Different Types of Data

Before storing or sharing information, you must determine the type of data involved.

Public: Publicly accessible data like employee contact information or University course information. This data may be placed on a publicly accessible website or sent to a third party without approval. Examples include:

  • Directory information for employees
  • Research data specifically classified as public

Sensitive: This category covers data that is owned by the University and must be protected from unauthorized access. Disposition of this data is generally at the discretion of the Data Owner. The location of that data must meet minimum security requirements set forth by the Data Owner. This information is generally sensitive to the institution and governed by policy, but not directly covered under any law or regulation. In some cases the Data Owner may deem it to be public, and at other times it may be restricted. Examples include:

  • HR data made available to employees or third parties
  • FERPA (Directory Information) made available to third parties
  • University Intellectual Property

Protected: This data is regulated or restricted based on federal or industry regulations in addition to institutional policies. Access can be granted by the Data Owner in some cases, but generally further restrictions are in effect based upon its classification. The difference between Sensitive and Protected is that Protected data must at all times be governed based on the regulatory environment, which in most cases takes precedence over competing University policies. Examples include:

  • FERPA-protected information such as student grades or class schedules
  • Personally Identifiable Information (PII) such as SSN
  • HIPAA or patient health information
  • PCI or credit card information
  • Export controlled data