The U-M Data Classification Levels define four classifications (sensitivity levels) for U-M institutional data. The examples below help illustrate what level of security controls is needed for certain kinds of data. You can also view examples of data by a person's U-M role. In some instances, the data classification level is determined by the security controls mandated by federal regulations or prevailing industry standards, which are identified in parentheses next to the data example.
- Credit card numbers (PCI)
- Disclosure could cause severe harm to individuals and the university, including exposure to criminal and civil liability.
- Has the most stringent legal or regulatory requirements and requires the most prescriptive security controls.
- Legal and/or compliance regime may require assessment or certification by an external, third party.
- Attorney-client privileged information
- Controlled Unclassified Information (CUI)
- Export controlled information (ITAR, EAR)
- IT security information
- Other identifiable health/medical information
- Other financial account numbers (e.g., bank account numbers)
- Protected health information (HIPAA)
- Sensitive identifiable human subject research
- Social Security numbers
- Student loan information (GLBA)
- Disclosure could cause significant harm to individuals and the university, including exposure to criminal and civil liability.
- Usually subject to legal and regulatory requirements due to data that are individually identifiable, highly sensitive and/or confidential.
- Building plans and associated information
- Contracts with third-party entities
- Donor records (individual)
- Employee records (multiple types)
- Emergency planning information
- Human subject research
- Immigration documents (e.g., visas)
- Intellectual or other proprietary property
- IT service management (ServiceLink) information
- Public safety and security information
- Student records (FERPA)
- Telecommunications systems information
- U-M nonpublic financial information
- Disclosure could cause limited harm to individuals and the university with some risk of civil liability.
- Either subject to contractual agreements or regulatory compliance or is individually identifiable, confidential, and/or proprietary.
- Course catalogs
- Faculty, staff, and student directory information (unless there is a privacy block)
- Information in the public domain
- Public websites
- Published research (barring other publication restrictions)
- UMID numbers
- Unpublished research data (at the discretion of the researcher)
- General institutional and business information not classified as Restricted, High, or Moderate
- Encompasses public information and data for which disclosure poses little to no risk to individuals or the university.
- Anyone regardless of institutional affiliation can access without limitation.