Data Classification Rule

University of Alabama at Birmingham


December 19, 2016

Related Policies, Procedures, and Resources

Data Protection and Security Policy

Data Access Policy

Acceptable Use Policy

Data Protection Rule

Data custodian responsibilities

1.0 Overview

The objective of this data classification requirement is to assist the UAB community in the classification of data and systems to determine the appropriate level of security.

2.0 Scope and Applicability

All UAB data stored, processed, or transmitted must be classified in accordance with this requirement. Based on that classification, users are required to implement the appropriate security controls.

3.1 Classifying data
All UAB data must be classified into one of the following three categories.

Public Data: Data that may be disclosed to the general public without harm.

Examples: public phone directory, course catalogs, public research findings, enrollment figures, public web sites, general benefits data, press releases, newsletters, etc.

Sensitive Data: Data that should be kept confidential. Access to these data shall require authorization and a legitimate need-to-know. Privacy may be required by law or contract.

Examples: FERPA, budgetary plans, proprietary business plans, patent pending information, and data protected by law.

Restricted/PHI Data: Sensitive Data that is highly confidential in nature, that carries significant risk from unauthorized access, or whose uninterrupted accessibility is critical to UAB operation. Privacy and security controls are typically required by law or contract.

Examples: HIPAA PHI, Social Security numbers, credit card numbers (PCI DSS), GLBA data, Export Controlled data, FISMA regulated data, log-in credentials, and information protected by non-disclosure agreements.

Note regarding Classification of Research Data: The classification of research data depends on several factors that can and often do change as research progresses. It is incumbent upon the Researcher to know the type of data and the circumstances governing the data, and to classify it accordingly.

Responsibilities for protection and security of these data may be found in the Data Protection and Security Policy.
Abbreviations used: FERPA (Family Educational Rights and Privacy Act), HIPAA (Health Insurance Portability and Accountability Act), PHI (protected health information), PCI DSS (Payment Card Industry Data Security Standard), GLBA (Gramm-Leach-Bliley Act), and FISMA (Federal Information Security Management Act).

Last modified on December 15, 2017