Examples of Sensitive Data by Classification Level

The U-M Data Classification Levels define four classifications (sensitivity levels) for U-M institutional data. The examples below help illustrate what level of security controls is needed for certain kinds of data. You can also view examples of data by a person's U-M role. In some instances, the data classification level is determined by the security controls mandated by federal regulations or prevailing industry standards; these are identified in parentheses next to the data example.

Restricted

Data Examples:

  • Credit card numbers (PCI)
  • FISMA

Restricted Classification:

  • Disclosure could cause severe harm to individuals and the university, including exposure to criminal and civil liability.
  • Has the most stringent legal or regulatory requirements and requires the most prescriptive security controls.
  • Legal and/or compliance regime may require assessment or certification by an external, third party.

High

Data Examples:

  • Attorney-client privileged information
  • Controlled Unclassified Information (CUI)
  • Export controlled information (ITAR, EAR)
  • IT security information
  • Other identifiable health/medical information
  • Other financial account numbers (e.g., bank account numbers)
  • Protected health information (HIPAA)
  • Sensitive identifiable human subject research
  • Social Security numbers
  • Student loan information (GLBA)

High Classification: 

  • Disclosure could cause significant harm to individuals and the university, including exposure to criminal and civil liability.
  • Usually subject to legal and regulatory requirements due to data that are individually identifiable, highly sensitive and/or confidential. 

Moderate

Data Examples:

  • Building plans and associated information
  • Contracts with third-party entities
  • Donor records (individual)
  • Employee records (multiple types)
  • Emergency planning information
  • Human subject research
  • Immigration documents (e.g., visas)
  • Intellectual or other proprietary property
  • IT service management (ServiceLink) information 
  • Public safety and security information
  • Student records (FERPA)
  • Telecommunications systems information
  • U-M nonpublic financial information

Moderate Classification:

  • Disclosure could cause limited harm to individuals and the university with some risk of civil liability.
  • Either subject to contractual agreements or regulatory compliance or is individually identifiable, confidential, and/or proprietary. 

Low

Data Examples:

  • Course catalogs
  • Faculty, staff, and student directory information (unless there is a privacy block)
  • Information in the public domain
  • Public websites
  • Published research (barring other publication restrictions)
  • UMID numbers
  • Unpublished research data (at the discretion of the researcher)
  • General institutional and business information not classified as Restricted, High, or Moderate

Low Classification:

  • Encompasses public information and data for which disclosure poses little to no risk to individuals or the university.
  • Anyone regardless of institutional affiliation can access without limitation.