Data Classification Guide

Purpose

This Guideline defines standards and methodology for assessing Impact Levels, specifying data usage guidelines, and assigning a corresponding Data Classification to Data Types and Data Sets. It further defines roles and responsibilities for implementing this approach to mitigating the risk of data breach.

It is useful to recognize two contexts in which data is used:

Usage 1: Within a System of Record that is operated under the direction of an identified Data Steward.
Usage 2: Outside of a System of Record by employees using the data in the course of their work.

Mitigating risk of breach in Usage #2 is the objective of this Guideline. Employees may not have a deep understanding of the risks of a breach associated with each confidential data type. Hence, a Data Classification is assigned to each data set to aid them in handling the data appropriately, and a Data Usage Guide is maintained that gives clear guidance on how they may handle various data types. The Data Classification and Data Usage Guide help employees understand how to meet their obligations to properly handle Confidential Information as required by HR Policy U601. Note that in Usage #2, the type of device or system may not always be the conventional laptop or desktop. Internet of Things devices, such as printers, health sensors, or even door locks, may contain uniquely personal or sensitive types of data subject to this classification guideline. Employees should seek guidance from local technology professionals when uncertain of the sensitivity of a given device or system’s data.

Risk of breach in Usage #1 is mitigated primarily by processes incorporated into the operation of Systems of Record as directed by Data Stewards, and by the Data Usage Request process by which Data Stewards inform recipients of data from Systems of Record of their obligations in using the data.

Definitions

breach	A loss of confidentiality, integrity, or availability that has the potential to cause some level of negative impact to the University or to individuals.
Impact Level	A summary assessment of degree of impact in case of data breach that begins to suggest the security safeguards used to protect the data. One of High, Moderate, Low, Public, or Overriding Circumstance (defined below).
Data Usage Guide	A University website that provides information to employees about Data Types, Data Classifications, and specific guidance on appropriate use of storage and transmission services and other handling obligations.
Data Set	A set of data records collated to support a specific activity.
Data Type	A specific category of information (e.g., student records, personally identifiable information, protected health information, financial records, etc).
Data Classification	A simple and high level means of identifying the level of security and privacy protection to be applied to a Data Type or Data Set and the scope in which it can be shared. One of Public, Internal, or Restricted (defined below).
Data Steward	A person responsible for defining or creating confidential Data Sets and the policies and access authorization for those data sets.
Data Custodian	A person with operational or management responsibility over Data Sets stored in their information system(s).
sensitive or confidential data	General terms for data sets whose breach has the potential to cause harm to the University or to individuals.
Confidential Information	As defined in HR Policy U601.

Impact Levels

The following standard, drawn from FIPS Publication 199, forms the basis for assigning an Impact Level of a data breach. Security safeguards for each Data Type expressed in the Data Usage Guide should appropriately reflect its Impact Level.

	Impact Level
Security Objective	High	Moderate	Low
Confidentiality Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.	The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on University operations, University assets, or individuals.	The unauthorized disclosure of information could be expected to have a serious adverse effect on University operations, University assets, or individuals.	The unauthorized disclosure of information could be expected to have a limited adverse effect on University operations, University assets, or individuals.
Integrity Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.	The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on University operations, University assets, or individuals.	The unauthorized modification or destruction of information could be expected to have a serious adverse effect on University operations, University assets, or individuals.	The unauthorized modification or destruction of information could be expected to have a limited adverse effect on University operations, University assets, or individuals.
Availability Ensuring timely and reliable access to and use of information.	The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on University operations, University assets, or individuals.	The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on University operations, University assets, or individuals.	The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on University operations, University assets, or individuals.

An additional Impact Level of Public is available for Confidentiality only, with the meaning that a breach will have no adverse impact to the University or to individuals.

Some Data Types are subject to specific external regulation or internal policy that define the security safeguards that must be employed, i.e., it’s not dependent on our own risk assessment. These are noted as Overriding Circumstance. For example, payment card data handling is determined by University policies that comply with PCI-DSS standards, and permission to store or transmit this type of data must not be given by means of a data classification guideline or policy.

Maintaining Confidentiality, Integrity, and Availability are the three objectives that security safeguards can hope to meet. Impact Level and Data Classification discussions focus primarily on Confidentiality and occasionally on Integrity. Availability is primarily a function of how systems are operated, for which appropriate security safeguards are chosen by other means, notably the Security Guidelines published by IT Services.

Assessing Impact Level of a Potential Breach

The process of assessing the Impact Level of a potential breach is primarily an exercise of good judgment from a University perspective. The risk to the University’s operations, assets, or individuals must be weighed against the cost to implement security protections and the impediment to operations they may cause, and the concerns to be balanced may be difficult or impossible to quantify. Following are several considerations to inform that judgment:

Security objectives
All three security objectives defined above should be considered.

Scope of impact
A breach may be seen as severe or catastrophic from the perspective of those directly impacted, but that need not imply it is severe or catastrophic from a University perspective.

