GDL-3000.07C: Data Classification Guidelines

GUIDELINE SUMMARY

Intended Audience: University personnel responsible for data management
Guideline Owner: Director of Information Security

Definitions

Data Classification

The process of grouping data into categories based on the sensitivity of the data.

Data Custodian

A technical person responsible for the secure custody, transport, and storage of data as well as proper implementation of business rules. They provide technical support to the Data Steward.

Data Steward

An individual responsible for data business use, access, archiving, security, and destruction decisions. They may create and oversee enforcement of business rules. They will often arrange contracts such as data sharing agreements (DSAs) and memorandums of understanding (MOUs).

Personal Information

Information about an individual as defined in RCW 19.255.005. A partial list of common Personal Information includes an individual’s first name or first initial and last name in combination with any one of the following:

  1. Social Security number, driver’s license number, or state ID number.
  2. Date of birth.
  3. Private (encryption) key.
  4. Student, military, or passport identification number.
  5. Health insurance policy number or health insurance identification number.
  6. Medical history or mental or physical condition.
  7. Medical diagnosis or treatment.
  8. Biometric data (fingerprints, voice, etc.).
  9. Username or email in combination with password.

Introduction and Scope 

This guideline pertains to the classification of University data. Proper Data Classification is required to determine the appropriate data security controls to apply to reduce the risk associated with the unauthorized access, disclosure, or destruction of data. This guideline applies to all University-managed data and information systems. 

All data should have a Data Steward and Data Custodian assigned. Data Stewards must ensure that data entrusted to their care is classified according to the four broad categories described below, and they must work with Data Custodians to ensure the data is protected accordingly: 

Category 1 – Public Information

Public Information is information that can be released to the public. It does not need protection from unauthorized disclosure but does need protection from unauthorized changes that may mislead the public or embarrass the University.

Category 2 – Sensitive Information

Sensitive Information is not specifically protected by law but should be limited to official use only and protected against unauthorized access.

Category 3 – Confidential Information

Confidential Information is information that is specifically protected by law. It generally includes:

  1. Personal Information (see Definitions) about individuals, regardless of how that information is obtained.
  2. Information concerning employee payroll and personnel records.
  3. Information regarding IT infrastructure and security of computer and telecommunications systems.

Category 4 – Confidential Information Requiring Special Handling

Confidential Information Requiring Special Handling is information that is specifically protected from disclosure by law and for which:

  1. Especially strict handling requirements are dictated, e.g., by statutes, regulations, or agreements.
  2. Serious consequences could arise from unauthorized disclosure, ranging from life threatening to legal sanctions.

NOTE: The use of the word “confidential” for data or information at the University is to include both Category 3, “Confidential Information” and Category 4, “Confidential Information Requiring Special Handling” unless stated otherwise.

Commingled Data

Whenever different types of information requiring different levels of protection are commingled, all the commingled information must be assigned the highest classification appropriate for any of the commingled information and protected accordingly.

 

For the complete guideline, click "Full Document" tab at top of page.

FULL DOCUMENT

Intended Audience: University personnel responsible for data management
Guideline Owner: Director of Information Security

1. Definitions

Data Classification

The process of grouping data into categories based on the sensitivity of the data.

Data Custodian

A broad term typically used for a technical person responsible for the secure custody, transport, and storage of data as well as proper implementation of business rules. They provide technical support to the Data Steward.

Data Steward

An individual responsible for data business use, access, archiving, security, and destruction decisions. They may create and oversee enforcement of business rules. They will often arrange contracts such as data sharing agreements (DSAs) and memorandums of understanding (MOUs).

Personal Information

Information about an individual as defined in RCW 19.255.005. A partial list of common Personal Information includes an individual’s first name or first initial and last name in combination with any one of the following:

  1. Social Security number, driver’s license number, or state ID number.
  2. Date of birth.
  3. Private (encryption) key.
  4. Student, military, or passport identification number.
  5. Health insurance policy number or health insurance identification number.
  6. Medical history or mental or physical condition.
  7. Medical diagnosis or treatment.
  8. Biometric data (fingerprints, voice, etc.).
  9. Username or email in combination with password.

2. Introduction

This guideline pertains to the classification of University data. Proper Data Classification is required to determine the appropriate data security controls to apply to, in turn, reduce the risk associated with the unauthorized access, disclosure, or destruction of data.

3. Scope

This guideline applies to all University-managed data and information systems.

4. Designation of a Data Steward and Data Custodian

OCIO 141.10: 8.2

All data will have a Data Steward assigned. All data will also have a Data Custodian assigned who serves as the technical expert for secure management of the data.

5. Data Classification

OCIO 141.10: 4.1

Data Stewards must ensure that data entrusted to their care is classified according to the four broad categories described below, and protected accordingly:

5.1 Category 1 – Public Information

Public Information is information that can be released to the public. It does not need protection from unauthorized disclosure, but does need protection from unauthorized change that may mislead the public or embarrass the University.

5.2 Category 2 – Sensitive Information

Sensitive Information is not specifically protected by law but should be limited to official use only and protected against unauthorized access.

5.3 Category 3 – Confidential Information

Confidential Information is information that is specifically protected by law. It generally includes:

  1. Personal Information about individuals, regardless of how that information is obtained.
  2. Information concerning employee payroll and personnel records.
  3. Information regarding IT infrastructure and security of computer and telecommunications systems.

5.4 Category 4 – Confidential Information Requiring Special Handling

Confidential Information Requiring Special Handling is information that is specifically protected from disclosure by law and for which:

  1. Especially strict handling requirements are dictated, e.g., by statutes, regulations, or agreements.
  2. Serious consequences could arise from unauthorized disclosure, ranging from life threatening to legal sanctions.

NOTE: The use of the word “confidential” for data or information at the University is to include both Category 3, “Confidential Information” and Category 4, “Confidential Information Requiring Special Handling” unless stated otherwise.

5.5 Commingled Data

Whenever different types of information requiring different levels of protection are commingled, all the commingled information must be assigned the highest classification appropriate for any of the commingled information and protected accordingly.

6. Authority

  1. University policy POL-U3000.07 - Securing Information Systems
  2. Washington State Office of the Chief Information Officer (OCIO) 141.10 – Securing Information Technology Assets Standards
  3. Federal Regulation Title 34, Part 99 – Family Educational Rights and Privacy Act (FERPA)
  4. Federal Criminal Justice Information Systems (CJIS) Security Policy

7. References

  1. FIPS Publication 199: Standards for Security Categorization
  2. NIST 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
  3. OCIO 141: Securing Information Technology Assets
  4. OCIO 141-10: Securing Information Technology Assets Standards
  5. OCIO Policy No. 103: Technology Policy and Standards Waiver Request
  6. RCW 19.255.005: Personal Information – Notice of Security Breaches, Definitions

Change Log

Revised Version Author Approver Change
01/08/2021 1.0 Beth Albertson ITS Standards & Guidelines Committee Original Version