Sensitive Data Classification
Data are some of the most valuable assets of U-M, and they need to be protected accordingly to prevent theft, compromise, or inappropriate use. The level of protection is mostly driven by legal, academic, financial, and operational requirements, and is based on the criticality and risk levels of the data. Protecting data assets while supporting U-M's academic, administrative, research, and clinical missions that require collaboration and open sharing of knowledge—often across the world—can be a difficult balancing act. The University of Michigan takes seriously its commitment to protect the privacy of its students, faculty, and staff as well as to protect the security of information critical to U-M's core missions.
One of the most important steps in protecting data appropriately is to determine and assign classification levels to U-M's most important data classes. Data classification provides a framework for managing university-owned or institutional data assets based on value and associated risks. Several U-M IT policies deal specifically with defining sensitive institutional data and the requirements for handling such data.
- The goal of data classification policy is to allow users to identify, understand, better manage, and employ an appropriate level of security for university-owned data in an era when every sector of campus is more and more data-driven.
- U-M utilizes a risk-based approach to help faculty, researchers, staff, and students identify the data they use, understand its level of sensitivity, and determine how best to secure it.
U-M Data Classifications
Not all data are the same. Some data require a higher level of management and protection. The three university data classifications as defined in SPG 601.12 – Institutional Data Resource Management Policy are:
- Sensitive Data: Unauthorized disclosure may have serious adverse effects on the university's reputation, resources, services, or individuals. Sensitive data requires the highest level of protection (see the Sensitive Data Examples table). There are two kinds of sensitive data.
  - Regulated sensitive data includes data protected under federal or state regulations. Additional protective considerations may apply to regulated data due to regulatory or other requirements.
  - Unregulated sensitive data includes data that is not legally regulated, but still considered sensitive due to proprietary, ethical, or privacy considerations.
- Private/Confidential Data: Unauthorized disclosure may have moderate adverse effects on the university's reputation, resources, services, or individuals. This is the default classification, and should be assumed when there is no information indicating that data should be classified as public or sensitive.
- Public Data: Disclosure to the general public poses little or no risk to the university's reputation, resources, services, or individuals. Examples include U-M designated directory information, information available on U-M websites that do not require login, and campus maps.
Sensitive Data Resources
- Use the Sensitive Data Guide to make informed decisions about where to safely store and share sensitive data using IT services available on the U-M Ann Arbor campus.
- This Quick Reference Sheet summarizes best practices for staff who handle student, employee, customer, and/or patient information. It provides information on handling different categories of sensitive data as well as information regarding where to seek additional assistance.
- Data Stewardship at U-M provides:
  - Information about how ownership of different data types is structured and organized.
  - A list of campus stewards and managers who are ultimately responsible for data classification determinations.
Table: Sensitive Data Examples
The table below has one column for the different roles of individuals at U-M and another for types of sensitive data. The Role at U-M column links to sensitive data types or elements typically associated with specific roles or populations on campus as well as guidance about responsibility for protecting such data. The Sensitive Data Types column contains links which identify and define the category and list common data elements typically associated with each type.
U-M Information Technology Policies and Guidelines