Examples of Sensitive Data by Classification Level

The U-M Data Classification Levels define four classifications (sensitivity levels) for U-M institutional data. The examples below help illustrate what level of security controls are needed for certain kinds of data. You can also view examples of data by a person's U-M role. In some instances, data classification level is determined by the security controls mandated by federal regulations or prevailing industry standards, identified in parentheses next to the data example. 


Restricted Classification:

  • Disclosure could cause severe harm to individuals and/or the university, including exposure to criminal and civil liability.
  • Has the most stringent legal or regulatory requirements and requires the most prescriptive security controls.
  • Legal and/or compliance regime may require assessment or certification by an external, third party.


High Classification: 

  • Disclosure could cause significant harm to individuals and/or the university, including exposure to criminal and civil liability.
  • Usually subject to legal and regulatory requirements due to data that are individually identifiable, highly sensitive, and/or confidential. 


Data Examples:

  • Building plans and associated information
  • Contracts with third-party entities
  • Donor records (individual)
  • Employee records (multiple types)
  • Emergency planning information
  • Human subject research
  • Immigration documents (such as visas)
  • Intellectual or other proprietary property
  • IT service management information  (such as information in TeamDynamix)
  • Public safety and security information
  • Student education records (FERPA)
  • Telecommunications systems information
  • U-M nonpublic financial information (such as Shortcodes
  • UMID numbers associated with names

Moderate Classification:

  • Disclosure could cause limited harm to individuals and/or the university with some risk of civil liability.
  • Either subject to contractual agreements or regulatory compliance, or is individually identifiable, confidential, and/or proprietary. 


Data Examples:

  • Course catalogs
  • Faculty, staff, and student directory information (unless there is a privacy block)
  • General institutional and business information not classified as RestrictedHigh, or Moderate
  • Information in the public domain
  • Public websites
  • Published research (barring other publication restrictions)
  • Research Awards
  • Research Proposals
  • UMID numbers not associated with names
  • Unpublished research data (at the discretion of the researcher)

Low Classification:

  • Encompasses public information and data for which disclosure poses little to no risk to individuals and/or the university.
  • Anyone regardless of institutional affiliation can access without limitation.