DATA CLASSIFICATION RULE

Approved and Implemented: February 22, 2017

Reviewed/Updated: June 28, 2021

1.0 Introduction

The objective of this data classification requirement is to assist the UAB community in the classification of data and systems to determine the appropriate level of security.

2.0 Scope and Applicability

All UAB data stored, processed, or transmitted must be classified in accordance with this rule. Based on the classification, users are required to implement appropriate security controls.

3.0 Classifying Data

All UAB data must be classified into one of the three following categories.

Public Data

This data classification is for data that is low risk. The loss of the data’s confidentiality, integrity or availability would not cause harm to UAB’s mission, safety, finances or reputation. This is data that UAB has chosen or is required to disclose to the public.

Examples include but are not limited to: public phone directory, course catalogs, public research findings, enrollment figures, public web sites, general benefits data, press releases, newsletters, etc.

Sensitive Data

This data classification is for data that is moderate risk because it should be kept confidential. The loss of the data’s confidentiality, integrity or availability could cause harm to UAB’s mission, safety, finances or reputation. Privacy may be required by law or contract. Access to these data shall require authorization and legitimate need-to-know.

Examples include but are not limited to: FERPA, budgetary plans, proprietary business plans, patent pending information, and data protected by law.

Restricted/PHI Data

This data classification is for data that is high risk because it is sensitive data that is highly confidential in nature. The loss of the data’s confidentiality, integrity or availability would cause harm to UAB’s mission, safety, finances or reputation. Privacy and security are typically required by law or contract.

Examples include but are not limited to: HIPAA, PHI, Social Security Numbers, credit card numbers (PCI DSS), GLBA data, Export Controlled data, FISMA regulated data, login credentials, and information protected by non-disclosure agreements.

Note regarding Classification of Research Data: The classification of research data depends on several factors that can and often do change as research progresses. It is incumbent upon the Researcher to know the type of data, the circumstances governing the data, and classify it accordingly.