U-M Data Classification Levels

All U-M institutional data is classified into one of four classifications or sensitivity levels, with Restricted as the most prescriptive, requiring the most security controls, and Low as the least prescriptive. See About Sensitive Data Classification.

See Examples of Sensitive Data by Classification Level to learn about the kinds of data grouped in each classification, or Examples of Sensitive Data by U-M Role to see examples grouped by the U-M community members that work with them the most. You can also use the Sensitive Data Guide to IT Services to help determine which data types can be used with which IT services at U-M. 

Restricted

  • Disclosure could cause severe harm to individuals and/or the university, including exposure to criminal and civil liability.
  • Has the most stringent legal or regulatory requirements and requires the most prescriptive security controls.
  • Legal and/or compliance regime may require assessment or certification by an external, third party.

High

  • Disclosure could cause significant harm to individuals and/or the university, including exposure to criminal and civil liability.
  • Usually subject to legal and regulatory requirements due to data that are individually identifiable, highly sensitive and/or confidential. 

Moderate

  • Disclosure could cause limited harm to individuals and/or the university with some risk of civil liability.
  • May be subject to contractual agreements or regulatory compliance, or is individually identifiable, confidential, and/or proprietary. 

Low

  • Encompasses public information and data for which disclosure poses little to no risk to individuals or the university.
  • Anyone regardless of institutional affiliation can access without limitation.

Applicable University Policies

You are responsible for complying with the policies and standards below. The information on this page help you meet that responsibility.