Sensitive Data Classification
Data are some of the most valuable assets of U-M, and they need to be protected accordingly to prevent theft, compromise, or inappropriate use. The level of protection is mostly driven by legal, academic, financial, and operational requirements, and is based on the criticality and risk levels of the data. Protecting data assets while supporting U-M's academic, administrative, research, and clinical missions that require collaboration and open sharing of knowledge—often across the world—can be a difficult balancing act. The University of Michigan takes seriously its commitment to protect the privacy of its students, faculty, and staff as well as to protect the security of information critical to U-M's core missions.
One of the most important steps in protecting data appropriately is to determine and assign classification levels to U-M's most important data classes. Data classification provides a framework for managing university-owned or institutional data assets based on value and associated risks. Several U-M IT policies deal specifically with defining sensitive institutional data and the requirements for handling such data.
U-M Data Classifications
Not all data are the same. Some data require higher level of management and protection. The three university data classifications as defined in SPG 601.12 – Institutional Data Resource Management Policy are:
Sensitive data is assigned a high level of protection. Therefore, any information assets (information systems, computers) that store or process sensitive data are also assigned a high level of protection. Certain categories of sensitive data may require additional considerations due to regulatory or other requirements.
Examples of public data include: U-M designated directory information, information available on U-M websites if accessible without UMID, and campus maps.
Note: This Quick Reference Sheet is designed as a handout for staff who handle student, employee, customer, and patient information. It provides a summary of best practices for handling different categories of sensitive data as well as information regarding where to seek additional assistance.
See also Data Stewardship at U-M for information about how ownership of different data types is structured and organized, and for a list of campus stewards and managers who are ultimately responsible for data classification determinations.
Staff who handle sensitive university data should use the Sensitive Data Guide to make informed decisions about where to safely store and share sensitive data using IT services available on the UM-Ann Arbor campus. The Guide deals specifically with sensitive regulated data, that is, information that is subject to federal or state regulatory compliance.
The table below has one column for the different roles of individuals at U-M and another for types of sensitive data. The Role at U-M column links to sensitive data types or elements typically associated with specific roles or populations on campus as well as guidance about responsibility for protecting such data.The Sensitive Data Types column contains links which identify and define the category and list common data elements typically associated with each type.
Table: Sensitive Data Examples
U-M Information Technology Policies and Guidelines