Policy Statement

To provide the basis for protecting the confidentiality of data at the University of Florida by establishing a data classification system. Further policies and standards will specify handling requirements for data based on their classification.

Applicability

This standard applies to all data or information that is created, collected, stored or processed by the University of Florida, in electronic or non-electronic formats.

Definitions

University of Florida Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of the information security program.

Policy Specifics

All data at the University of Florida shall be assigned one of the following classifications. Collections of diverse information should be classified according to the most secure classification level of any individual information component within the aggregated information.

  1. Restricted: Data in any format collected, developed, maintained or managed by or on behalf of the university, or within the scope of university activities, that are subject to specific protections under federal or state law or regulations or under applicable contracts. Examples include, but are not limited to, medical records, social security numbers, credit card numbers, Florida driver licenses, non-directory student records and export-controlled technical data.
  2. Sensitive: Data whose loss or unauthorized disclosure would impair the functions of the university, cause significant financial or reputational loss or lead to likely legal liability. Examples include, but are not limited to, research work in progress, animal research protocols, financial information, strategy documents and information used to secure the university's physical or information environment.
  3. Open: Data that does not fall into any of the other information classifications. This data may be made generally available without specific information owner's designee or delegate approval. Examples include, but are not limited to, advertisements, job opening announcements, university catalogs, regulations and policies, faculty publication titles and press releases.

Review and Adjudication

  1. Data owners are responsible for appropriately classifying data.
  2. Data custodians are responsible for labeling data with the appropriate classification and applying required and suggested safeguards.
  3. Data users are responsible for complying with data use requirements.
  4. Data users are responsible for immediately referring requests for public records to the University Relations Division – Office of Public Affairs or to the Office of the Vice President and General Counsel.

Policy Violations

Failure to comply with this policy could result in disciplinary action for employees, up to and including termination. Volunteers may have their volunteer status terminated.

History

Revision Date     Description
April 26, 2012    Policy originally adopted
                  Policy updated