R02.07.090 Data Classification Standards
The University of Alaska (UA) generates, acquires, and maintains a large number of electronic records. In addition, UA often enters into relationships with third parties who maintain electronic records and information associated with these relationships. UA, as well as its affiliates, are often legally required to limit access to, distribution of, and/or disclosure of electronic records and information. The approach at UA is to adopt a classification scheme for all data.
Data classification standards help personnel who own and maintain information resources and systems to determine the sensitivity of the data within those systems. This regulation is designed to prevent the following:
- Unauthorized internal access to electronic information
- Unauthorized external access to electronic information
- Illegal or otherwise inappropriate use of UA electronic information
- Loss, corruption, or theft of UA electronic information
This classification standard applies to all data associated with UA business; to any other data caches located at any UA entity and covered by statutory or regulatory compliance requirements; and to data caches on the information systems of UA affiliates. Data associated with UA-hosted research that represents significant intellectual property interests are subject to this standard and may be subject to other specific protective requirements. These standards apply to all individuals who have access to and use UA information systems and data, particularly UA systems owners and designated custodians who have special responsibilities under the standards. Questions about the applicability of this standard can be forwarded to the UA Chief Records Officer.
Data Classification and Examples
The nature of any particular data set largely determines what measures and operational practices need to be applied to protect it. To help clarify the specific minimum requirements for UA data security, three classes of data are defined. The people who are accountable for protecting the data must understand and inventory their data assets according to these categories.
Data classified as restricted maybe subject to disclosure laws and warrant careful management and protection to ensure its integrity, appropriate access, and availability. This information is considered private and must be guarded from disclosure. Unauthorized exposure of this information could contribute to ID theft or financial fraud, and violate State and Federal law. Unauthorized disclosure of restricted data could adversely affect the university or the interests of individuals and organizations associated with the university.
Internal Use Data
This class encompasses information that is generally not available to parties outside the University of Alaska community such as non-directory listings, minutes from non-confidential meetings, and internal websites. Public disclosure of this information would cause minimal trouble or embarrassment to the institution. The university may have a duty to make this data available on demand under the Alaska Public Record Act (AS 40.25.110).
Public data is data published for public use or has been approved for general access by the appropriate UA authority.
In most cases categorizing the data will be obvious. When in doubt about how a particular data element or data set is classified, data custodians should use caution by defaulting to the higher class of the choices involved. In other words, it is better to err on the side of privacy and security protection until clarification is obtained.
The source data used to produce important reports, such as UA financial records, are treated as restricted or internal use even though the reports created from them are treated as public information. Data classification questions may be forwarded to the UA Chief Records Officer for review.
The Data Classification Categories table clarifies the nature of each data category and provides criteria for determining which classification is appropriate for a particular set of data. When using this table, a positive response for the most restrictive (highest risk) category in any row is sufficient to place that set of data into that category.
Data Classification Categories
|Legal Requirements||Protection of data is required by law or best practices||UA has best practice (due care) reasons to protect data||Data approved for general access by appropriate UA authority|
|Consequences of Exposure||The University’s reputation is tarnished by public reports of its failures to protect restricted records of students, employees, clients, or research. Such failure may subject the University to litigation.||Data is disclosed unnecessarily or in an untimely fashion, which causes harm to UA business interests or to the personal interests of an individual.||Confusion is caused by corrupted information about enrollment and tuition that is displayed on the official UA web site.|
|Examples of Specific Data|