8.2.2.1 Information (Data) Classification Standard

Purpose

The University of Oklahoma (OU) recognizes that institutional information is an asset, critically important to effectively supporting OU’s mission of excellence in teaching, research and creative activity, and service.OU also recognizes the need for appropriate data protections, to ensure student and employee privacy is respected and the University complies with applicable laws.  All Institutional Data must be classified to support the operations of OU and apply data protection through technical and procedural controls, assuring the proper use of data.

Scope:

This Standard applies to all Institutional Data and all OU activities and operations in which Institutional Data is maintained and/or accessed.  For the purposes this standard, “Institutional Data” refers to any data – structured or unstructured, detailed, or aggregated – that are relevant to operations, planning, management, research, and/or patient care activities of any University unit. 

Roles and Responsibilities

  1. Any individual who creates an Authoritative Source or System of Record is responsible for performing the duties of a Data Owner.  Data Owners must classify Institutional Data as described below.
  2. Each Authoritative Source or SOR must be recorded in the OU IT data catalog, in accordance with the OU IT Asset Management Policy.  

Data Classification

Category A: Healthcare Data

Category A data includes data that is legally regulated by the Health Insurance Portability and Accountability Act of 1996, Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, and Children’s Online Privacy Protection Act (COPPA).  This category requires notification to affected parties in case of a confidentiality breach.  Unauthorized disclosure or modification of Category A data or resources could result in significant fines or penalties, regulatory action, or civil or criminal violations.  There is also an inherent significant risk to OU reputation and business continuity, along with harm or impairment to OU patients or research subjects.

DESCRIPTION

EXAMPLES

Protected Health Information (PHI)
  • Medical records
  • Health Insurance Plan information
  • Healthcare service payments

Human Participant Research Information

  • ePHI identifiers, see University of Oklahoma HIPAA Policy, De-Identification/Re-Identification of PHI.
  • Treatment records

OU Health
  • Medical records

Donor Information
  • Medical information

Student Information
  • Medical records

Category B: Payment Card Data

Category B data includes data that is governed by Payment Card Industry (PCI) Data Security Standards to protect the confidentiality, integrity, and availability of the payment card data.This category requires notification to affected parties in case of a confidentiality breach.Unauthorized disclosure or modification of Category B data or resources could result in fines or penalties and institutional financial loss of credit card processing operations.

DATA DESCRIPTION

EXAMPLES

Payment Card Information
  • Cardholder name
  • Credit/debit card account number
  • Credit/debit card expiration date
  • Credit/debit card verification number
  • Credit/debit card security code

Category C: Student Data

Category C data includes records that contain information directly related to a student, that are maintained by the University, and are governed by the Family Educational Rights and Privacy Act (FERPA), Higher Education Act of 1965, Gramm-Leach-Bliley (GLBA) Act, and Children’s Online Privacy Protection Act (COPPA).This category requires notification to affected parties in case of a confidentiality breach.Unauthorized disclosure or modification of Category C data or resources could result in fines or penalties, regulatory action, or civil or criminal violations.There is also an inherent significant risk to OU reputation and business continuity, along with harm or impairment to OU students.

DATA DESCRIPTION

EXAMPLES

Student Data
  • FERPA student records (including Student ID)
  • Access device numbers (card number, building access code, etc.) used to protect student records information
  • Class lists or enrollment information
  • Transcripts and/or student grade reports
  • Student assessments
  • Student graded and ungraded assignments
  • Student tests
  • Notes on student performance
  • Disciplinary action
  • Athletics or department recruiting information
  • Race/ethnicity information, including tribal affiliation
  • Date of birth
  • Gender/sex
  • Participation in campus activities and sports
  • Weight and height (athletics)
  • Dates of attendance
  • Status
  • Last name and first name or initial, with any one of the following:
  • Social Security Number 
  • Driver’s license number
  • State ID card
  • Passport number

Student Financial Information

(*requires additional data governance)
  • Financial Aid information
  • Financial information of students or parents
  • GLBA Loan or scholarship information
  • Payment history
  • Student tuition bills

Academic/Research Information

  • Library transactions (e.g., circulation, acquisitions)
  • Library paid subscription electronic resources
  • Course evaluations

Donor Information
  • Student donor information

Category D1 – Controlled Unclassified Research or Classified Research Data

Category D1 research data includes data which the University is obligated to protect in accordance with the Department of Defense Cybersecurity Maturity Model Certification and National Institute of Standards and Technology (NIST) Special Publication 800-171.