High water mark
A breach of a data type for which there are several kinds of potential impact should be assigned the Impact Level corresponding to the greatest of all potential impacts. A similar principle holds when considering breach of a data set containing multiple data types.

Combination and context
A particular field that is part of a confidential Data Type might be sensitive only when combined with other data in a data set. E.g. SSNs belong to a “personally identifiable information” Data Type, but breach of a list containing nothing but SSNs has no negative impact to individuals since there are no names or other personally identifiable information associated with them.

Regulations and contracts
Assignment of Impact Level should be consistent with any obligations the University may have due to regulations it is subject to or contracts it has executed. This might, but need not, imply that Data Types covered by regulation or contract have High Impact Level.

Ability to operate
A breach that could lead to severe degradation in or complete loss of ability to operate one of the University’s primary functions should be assigned the High Impact Level. One that causes a significant degradation, substantially impacting the effectiveness of a primary function but allowing it to continue, should be assigned the Moderate Impact Level. A breach that causes a noticeable degradation, noticeably impacting the effectiveness of a primary function but allowing it to continue, should be assigned the Low Impact Level.

Assets
A breach that could result in major damage to University assets or major financial loss should be assigned the High Impact Level. One that could result in significant damage to University assets or significant financial loss should be assigned the Moderate Impact Level. A breach that could result in minor damage to University assets or minor financial loss should be assigned the Low Impact Level. For this purpose, an asset might be tangible or intangible, e.g., reputation or intellectual property.

Welfare of individuals
A breach that could result in severe harm to individuals involving threat to life or physical injury should be assigned the High Impact Level. One that could result in significant harm to individuals but does not threaten their physical well-being should be assigned the Moderate Impact Level. A breach that could result in minor harm to individuals should be assigned the Low Impact Level.

Process to Define Data Usage Guidance

The process to identify services acceptable for storing or transmitting a given type of confidential data is as follows:

Define or enumerate the Data Type under consideration and purpose for which it is maintained.
Assess the Impact Level in case of a breach as above. Is there an Overriding Circumstance? Note any scenarios under which a breach might have different levels of impact, (e.g., if only a small set of records are improperly altered, lost, stolen, or exposed or are only partially exposed in some manner).
Note any specific safeguards that may be especially pertinent, e.g., system audit capabilities, encryption, user access controls, workflow processes, operating procedures, user training, certification, etc.
Consult with IT Security on how well each of the storage and transmission services in the Data Usage Guide meet these considerations. Then make a business decision which of them present an acceptable risk for use with the Data Type, taking into account any strong or weak points each service has. Note any service-specific usage profiles or stipulations that should pertain, e.g., email can be used to transmit the data only if it is in an attached document that is appropriately encrypted.
Assign a Data Classification to be associated with this Data Type.

The Data Type definition, assigned Data Classification, and proposed data usage guidance to be incorporated into the Data Usage Guide should be provided to the University’s Chief Information Security Officer (CISO). The CISO will review and may revise the materials and bring the result to the University’s Data Stewardship Council, or other appropriate authoritative body, to review and ask for their endorsement. Accepted materials will be incorporated into the Data Usage Guide.

Data Classifications

The following classifications are associated with each Data Type or Data Set as a means of identifying the level of security and privacy protection to be applied to it and the scope in which it can be shared. Associated Impact Level values define the Data Classification that should be applied to a Data Type or Data Set with the corresponding Impact Level.

Data Classification	Definition	Impact Levels
Restricted	Confidential information requiring the highest level of security and privacy protection. Access is only permitted as directed by the associated Data Steward or applicable University authority.	High, Moderate, or Overriding Concern
Internal	Confidential information requiring diligent security and privacy protection. Information may be shared within the University and its Medical Center on a need to know basis.	Low
Public	Information may be published and shared freely.	Public

Roles and Responsibilities

Data Stewards

assess Impact Levels
specify data usage guidelines
assign a corresponding Data Classification to Data Types or Data Sets
authorize access to data for which they are responsible
use reasonable means to inform those receiving or accessing the data of their obligations in so doing

Data Custodians

ensure that systems handling Restricted or Internal data provide security and privacy protections according to the Data Classification, the Data Steward’s policies, obligations, and authorizations, and as may be identified in the Data Usage Guide
use reasonable means to inform those accessing data sets in their control of their obligations in so doing

Employees

observe the constraints and directions of Data Stewards and Data Custodians
follow the Data Usage Guide in their handling of confidential information

The CISO

maintains the Data Usage Guide and the framework defined by this guideline
reviews, amends, and prepares proposed enhancements to either the Data Usage Guide or this guideline for review and endorsement by the Data Stewardship Council or other appropriate authoritative body
annually reviews the Data Usage Guide and this Guideline with the Data Stewardship Council and other appropriate authoritative bodies

Data Types

Data Types are used in this guideline to make the process efficient and standardized yet observant of specific requirements that occur in context. HR Policy U601 identifies a number of Data Types termed “confidential information” and sets forth several usage guidelines. Their definitions and Data Classifications are provided in the following table.

