14.09 University Data Classification

Purpose

The University of Northern Iowa Data Classification policy is intended to provide the University with a method to categorize the information collected, stored, and managed by the University community. These data classifications will be used internally and referenced by other policies to improve the University’s ability to prevent, deter, detect, respond to, and recover from internal and external compromises to its electronic information resources. 

Scope

This policy applies to all persons or entities that have access to university data. It applies to all data utilized by the University community for the purpose of carrying out the institutional mission of research, teaching, outreach, and data used in the execution of required business functions, limited by any overriding contractual or statutory requirements.

Policy Statement

University data are essential to the operations of the University, and their quality and safety must be ensured to comply with legal, regulatory, and administrative requirements. Information will be classified according to the risk of unauthorized exposure and the resulting impact. University data shall be classified as Level I (low potential impact), Level II (moderate potential impact), or Level III (high potential impact).

Unless otherwise classified by a data custodian or policy, all University data shall be classified as Level II.

Usage of Terms

AVAILABILITY – A loss of availability is the disruption of access to or use of information or an information system.

CONFIDENTIALITY – A loss of confidentiality, for the purposes of this policy, is the unauthorized disclosure of information.

DATA CUSTODIAN – Data custodians are senior University officials who have planning, management, and policy-level responsibility for data within their functional areas. A data custodian has the authority to authorize or deny access to data. For example, the Registrar, Director of Human Resource Services, Director of Business Operations, Director of Admissions, Department Heads, Deans, Vice Presidents, and the University President would all be data custodians. University administrators may act as data custodians for departments under their authority.

DATA ELEMENT – A data element is the smallest portion of data contained within a larger document, database, or other electronic record.

INTEGRITY – A loss of integrity is the unauthorized modification or destruction of information.

POTENTIAL IMPACT – The level of adverse effect a loss of confidentiality, integrity, or availability could be expected to have on University operations, University assets, or individuals.

UNIVERSITY DATA – University data are information that supports the mission and operation of the University. They are a vital asset and are owned by the University. Some University data are shared across multiple units of the University as well as with outside entities.

Procedures

Data must be consistently protected throughout their life cycle in a manner commensurate with their sensitivity, regardless of where they reside or what purpose(s) they serve. Extracts of data shall carry the same classification level and utilize the same protective measures as the same data in the system of record.

Data custodians may use the negative potential impacts listed below to evaluate data under their purview when the data do not clearly fall under the laws, regulations, or examples listed. The highest negative impact rating received across the categories shall determine the classification of the data. Data that have no negative impact on the University but may cause significant harm to individuals must be classified as Level III. Most of the legal and regulatory requirements are driven by confidentiality and integrity concerns.

Determination of Impact Classification

Special Considerations for FERPA data

Certain types of FERPA data, such as student grades maintained by an instructor, class lists, and lists of students in a major in a department, are classified as Level II, regardless of FERPA protections. Easy access to such materials by appropriate University personnel is critical to support the University of Northern Iowa's mission. As the named FERPA Officer for the University of Northern Iowa, the University Registrar shall be a data custodian for FERPA-protected data and may classify other types of FERPA data as Level II at their discretion. Certain FERPA protections only apply at the request of the student; such restricted data will be Level II or III at the discretion of the University Registrar.

Level I: Low Potential Impact:

Level I data may or must be open to the general public. This information is not restricted by local, state, national, or international statute regarding disclosure or use. Access is available to the general public but may need to be granted by the Data Custodian.

The loss of confidentiality of Level I data should be expected to have limited adverse effects on University operations, University assets, or individuals. A loss of integrity or availability of Level I data may have limited adverse effects on University operations, University assets, or individuals.

