or storage services may receive or store Confidential Data if UA has a valid contract with the vendor that specifies appropriate storage of Confidential Data.
Internal Data: Data not intended for public use or exposure. Internal data generally should not be disclosed outside of the University without the permission of the person or group that created the data. Any data not specifically classified as Regulated, Confidential, or Public should be considered Internal.
- Proprietary University information, produced for use only by UA community members (e.g., Employee ID numbers, CatCard numbers)
- Internal operating procedures and operational manuals
- Internal memoranda, emails, reports and other documents
- Contact lists that contain information that is not publicly available
- Technical documents, such as system configurations
Access limited to members of the UA community.
- Encryption: No encryption is required for the transmission of Internal Data.
- Wireless Network: Wireless transmission of Internal Data permissible.
- Email: Email of Internal Data permissible.
No encryption is required for the storage of Internal Data. Care should still be taken to protect the integrity of Internal Data.
Public Data: Data that may be disclosed to any person, regardless of affiliation with the University. Some level of control is required to protect the integrity and availability of Public data (e.g., protecting original (source) documents from unauthorized modification).
- Public-facing web pages
- Directory data (e.g., contact information)
- Press releases
- Course information
- Dates of attendance
- Application and request forms
- Maps, newsletters, newspapers and magazines
Open access to public information. However, care should always be taken to use all University information appropriately and to respect all applicable laws. Information that is subject to copyright must only be distributed with the permission of the copyright holder.
- Encryption: No encryption is required for the transmission of Public Data.
- Wireless Network: Wireless transmission of Public Data permissible.
- Email: Email of Public Data permissible.
No encryption is required for the storage of Public Data. Care should still be taken to protect the integrity of Public Data.
III. Revision History
- Revision 1: 11/15/08
- Effective 7/1/09
- Revision 2: 5/1/15
- Effective 5/1/15
- Revision 3: 10/9/17
- Effective 10/9/17
For additional guidance, please view our Secure Electronic Sharing of Personal Information Guideline (ISO-1200-G1) on our Confluence space (NetID+ required).
Caution: When sharing and storing files, ensure access is limited to only individuals for whom the information is intended.
For information or guidance on data classification and handling, please contact the Information Security Office Governance, Risk and Compliance (ISO-GRC) Team at (520) 626-8324 or ISO-Compliance@email.arizona.edu.