ITS Safe Computing

Sensitive Data Classification

Data are some of the most valuable assets of U-M, and they need to be protected accordingly to prevent theft, compromise, or inappropriate use. The level of protection is mostly driven by legal, academic, financial, and operational requirements, and is based on the criticality and risk levels of the data. Protecting data assets while supporting U-M's academic, administrative, research, and clinical missions that require collaboration and open sharing of knowledge—often across the world—can be a difficult balancing act. The University of Michigan takes seriously its commitment to protect the privacy of its students, faculty, and staff as well as to protect the security of information critical to U-M's core missions.

One of the most important steps in protecting data appropriately is to determine and assign classification levels to U-M's most important data classes. Data classification provides a framework for managing university-owned or institutional data assets based on value and associated risks. Several U-M IT policies deal specifically with defining sensitive institutional data and the requirements for handling such data.

  • The goal of data classification policy is to allow users to identify, understand, better manage, and employ an appropriate level of security for university-owned data in an era when every sector of campus is more and more data-driven.
  • U-M utilizes a risk-based approach to help faculty, researchers, staff, and students identify the data they use, understand its level of sensitivity, and determine how best to secure it.

U-M Data Classifications

Not all data are the same. Some data require a higher level of management and protection. The three university data classifications as defined in SPG 601.12 – Institutional Data Resource Management Policy are:

SENSITIVE DATA: Unauthorized disclosure may have serious adverse effects on the university's reputation, resources, services, or individuals. Typically includes data protected under federal or state regulations, or due to proprietary, ethical, or privacy considerations. Sensitive data requires the highest level of protection (see the Sensitive Data Examples table).

PRIVATE/CONFIDENTIAL DATA: Unauthorized disclosure may have moderate adverse effects on the university's reputation, resources, services, or individuals. This is the default classification, and should be assumed when there is no information indicating that data should be classified as public or sensitive.

PUBLIC DATA: Disclosure to the general public poses little or no risk to the university's reputation, resources, services, or individuals.

Sensitive data is assigned a high level of protection. Therefore, any information assets (information systems, computers) that store or process sensitive data are also assigned a high level of protection. Certain categories of sensitive data may require additional considerations due to regulatory or other requirements.

Examples of public data include: U-M designated directory information, information available on U-M websites if accessible without UMID, and campus maps.

Note: This Quick Reference Sheet is designed as a handout for staff who handle student, employee, customer, and patient information. It provides a summary of best practices for handling different categories of sensitive data as well as information regarding where to seek additional assistance.

See also Data Stewardship at U-M for information about how ownership of different data types is structured and organized, and for a list of campus stewards and managers who are ultimately responsible for data classification determinations.

Staff who handle sensitive university data should use the Sensitive Data Guide to make informed decisions about where to safely store and share sensitive data using IT services available on the UM-Ann Arbor campus. The Guide deals specifically with sensitive regulated data, that is, information that is subject to federal or state regulatory compliance.

The table below has one column for the different roles of individuals at U-M and another for types of sensitive data. The Role at U-M column links to sensitive data types or elements typically associated with specific roles or populations on campus as well as guidance about responsibility for protecting such data. The Sensitive Data Types column contains links that identify and define the category and list common data elements typically associated with each type.


Table: Sensitive Data Examples

Role at U-M Sensitive Data Types Associated with Role
Customer
Employee
Faculty
Patient
Researcher
Staff
Student
Donor

U-M Information Technology Policies and Guidelines

Compliance Resource Center
