A proposed data classification system for UAB will make it easier for faculty, staff and researchers to determine how best to keep University data safe.
UAB IT has worked closely with information security officials from UAB Health System to develop the proposed classification system.
The new system proposes three levels of data: public, sensitive and restricted/PHI.
“Much of the University data covered by the sensitive and restricted levels is already regulated by law or contract,” said Brian Rivers, assistant vice president and chief information officer. “This proposed standard should help employees determine the best level of protection for the data they use.”
Public data is data that can be disclosed to the general public without harm. Examples of public data include phone directory information, course catalogs, public research findings, enrollment figures, public web sites, general benefits data, press releases, newsletters and other similar information.
Sensitive data is data that should be kept confidential, with access requiring authorization or legitimate need-to-know involvement. Examples of sensitive data include FERPA information, budgetary plans, internal communications, proprietary business plans, patent-pending information, export controls information and data protected by law.
Restricted/PHI data is sensitive data that is highly confidential in nature and carries significant risk from unauthorized access. Privacy and security controls are typically required by law or contract for this data. Examples include Social Security numbers, credit card numbers (PCI), personally identified information, protected health information, Gramm-Leach-Bliley Act (GLBA) data, export controlled data, FISMA regulated data, login credentials, and information protected by non-disclosure agreements.
The proposed policy also establishes roles and responsibilities for protecting institutional data.