Data Type	Description & Examples	Data Classification
Attorney/Client Privileged Information	Confidential communications between a client and an attorney for the purpose of securing legal advice. For the privilege of confidentiality to exist, the communication must be to, from, or with an attorney. Communications related to a lawsuit. Communications related to a contract, such as email between the Office of Legal Counsel and Procurement Services related to a contract dispute with a vendor.	Restricted
Attorney Working Documents	Internal investigation information, pre-litigation, and non-public litigation and administrative agency charge, audit and inquiry information.	Restricted
Contractual Non-Disclosure	Information, materials, data and records designated confidential by by contract, including information obtained by the University from third parties under non-disclosure agreements or any other contract that designates third party information as confidential.	Internal
Departmental Administration	Budgetary, departmental, or University planning information. Non-public financial, procurement, health/safety, audit, insurance and claims information.	Internal
Export Controlled Research (ITAR, EAR)	Export Controlled Research includes information that is regulated for reasons of national security, foreign policy, anti-terrorism, or non-proliferation. The International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) govern this data type. Current law requires that this data be stored in the U.S and that only authorized U.S. persons be allowed access to it. Chemical and biological agents Scientific satellite information Certain software or technical data Military electronics Nuclear physics information Documents detailing work on new formulas for explosives	Restricted
FISMA Data	The Federal Information Security Management Act (FISMA) requires federal agencies and those providing services on their behalf to develop, document, and implement security programs for information technology systems and store the data on U.S. soil. This means that, under some federal contracts or grants, information the University collects or information systems that the University uses to process or store research data need to comply with FISMA.	Restricted
Law Enforcement Information	Non-public law enforcement records generated or maintained by the University of Chicago Police Department.	Restricted
Payment Card Industry (PCI) Information	Information related to credit, debit, or other payment cards. This data type is governed by the Payment Card Industry (PCI) Data Security Standards and overseen by the Bursar’s Office. Credit or debit card numbers cannot be stored in any electronic format without the expressed, written consent of the Bursar’s Office. Exclusive of an individual’s personal or University credit card information. Cardholder name Credit/debit card account number Credit/debit card expiration date Credit/debit card verification number Credit/debit card security code	Restricted
Private Personal Information	This is a category of sensitive information that is associated with an individual person, such as an employee, student, or donor. For everyone: Social Security number National ID number Passport number Visa permit number Driver’s license number Bank and credit/debit card numbers Tax information (e.g., W-2, W-4, 1099) Disability information Ethnicity Gender Biometric information For employees: Biographic/demographic data (Date and location of birth, Country of citizenship, Citizenship status, Marital status, Military status) Criminal record & criminal background check information Home address Grievance information Discipline information Leave-of-absence reason Payroll and benefits information Health information Conflict of Interest information For donors: Biographic/demographic data Contact information Prospect data Gift and gift-planning data	Restricted
Proprietary Intellectual Property	Proprietary intellectual property in which the University asserts ownership that is created by University employees in connection with their work.	Internal
Protected Health Information	Protected Health Information (PHI) is defined by the Health Insurance Portability and Accountability Act (HIPAA). PHI is individually identifiable health information that relates to the Past, present, or future physical or mental health or condition of an individual. Provision of health care to the individual by a covered entity (for example, hospital or doctor). Past, present, or future payment for the provision of health care to the individual. The following individually identifiable data elements, when combined with health information about that person, make such information protected health information (PHI): Names Telephone numbers Fax numbers Email addresses Social Security numbers Medical record numbers Health plan beneficiary numbers License plate numbers URLs Full-face photographic images Any other unique identifying number, characteristic, code, or combination that allows identification of an individual	Restricted
Sensitive Identifiable Human Subject Research	Individually identifiable research data containing sensitive information about human subjects. A human subject is a living individual about whom a researcher obtains data and information that can be used to identify him or her. The researcher determines whether the data is sensitive or not, based on privacy and ethical considerations. This data type is governed by the Federal Policy for the Protection of Human Subjects (also called the “Common Rule”). Among other requirements, the Common Rule mandates that researchers protect the privacy of subjects and maintain confidentiality of human subject data. Illegal behaviors Drug or alcohol abuse Sexual behavior Mental health or other sensitive health or genetic information Any data collected under a National Institutes of Health (NIH) Certificate of Confidentiality A Data Use Agreement may define additional constraints on the handling of a covered data set.	Restricted
Student Education Records (FERPA)	Records that contain information directly related to a student and that are maintained by the University or by a person acting for the University. The Family Educational Rights and Privacy Act (FERPA) governs release of, and access to, student education records. “Directory information” about a student is not regulated by FERPA and can be released by the University without the student’s permission. Students can request non-disclosure from the Registrar’s Office.	Restricted
Student Loan Application Information (GLBA)	Personal financial information held by financial institutions and higher education organizations as related to student loan and financial aid applications. Gramm Leach Bliley Act (GLBA) provisions govern this data type.	Restricted
Unpublished Research	Unpublished grant proposals, research data, manuscripts and associated correspondence.	Internal

Category: Security
Policy Owner: mmorton