Sensitive Data Classification
Data are some of the most valuable assets of U-M, and they need to be protected accordingly to prevent theft, compromise, or inappropriate use. The level of protection is mostly driven by legal, academic, financial, and operational requirements, and is based on the criticality and risk levels of the data. Protecting data assets while supporting U-M's academic, administrative, research, and clinical missions that require collaboration and open sharing of knowledge—often across the world—can be a difficult balancing act. The University of Michigan takes seriously its commitment to protect the privacy of its students, faculty, and staff as well as to protect the security of information critical to U-M's core missions.
One of the most important steps in protecting data appropriately is to determine and assign classification levels to U-M's most important data classes. Data classification provides a framework for managing university-owned or institutional data assets based on value and associated risks. Several U-M IT policies deal specifically with defining sensitive institutional data and the requirements for handling such data.
U-M Data Classifications
Not all data are the same. Some data require a higher level of management and protection. The three university data classifications as defined in SPG 601.12 – Institutional Data Resource Management Policy are:
Moving to New Classifications
Several of U-M's IT policies are being revised and updated. As part of that effort, the university is moving toward use of the following four data classification levels: restricted, high, moderate, and low.
The restricted level encompasses information and data that are covered by specific prescriptive information security controls and the most stringent legal or regulatory requirements.
Risk Level of Disclosure or Unauthorized Access: Severe harm to individuals and the university; could expose the university and individual staff to criminal and civil liability.
The high level encompasses information and data that are both individually identifiable and highly sensitive or confidential, and usually subject to legal or regulatory compliance.
Risk Level of Disclosure or Unauthorized Access: Significant harm to individuals or the university; could expose the university and individual staff to criminal and civil liability.
The moderate level encompasses information and data that are individually identifiable, include confidential or proprietary institutional records, or are subject to contractual agreements or legal or regulatory compliance.
Risk Level of Disclosure or Unauthorized Access: Moderate harm to individuals or the university; some risk that the university could be exposed to civil liability.
The low level encompasses public information and university business data that generally anyone, regardless of institutional affiliation, can access without limitation.
Risk Level of Disclosure or Unauthorized Access: Disclosure to the general public poses little to no risk to the University’s reputation, resources, services, or individuals.
Sensitive Data Resources
Table: Sensitive Data Examples
The table below has one column for the different roles of individuals at U-M and another for types of sensitive data. The Role at U-M column links to sensitive data types or elements typically associated with specific roles or populations on campus as well as guidance about responsibility for protecting such data. The Sensitive Data Types column contains links which identify and define the category and list common data elements typically associated with each type.
U-M Information Technology Policies and Guidelines