Data Classification Rule

University of Alabama at Birmingham
December 19, 2016

1.0 Overview

The objective of this data classification requirement is to assist the UAB community in the classification of data and systems to determine the appropriate level of security.

2.0 Scope and Applicability

All UAB data stored, processed, or transmitted must be classified in accordance with this requirement. Based on the classification, users are required to implement appropriate security controls.

3.0 Classifying Data

All UAB data must be classified into one of the following three categories.

3.1 Public Data

Public data is data that can be disclosed to the general public without harm.
Examples of public data include phone directory information, course catalogs, public research findings, enrollment figures, public web sites, general benefits data, press releases, newsletters and other similar information.

3.2 Sensitive Data

Sensitive data is data that should be kept confidential, with access requiring authorization or legitimate need-to-know involvement.
Examples of sensitive data include FERPA information, budgetary plans, proprietary business plans, patent-pending information, export controls information and data protected by law.

3.3 Restricted/PHI Data

Restricted/PHI data is sensitive data that is highly confidential in nature, and carries significant risk from unauthorized access. Privacy and security controls are typically required by law or contract for this data.
Examples include Social Security numbers, credit card numbers (PCI), personally identified information, protected health information, GLBA data, export controlled data, FISMA regulated data, login credentials, and information protected by non-disclosure agreements.

Note regarding Classification of Research Data: The classification of research data depends on several factors that can and often do change as research progresses. It is incumbent upon the Researcher to know the type of data, the circumstances governing the data, and classify it accordingly.

Responsibilities for protection and security of these data may be found in the Data Protection and Security Policy.