Please answer the following questions to help classify your data. This will ensure the data is properly managed, protected, and shared based on its sensitivity and legal requirements. As a data steward, you are responsible for knowing the classification of the data and ensuring the day-to-day management and secure handling of the data.
1. Is the data regulated or governed by any law, regulation, or contractual obligation?
Is this data related to any of the following?
- Health Information: Data regulated by HIPAA, including patient medical records, insurance details, diagnoses, or prescription information.
- Example: A patient's medical history, test results, insurance coverage details, or prescriptions stored in a health records management system.
- Education Records: Data covered by FERPA, including student grades, transcripts, and student ID numbers.
- Example: A student's grades, academic transcripts, enrollment status, or student ID number.
- Financial Data: Information covered by PCI DSS or GLBA, including credit card numbers, bank account numbers, or investment account details.
- Example: A student's credit card number provided for tuition payment, a staff member’s bank account number used for payroll.
- Export Controls: Data subject to ITAR or EAR, such as research data, technology, or military-related information restricted for export.
- Example: Research data related to national security, military technologies, or technical specifications for weapons systems.
- Controlled Unclassified Information (CUI): Data that is controlled by specific federal agencies but not classified.
- Example: Sensitive government data shared under an agreement that is not classified but still requires controlled handling (e.g., research data from government-funded projects).
- EU General Data Protection Regulation (GDPR): Data that requires privacy safeguards because it concerns a person or company in the European Union.
- Example: Personal data of EU residents, including contact details, health data, or financial data that is subject to GDPR privacy protections.
- Legal Orders: Data produced in response to subpoenas, national security inquiries, or other court orders.
- Example: Information provided in response to a subpoena or other legal inquiry, such as emails, contracts, or meeting minutes requested by a court.
- Other laws/regulations: Any data that is covered by other federal, state, or local laws (e.g., regulated by DFARS).
- Example: Data covered by specific laws governing government contractors or intellectual property, such as export-controlled technical data.
(If any of the above apply, the data is classified as Restricted Data.)
2. Does this data contain sensitive personal information or sensitive university data, the disclosure of which could harm individuals or the university?
Does the data include any of the following?
- Personally Identifiable Information (PII): Names, addresses, Social Security numbers, phone numbers, email addresses, date of birth, passport numbers, or other personal identifiers (other than directory information).
- Example: A student's name, Social Security number, home address, or personal phone number in a student record system.
- Employment Records: Employee performance evaluations, job applications, benefits data, or background checks.
- Example: An employee’s job performance reviews, or a background check report obtained during the hiring process.
- Financial Account Details: Credit card numbers or credit card security codes, bank account information including account numbers and/or PIN codes, loans, investment portfolios, lines of credit, or any other financial assets.
- Example: A staff member’s bank account number for payroll deposits, or a student’s credit card information used to pay for tuition.
- Tax Information: W-2 forms, W-4 forms, 1099 forms, or other tax-related documents.
- Example: A W-2 tax form for university employees, or a 1099 form for independent contractors working with the university.
- Biometric Identifiers: Fingerprints, retina scans, facial recognition data, or voiceprints.
- Example: A student or employee's fingerprint or facial recognition data used for access control to buildings or systems.
- Library Records: Documents or information in any format retained by a university library that identify a patron as having requested, used, or obtained services, books, or other library materials.
- Example: A record showing that a student has checked out a specific book from the university library or a list of books they have borrowed.
- Law Enforcement Records: Arrest records, background checks, criminal investigations, and law enforcement data.
- Example: A police report, background check, or criminal investigation involving a student or employee.
- Audit Working Papers: Internal audit findings, audit reports, or other sensitive financial records.
- Example: Detailed financial audit reports from internal university audits, or working papers on financial discrepancies.
- Trade Secrets/Proprietary Information: Information about new product designs, formulas, inventions, or business strategies.
- Example: Research data for a new pharmaceutical product or a university’s business plan for a new academic program.
- Attorney-Client Privileged Information: Legal advice, contracts, or documents protected by attorney-client privilege.
- Example: Legal communications between the university’s legal counsel and university leadership about a pending lawsuit.
- Business Processes or Systems: Information related to specific business operating systems or procedures.
- Example: Details about the university’s internal finance system, including specific software used for budgeting and payroll.
- Other Sensitive Data: Any other information that, if exposed, could cause significant harm to individuals or the university, such as intellectual property or confidential business agreements.
- Example: Confidential research findings before they are published, or sensitive vendor agreements with non-disclosure clauses.
(If any of the above apply, the data is classified as Highly Sensitive Data.)