The loss of confidentiality of Level I data may result in some of the following:

  1. No loss of mission capability, but inconveniences may be experienced by some individuals
  2. No damage to university assets
  3. No financial damages and/or fines
  4. Insignificant harm to individuals
  5. Little, if any, negative impact on the University’s reputation

The loss of availability or integrity of Level I data may result in some of the following:

  1. Limited degradation in or loss of mission capability to an extent and duration that the University is able to perform its primary functions, but the effectiveness of the functions may be noticeably reduced.
  2. No or very minor damage to university assets
  3. No direct financial damages and no fines
  4. Insignificant indirect financial damages
  5. Insignificant harm to individuals
  6. Possible negative impact on the University’s reputation, generally dependent on the visibility of loss of integrity or availability to the community

Examples include published “white pages” directory information, maps, departmental websites, lists of email addresses, academic course descriptions, and other information readily published and provided to the public at large.

Level II: Moderate Potential Impact:

Level II data are information whose access must be guarded due to proprietary, ethical, or privacy considerations. This classification applies even where no statute requires such protection. This information is not intended for public dissemination, but its disclosure is not restricted by federal or state law, with the exception of the certain types of FERPA data described above, which are classified as Level II.

Unless otherwise classified by a data custodian or policy, all University data shall be classified as Level II. Level II data may or may not be available for public examination per university policy 10.04 Examination of Public Records and 10.04A Public Records Exemption for Security-Related Information.

The loss of confidentiality, integrity, or availability of Level II data should be expected to have moderate adverse effects on University operations, University assets, or individuals.

The loss of confidentiality, integrity, or availability of Level II data may result in some of the following:

  1. Limited degradation in or loss of mission capability to an extent and duration that the University is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced.
  2. Minor damage to university assets
  3. Minor direct financial damages and/or fines
  4. Minor indirect financial damages
  5. Minor harm to individuals
  6. Minor negative impact on the University’s reputation

Examples include student grades maintained by an instructor, class lists, lists of students in a major in a department, internal memos, email communications, and other documents not intended for public distribution that are not otherwise Level III data.

Level III: High Potential Impact:

Level III data include all data protected by federal or state law, including, but not limited to, FERPA (excluding the exceptions described above), HIPAA, the Gramm-Leach-Bliley Act, and Iowa’s Personal Information Security Breach Protection law (Iowa Code Chapter 715C), as well as data protected by the Payment Card Industry Data Security Standard (PCI DSS) and other contractual obligations. Level III data also include any data requiring protections as specified in the Federal Acquisition Regulations and their supplements, including but not limited to the Defense Federal Acquisition Regulation Supplement (DFARS); the International Traffic in Arms Regulations (ITAR) and/or Export Administration Regulations (EAR); and any data required by law or contract to meet standards specified in the National Institute of Standards and Technology (NIST) Special Publication 800 series.

The loss of confidentiality, integrity, or availability of Level III data should be expected to have serious adverse effects on University operations, University assets, or individuals. The loss of confidentiality, integrity, or availability of Level III data may result in some of the following:

  1. Severe degradation in or loss of mission capability to an extent and duration that the University is not able to perform one or more of its primary functions
  2. Major damage to university assets
  3. Major direct financial damages and/or fines
  4. Major indirect financial damages
  5. Significant harm to individuals
  6. Major negative impact on the University’s reputation

Examples include credit card numbers, social security numbers, driver’s license numbers, health records, student transcripts, financial aid data, and human subject research data that identify an individual. Other examples include credentials used for authentication, such as passwords, passphrases, or fingerprints, as well as the data stored to allow self-service reset of those credentials. Typically, but not always, Level III data are not subject to public examination per university policy 10.04 Examination of Public Records and 10.04A Public Records Exemption for Security-Related Information.

Intermingling of Data Classifications

Multiple classifications of data may reside together in the same document, database, or electronic record. A document, database, or electronic record containing multiple classifications of data shall be classified according to the highest level of any single data element contained therein. Adequate redaction or removal of data elements will cause a document, database, or electronic record to be reclassified according to its new contents.

Information Technology Services, approved April 12, 2015
President’s Cabinet, approved May 19, 2015
President and Executive Management Team, approved June 1, 2015
[Last reviewed and/or updated (IT): 6/4/2020]