9.8.1 Data Classification Procedure
Purpose
This document defines the official data classification levels and establishes the procedure for classifying institutional data. The purpose is to ensure that data assets are categorized and protected according to their level of sensitivity, criticality, and risk to the institution and its members. This procedure is intended for use by designated Data Stewards.
Scope
This procedure applies to all institutional data, regardless of its format (e.g., electronic, paper) or location (e.g., on-premise servers, cloud services, physical records). It is applicable to all University students, faculty, staff, contractors, and other agents who create, access, manage, or store institutional data. All information systems owned or managed by the institution fall under the provisions of this procedure.
Definitions
All institutional data will be categorized into one of the three classification levels defined below. Data Stewards must classify data based on the specific data element in question.
When a dataset contains elements with multiple classifications, the entire dataset must be classified at the highest level present.
Confidential
- Definition: Data protected by law, regulation, or contractual agreement. Unauthorized disclosure is likely to result in critical financial loss, legal liability, reputational damage, harm to individuals, or significant operational disruption.
- Data Examples: Social Security Numbers (SSNs), medical records, biometric information, credit card numbers, driver's license numbers, Controlled Unclassified Information (CUI), sensitive research data (e.g., ITAR/EAR), system authentication credentials.
- Common regulatory frameworks: Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Illinois Personal Information Protection Act (PIPA), Illinois Biometric Protection Act (BIPA), Payment Card Industry Data Security Standard (PCI DSS), Gramm-Leach-Bliley Act (GLBA).
Sensitive
- Definition: Data not available to the public. Unauthorized disclosure could result in serious financial loss, reputational harm, operational disruption, or harm to individuals' privacy interests.
- Data Examples: Student education records (FERPA-protected data like grades, course rosters), employee records (performance reviews, personnel files), non-public research data, University financial information (not classified as Confidential), donor information, proprietary internal documents.
- Common regulatory frameworks: Family Educational Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act (GLBA), General Data Protection Regulation (GDPR), and other privacy acts.
Internal
- Definition: Data intended for University operations purposes. Unauthorized disclosure could result in adverse effects.
- Data Examples: Non-sensitive departmental data and communications, general operational procedures such as internal memos, job descriptions, employee schedules, contracts with third parties.
Data Stewards must follow this procedure to assign an appropriate classification level to data elements under their purview. The evaluation should proceed sequentially from Step 1 to Step 4.
Step 1: Evaluate for Confidential Classification
Evaluate if the data meets any of the following criteria. If a match is found, the data is classified as Confidential, and you may proceed directly to Step 4.
- Regulatory & Contractual Obligations: The data is subject to specific protection requirements under state, federal, or international regulations, or under a binding contractual agreement.
- Life Safety Risk: The unauthorized disclosure, modification, or destruction of the data could create a direct risk to the health or safety of individuals.
- Severe Strategic/Financial Risk: The data constitutes a critical trade secret or intellectual property that, if disclosed, would cause severe financial or strategic harm to the University.
If no criteria are met, proceed to Step 2.
Step 2: Evaluate for Sensitive Classification
If the data is not classified as Confidential, evaluate if it meets any of the following criteria. If a match is found, the data is classified as Sensitive, and you may proceed directly to Step 4.
- Other Regulated Data: The data is subject to regulations not covered in Step 1, such as the Family Educational Rights and Privacy Act (FERPA).
- Moderate Reputational/Financial Risk: Unauthorized disclosure would cause moderate reputational damage to the University or individuals, or result in significant but not severe financial loss.
- Proprietary Information: The data contains proprietary research or operational information that is not a critical trade secret but is still valuable and not intended for public release.
If no criteria are met, proceed to Step 3.
Step 3: Evaluate for Internal Classification
If the data is not classified as Confidential or Sensitive, classify it as Internal, which is the default classification for all non-sensitive data. After determining the classification, proceed to Step 4.
If the Data Steward is unable to review and classify the data element, the data element will go forward to the Data Governance Committee for review and classification.
Step 4: Documentation & Reclassification
The final classification level and the rationale for the decision (i.e., the specific criterion that triggered the classification) must be recorded in the University's official data catalog (Data Cookbook). This action completes the classification procedure for the data element under review.
Review and Approval
This procedure shall be reviewed on an annual basis, or more frequently if significant changes to the regulatory or technological environment occur. The Data Governance Committee is responsible for the review and for recommending any updates to the Data Governance Executive Council for final approval.
Document Details
Date of Initial Publication: May 2012
Date of Last Review: March 2026
Date of Last Revision: March 2026