The U-M Data Classification Levels define four classifications (sensitivity levels) for U-M institutional data. The examples below help illustrate what level of security controls is needed for certain kinds of data. You can also view examples of data by a person's U-M role. In some instances, the data classification level is determined by the security controls mandated by federal regulations or prevailing industry standards, which are identified in parentheses next to the data example.
Restricted
- Disclosure could cause severe harm to individuals and/or the university, including exposure to criminal and civil liability.
- Has the most stringent legal or regulatory requirements and requires the most prescriptive security controls.
- Legal and/or compliance regime may require assessment or certification by an external, third party.
Examples:
High
- Disclosure could cause significant harm to individuals and/or the university, including exposure to criminal and civil liability.
- Usually subject to legal and regulatory requirements due to data that are individually identifiable, highly sensitive, and/or confidential.
Examples:
- Attorney-client privileged information
- Controlled Unclassified Information (CUI)
- Export controlled information (ITAR, EAR)
- IT security information (such as privileged credentials, incident information)
- Other identifiable health/medical information
- Other financial account numbers (such as bank account numbers)
- Protected health information (HIPAA)
- Sensitive identifiable human subject research
- Social Security numbers
- Student loan application information (GLBA)
Moderate
- Disclosure could cause limited harm to individuals and/or the university with some risk of civil liability.
- Either subject to contractual agreements or regulatory compliance, or is individually identifiable, confidential, and/or proprietary.
Examples:
- Building plans and associated information
- Contracts with third-party entities
- Donor records (individual)
- Employee records (multiple types)
- Emergency planning information
- Human subject research
- Immigration documents (such as visas)
- Intellectual or other proprietary property
- IT service management information (such as information in TeamDynamix)
- Public safety and security information
- Student education records (FERPA)
- Telecommunications systems information
- U-M nonpublic financial information (such as Shortcodes)
- UMID numbers associated with names
Low
- Encompasses public information and data for which disclosure poses little to no risk to individuals and/or the university.
- Anyone, regardless of institutional affiliation, can access it without limitation.
Examples:
- Course catalogs
- Faculty, staff, and student directory information (unless there is a privacy block)
- General institutional and business information not classified as Restricted, High, or Moderate
- Information in the public domain
- Public websites
- Published research (barring other publication restrictions)
- Research Awards
- Research Proposals
- UMID numbers not associated with names
- Unpublished research data (at the discretion of the researcher)