Sensitive Data Classification

Data are some of the most valuable assets of U-M, and they need to be protected accordingly to prevent theft, compromise, or inappropriate use. The level of protection is mostly driven by legal, academic, financial, and operational requirements, and is based on the criticality and risk levels of the data. Protecting data assets while supporting U-M's academic, administrative, research, and clinical missions that require collaboration and open sharing of knowledge—often across the world—can be a difficult balancing act. The University of Michigan takes seriously its commitment to protect the privacy of its students, faculty, and staff, as well as to protect the security of information critical to U-M's core missions.

One of the most important steps in protecting data appropriately is to determine and assign classification levels to U-M's most important data classes. Data classification provides a framework for managing university-owned or institutional data assets based on value and associated risks. Several U-M IT policies deal specifically with defining sensitive institutional data and the requirements for handling such data.

  • The goal of data classification policy is to allow users to identify, understand, better manage and employ an appropriate level of security for university-owned data in an era when every sector of campus is more and more data-driven.
  • U-M utilizes a risk-based approach to help faculty, researchers, staff and students identify the data they use, understand its level of sensitivity, and learn how to best secure it.

U-M Data Classifications

Current Classifications

Not all data are the same. Some data require a higher level of management and protection. The three university data classifications, as defined in SPG 601.12 - Institutional Data Resource Management Policy, are:

  • Sensitive Data: Unauthorized disclosure may have serious adverse effects on the university's reputation, resources, services, or individuals. Sensitive data requires the highest level of protection (see the Sensitive Data Examples table). There are two kinds of sensitive data.
    • Regulated sensitive data includes data protected under federal or state regulations. Additional protective considerations may apply to regulated data due to regulatory or other requirements.
    • Unregulated sensitive data includes data that is not legally regulated, but still considered sensitive due to proprietary, ethical, or privacy considerations.
  • Private/Confidential Data: Unauthorized disclosure may have moderate adverse effects on the university's reputation, resources, services, or individuals. This is the default classification, and should be assumed when there is no information indicating that data should be classified as public or sensitive.
  • Public Data: Disclosure to the general public poses little or no risk to the university's reputation, resources, services, or individuals. Examples include U-M designated directory information, information available on U-M websites that do not require login, and campus maps.

Moving to New Data Classifications

Several of U-M's IT policies are being revised and updated. As part of that effort, the university is moving toward use of the following four data classification levels: restricted, high, moderate and low.

Restricted

The restricted level encompasses information and data that are covered by specific prescriptive information security controls and the most stringent legal or regulatory requirements.

Risk Level of Disclosure or Unauthorized Access: Severe harm to individuals and the university; could expose the university and individual staff to criminal and civil liability.

High

The high level encompasses information and data that are both individually identifiable and highly sensitive or confidential, and usually subject to legal or regulatory compliance.

Risk Level of Disclosure or Unauthorized Access: Significant harm to individuals or the university; could expose the university and individual staff to criminal and civil liability.

Moderate

The moderate level encompasses information and data that are individually identifiable, include confidential or proprietary institutional records, or are subject to contractual agreements or legal or regulatory compliance.

Risk Level of Disclosure or Unauthorized Access: Moderate harm to individuals or the university; some risk that the university could be exposed to civil liability.

Low

The low level encompasses public information and university business data that generally anyone, regardless of institutional affiliation, can access without limitation.

Risk Level of Disclosure or Unauthorized Access: Disclosure to the general public poses little to no risk to the university's reputation, resources, services or individuals.