DATA DESCRIPTION

EXAMPLES

Contracts and contract data referencing the labels
  • Export Controlled Research or Information (ITAR)
  • Controlled Unclassified Information (CUI)
  • National Institutes of Health (NIH)
  • IACUC Protocol(s)
  • Animal Specimen Veterinary Records
  • For Official Use Only (FOUO)
  • Sensitive But Unclassified (SBU)
  • Limited Official Use (LOU)
  • Sensitive Unclassified Information (SUI)
  • Law Enforcement Sensitive
  • DEA Sensitive
  • Official Use Only (OUO)
  • Department Of Defense (DoD) Technical Information
  • Distribution Statements on Technical Documents
  • Sensitive Security Information
  • Protected Critical Infrastructure Information
  • Unclassified Controlled Nuclear Information
  • DFARS 252.204-7012

Category D2 – Research Data

Category D2 data includes research data generally planned for release or publish to the public, or data not under contractual or regulated obligations for data protection.

DATA DESCRIPTION

EXAMPLES

Business Data

  • List of publications (published research)
  • Unpublished research or research detail/results that are not confidential data
  • Private funding information
  • De-identified research data

University Property
  • Intellectual Property Disclosures
  • Unpublished know-how and/or data
  • Existing University Intellectual Property

Category E – University Administrative and Financial Data

Category E data includes confidential University information requiring security and privacy protection, subject to State of Oklahoma Policy, Standards, Procedures, and Guidelines (PSPG), Privacy Act of 1974, E-Government Act of 2002, and the Fair and Accurate Credit Transaction Act of 2003.

DATA DESCRIPTION

EXAMPLES

Business/Financial Data

  • Financial transactions that do not include confidential data
  • Information covered by non-disclosure agreements
  • Contracts that do not contain PII
  • Credit reports
  • Records on spending, borrowing, net worth

University Property
  • Proprietary intellectual property created by employees in connection with their work (patents, trademarks, copyrights, etc.)
  • Commercial license type agreements
  • Partner Agreements (NDA, Confidentiality, MTA, DUA, IPA, IIA, etc.)

Donor Information
  • Last name
  • First name or initial (and/or name of organization if applicable) with any type of gift information (e.g., amount and purpose of commitment.)
  • Telephone/fax numbers, e-mail & employment information
  • Family information (spouse(s), partner, guardian, children, grandchildren, etc.)

Authentication Verifiers
  • Passwords
  • Cryptographic private keys

Security/Safety Data

 
  • Emergency operations procedures and planning documents
  • Facilities blueprints and utility documents
  • Power plant
  • OUPD data
  • Disaster Recovery and Business Continuity plans

Personal/Employee Data

 
  • OU Employee ID Numbers
  • Income information and Payroll information
  • Personnel records, performance reviews, benefit information
  • Race/ethnicity information, including tribal affiliation
  • Gender/sex
  • Date and place of birth or age
  • Worker’s compensation or disability claims
  • Last name and first name or initial, with any one of the following:
    • Social Security Number 
    • Driver’s license number
    • State ID card
    • Passport number
    • Federal Tax Information

Certain directory/contact information not designated by the individual as private

 
  • Name
  • Campus address
  • Email address
  • Listed telephone number(s)
  • Degrees, honors and awards
  • Most recent previous educational institution attended
  • Major field of study
  • Dates of current employment, position(s)
  • ID card photographs for University use

Management Data

  • Detailed annual budget information
  • Conflict of Interest Disclosures
  • University’s investment information

Information Technology Information
  • Server Event Logs
  • Non-published Information Technology Policy, Standard and Procedures
  • Network diagrams
  • Technical blueprints
  • Security documentation and procedures
  • Licensed software/software license keys

Category F – Public Data

Category F data includes data that the University is under obligation to make available to the public, and data for which there is no expectation of privacy or confidentiality.

DATA DESCRIPTION

EXAMPLES

Business Data

  • Press Releases
  • Course information
  • Campus maps
  • Job postings
  • Official institutional reports, such as those required by law or accreditation

 

University Property
  • Patent published applications
  • Issued Patent
  • Patent prosecution history

References

  1. National Institute of Standards and Technology Cybersecurity Framework (CSF)
  2. National Institute of Standards and Technology Special Publication 800-171, Controlled Unclassified Information
  3. Health Insurance Portability and Accountability Act of 1996 (HIPAA), Security Rule, §
  4. General Data Protection Regulation (GDPR)
  5. Payment Card Industry (PCI) Data Security Standards
  6. Gramm-Leach-Bliley Act (GLBA)
  7. Family Education Rights and Protection Act (FERPA)
Print Article

Related Articles (2)

8.2.1.17 Data Governance Policy
The University of Oklahoma (OU) recognizes that Institutional Data is an asset and critically important to effectively supporting OU’s mission. The value of data as an institutional resource is increased through its widespread and appropriate use; its value is diminished through misuse, misinterpretation, or unnecessary restrictions to its access. The university has an obligation to protect the integrity and quality of institutional data, privacy of data subjects, and security of institutional d