UAB has introduced three classification levels for data to help better protect University data and the personal and financial information of students, faculty and staff.

UAB IT worked closely with information security officials from UAB Health System to develop the classification system. The Data Classification Rule has three levels of data — public, sensitive and restricted/PHI — intended to protect University data. UAB’s Data Protection Rule establishes roles and responsibilities for those individuals and groups who will safeguard and use UAB data. Much of the University's data covered by the sensitive and restricted levels is already

Classification levels

Public data

Public data is data that can be disclosed to the general public without harm. Examples of public data include phone directory information, course catalogs, public research findings, enrollment figures, public web sites, general benefits data, press releases, newsletters and other similar information.

Sensitive data

Sensitive data is data that should be kept confidential, with access requiring authorization or legitimate need-to-know involvement. Examples of sensitive data include FERPA information, budgetary plans, proprietary business plans, patent pending information, export controls information and data protected by law.

Restricted/PHI data

Restricted/PHI data is sensitive data that is highly confidential in nature and carries significant risk from unauthorized access. Privacy and security controls are typically required by law or contract for this data. Examples include Social Security numbers, credit card numbers (PCI), personally identified information, protected health information, Gramm-Leach-Bliley Act (GLBA) data, export controlled data, FISMA regulated data, login credentials, and information protected by non-disclosure agreements.


Data stewards

Data stewards have administrative control and are officially accountable for a specific information set. Examples include the vice president of Financial Affairs and Administration; the vice president for Research and Economic Development; deans and department chairmen overseeing data from their respective academic areas; and hospital managers or directors and vice presidents overseeing data from their respective clinic areas.

Data custodians

Data custodians safeguard the data on behalf of the data steward. While data stewards are ultimately responsible for the security of data, data custodians ensure the security controls are in place. UAB’s central Information Technology units (UAB IT) will be responsible for protecting all institutional data maintained and stored in the institutional information systems. UAB Health Services Information Services (HSIS) will be responsible for protecting all Health System data maintained and stored in the institutional information systems.

UAB Information Security

Members of the UAB IT and UAB Health System information security teams are responsible for developing and implementing the information security program, as well as the supporting data security and protection policies and procedures.

Departmental security administrators

Each unit or department senior manager will choose one departmental security administrator (DSA) to act as a liaison with the UAB Information Security team. DSAs oversee information security responsibilities for their departments, including security awareness and security incident response.

System administrators

System administrators in UAB IT, HSIS and school/department units who handle day-to-day maintenance of information systems are responsible for following data security protection procedures and practices.

Data users

Data users are individuals who are authorized to access UAB data and who are responsible for protecting information assets on a daily basis through adherence to UAB policies.