3. Is the data intended for internal use and not meant to be shared with the public unless required by law?
Does the data include any of the following?
- Internal Emails/Reports: Internal communications between departments, memos, meeting minutes, or reports that contain sensitive operational details.
- Example: An internal email chain discussing a new budget proposal or a meeting minute document that includes internal financial strategies.
- Business Partner Information: Vendor contracts, partner agreements, pricing information, and partnership terms where no confidentiality agreement is in place.
- Example: A contract with a third-party vendor that contains sensitive pricing or terms not yet made public.
- Technical/Systems Documents: Network infrastructure details, system configurations, system passwords, and software specifications.
- Example: Diagrams of the university’s network architecture, configuration files for university servers, or software specifications for an internal database.
- Research Data (not yet published): Data from research projects that has not yet been published, or that is not otherwise protected under research regulations (e.g., de-identified data).
- Example: Raw research data collected in an ongoing study that has not yet been published or released.
- University Financial, Legal, or Operational Data: Budgets, financial records, audits, and confidential university policy documents.
- Example: University-wide budget information, confidential audits, or employee compensation plans.
- Building or Security Infrastructure: Floor plans, blueprints, building security systems, server room configurations, or network topology.
- Example: Architectural blueprints of campus buildings, or access control details for server rooms and sensitive university facilities.
- Employee University ID Numbers: Identification numbers assigned to employees for internal use.
- Example: An internal employee identification number used for payroll or HR management.
(If any of the above apply, the data is classified as Sensitive (Internal) Data.)
4. Is this data intended for public access, or can it be shared with the public without major concerns?
Does the data include any of the following?
- Press Releases or Public Announcements: Official news releases, event announcements, or public statements made by the university.
- Example: A public announcement about a new partnership or donation, or a press release for a university milestone.
- University Class Schedules or Academic Calendars: Course listings, class times, and academic year calendars.
- Example: A list of available courses for an upcoming semester or the university’s official academic year calendar.
- Public-Facing Maps or Directories: University maps, campus directories, or event schedules accessible by the public (unless otherwise requested by individuals for privacy).
- Example: A campus map that visitors can access on the university’s website, or an online directory of faculty members.
- Public Donations/Recognition: Public-facing recognition of donors, gifts, or contributions to the university (e.g., giving wall or donor lists).
- Example: A publicly displayed donor recognition board on campus or a donor recognition section on the university’s website.
- University Newsletters, Magazines, or Newspapers: Publicly accessible publications, newsletters, or magazines published by the university.
- Example: A magazine published by the alumni association, or a newsletter with general campus updates.
- University Research Publications (Published): Research papers, journal articles, or books authored by university faculty that are publicly accessible through academic journals or university repositories.
- Example: A published journal article or research study accessible through the university’s open-access repository.
- Student-Athlete Rosters/Statistics: Information on student-athletes such as their names, sports, and statistics, often shared on the university’s website or by its athletic programs.
- Example: A roster for a university basketball team, including player names, positions, and statistics.
- Event Information (Publicly Open): Public events, lectures, or workshops hosted by the university, including event times, speakers, locations, and topics.
- Example: A public lecture by a guest speaker or a community event hosted by the university.
- Course Catalog: The university's list of available courses, course descriptions, and degree programs.
- Example: A comprehensive list of all available courses and degree programs published online for prospective students.
- Accreditation Information: Documents related to the university's accreditation status, including reports, evaluation forms, or official letters from accrediting bodies.
- Example: A publicly available document showing the university’s accreditation status from a recognized accrediting agency.
- University Rankings and Reports: Published rankings, performance reports, or metrics related to university achievements (e.g., academic rankings, graduation rates, employment rates).
- Example: A public document showing the university's ranking in national or global lists, or reports showing the university’s graduation and employment statistics.
- Videos: Publicly accessible videos, including promotional content, event recordings, sports highlights, or educational content.
- Example: A video tour of the campus, recorded lectures, or a university-sponsored sports event shared on social media.
(If any of the above apply, the data is classified as Public Data.)
Data Classification Summary
- Restricted Data: Highly sensitive data regulated by laws such as HIPAA, FERPA, PCI-DSS, or GDPR. Examples include health information, education records, and financial data.
- Highly Sensitive Data: Sensitive personal or financial information that could harm individuals or the university if disclosed. Examples include PII, tax information, trade secrets, and employment records.
- Sensitive (Internal) Data: Internal-use data not meant for public sharing unless required by law. Examples include internal emails, research data not yet published, or university financial and legal documents.
- Public Data: Data meant for public access or sharing without major concerns. Examples include press releases, university event information, publicly accessible videos, or published research papers.