Fayetteville Policies and Procedures 921.0

Data Classification

Overview
All University of Arkansas data is required to be categorized into one of four data classifications to ensure proper handling and sharing of data based on sensitivity. Data classifications used at the University of Arkansas are: Restricted, Highly Sensitive, Sensitive (Internal), and Public.
Purpose
The purpose of this policy is to establish classification requirements for all university data to help ensure that all data are secured and handled according to their sensitivity, taking into consideration the impact to confidentiality, integrity, and availability would have on the university and its constituents. This policy has been developed to assist the university and provide direction regarding identification and classification of data.
Scope
This policy applies to faculty, staff, student workers, contractors, and other affiliates that have access to or utilize university data, records, and/or documents in either paper or electronic formats.
Definitions
1. University Data: Data in the university’s care, in any form (electronic, physical, or otherwise), including but not limited to data created, used, or stored in pursuit of the university’s mission.
2. Personally Identifiable Information (PII): PII is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual, including but not limited to:
  - Social Security number (SSN)
  - Mother's maiden name
  - Driver's license number
  - Military, or passport identification number
  - PINs or passwords
  - Bank account information
  - Relatives' names
  - Personal characteristics
  - Date or place of birth
  - Health information not covered under HIPAA
  - Other information that would make the individual's identity easily attainable
3. Directory Information: A category of PII that is public information until it is recategorized under restricted or a formal request from the owner or steward, to make the data private, is approved.
  - First and last name
  - Email address
  - Home or cellular telephone number
  - Postal address
  - Department or title
Policy
The university uses four data classifications: Restricted, Highly Sensitive, Sensitive (Internal), and Public. It is the responsibility of the data owner or designated data steward to classify data appropriately.
1. Restricted Data: Data that is regulated by federal, state, or local statutes, regulations, industry standards, or contractual obligations. Access, use, transmission, or management of Restricted data is outlined in the applicable regulation or standards. To the extent not covered by specific requirements in governing statutes or regulations, management of Restricted data is covered by Fayetteville Policies and Procedures (FPP) 922.0 , Data Management, Use and Protection.
  
  Examples of Restricted data include, but are not limited to, data to which access is prohibited, restricted, or governed by:
  - (HIPAA) Health Insurance Portability and Accountability Act
  - (FERPA) Family Educational Rights and Privacy
    - Includes Student ID
  - (GDPR) General Data Protection Regulation (European Union)
  - (GLBA) Gramm-Leach-Bliley Act
  - (PCI-DSS) Payment Card Industry – Data Security Standard
  - (DFARS) Defense Federal Acquisition Regulation Supplement
  - (ITAR) International Traffic in Arms Regulations
  - (CUI) Controlled Unclassified Information
  - (EAR) Export Administration Regulations
  - Subpoena, National Security inquiry, and other court orders, or
  - Any applicable federal, state, or local law.
2. Highly Sensitive Data: Data that, if compromised, could result in serious personal, financial, or reputational harm to individuals or to the university in whole or in part. Handling of Highly Sensitive data is outlined in FPP 922.0, Data Management, Use and Protection.
  
  Examples of Highly Sensitive data may include, but are not limited to:
  - Personally Identifiable Information (PII) -- other than Directory Information
  - Law Enforcement records, including background check and arrest records
  - Employment files and other HR Data
  - Tax information (W-2, W-4, 1099, etc.)
  - Financial account numbers (bank account, investment account, etc.)
  - Audit working papers
  - Business processes that pertain to security practices
  - Donor records and work products including records compiled and maintained by University Advancement
  - Biometric identifiers, including finger and voice prints
  - Attorney-client privileged information
  - Trade secrets or proprietary information which the university, by choice, contract, or other agreement, identified for confidentiality
  - Passwords/PINs
  - Computer/network security plans
  - Library records
  - Research data prior to publication, governmental research, intellectual property
  - Certain contractual obligations
  - Other data such as the risk to the effected parties reaches the level of harm defined in Highly Sensitive data
3. Sensitive (Internal) Data: Data that is not intended to be shared with the public, absent a legally binding public records request. Sensitive (Internal) data should not be disclosed outside of the university without the permission of the person or group that is responsible for the data, except to the extent required by law.
  
  Examples of Sensitive (Internal) data include, but are not limited to:
  - Data related to university operations, finances, contracts, legal matters, audits, or other activities that are not routinely public in nature
  - Data related to unpublished research that is not subject to the federal Common Rule for human subjects protection (de-identified data) or not in a restricted category
  - Internal memoranda, emails, and reports
  - Technical documents, such as system configurations of information systems or processes
  - Detailed building plans and other infrastructure diagrams and data, e.g., server rooms and floor plans, building blueprints, HVAC systems, and electrical wiring
  - Business partner information where no more restrictive confidentiality agreement exists
  - Employee University ID numbers
4. Public Data: This includes data where unauthorized disclosure or loss poses a low risk or impact to the university or its affiliates. Public data is information to which the general public may be granted routine access in accordance with University of Arkansas policy or standards. Sufficient security measures are needed to control the unauthorized modification, use, or destruction of this data.
  Examples of public data include, but are not limited to:
  - Press releases
  - Schedules of classes
  - Interactive university maps, newsletters, newspapers, and magazines
  - Directory information
  - Public donations (e.g., giving wall)
Reporting and Addressing Suspected Violations
Anyone who has reason to believe that another person has violated this policy shall report the matter promptly to the Office of the CISO (Chief Information Security Officer) and/or their supervisor or department head. Failure to report a suspected violation is a violation of this policy. After a suspected violation of this policy has been reported or discovered, the issue will be handled as soon as possible to mitigate any harm to the university and its affiliates.
Enforcement
Violation of this policy may result in loss of access and disciplinary action up to and including termination. For additional information, see the Code of Computing Practices. Code of Computing Practices | VCFA | University of Arkansas (uark.edu).
Exemptions
Exemptions from this policy must be approved. Any questions abut the contents of this policy or the applicability of this policy to a particular situation should be referred to the Office of the CISO. Please see the Exemption policy.
References
Data and System Security Classification, Office of the State ECIO, State of Arkansas

Revised April 17, 2023
Previously listed as Fayetteville Policies and Procedures 309.4
Reformatted for Web May 13, 2014
January 2011