The Data Classification Policy specifies that all university data must be assigned one of three levels based upon confidentiality requirements: Open, Sensitive or Restricted. Data trustees are given the responsibility of appropriately classifying data in accordance with policy

The classification should be a list of specific data types used within a unit, corresponding classifications, and any special handling specifications. The task of preparing the classification may be delegated, but the data owner must explicitly approve the final document. This classification must be documented and communicated with data users and custodians. Data custodians then apply appropriate controls based on these classifications, and data users comply with the use requirements.

Controls appropriate to the different data classifications are specified in information security policies and standards. Data classifications, including ‘Open’, are not related to the applicability of public records laws to specific data. All requests for public records are to be forwarded to the University General Council, regardless of the classification of requested data.

Initial Classification

Data owners can use the table below as an initial classification of data within their unit. Data types that have classifications mandated (due to applicable laws, regulations or contracts) and those that are in common use throughout the university are included. Data owners must add any other data types used in the unit.

Data TypeClassificationJustification
Student records (non-directory)RestrictedFERPA
Patient health or dental records (identifiable)RestrictedHIPAA
Patient billing recordsRestrictedHIPAA
Export Controlled dataRestrictedITAR, EAR
Credit card cardholder dataRestrictedPCI, FISA (F.S. 501.171)
Social Security Numbers1RestrictedFIPA (F.S. 501.171) Fla. Stat. 119.071
Personally Identifiable Information (PII defined by FIPA)RestrictedFIPA (F.S. 501.171)
Animal research protocolsSensitiveCompetitive and commercial potential, security concerns
De-identified patient information2SensitiveHIPAA
System security plansSensitiveProtective information
Unpublished research resultsSensitiveCompetitive and commercial potential
Exams (question banks and answer keys)SensitiveExam integrity
Employee data (not including SSN)SensitiveEmployee privacy
UF Directory (students & staff)OpenFERPA
University regulationsOpenIntended for public use
Course catalogOpenIntended for public use
Public web sitesOpenIntended for public use
1. Use and/or storage of social security numbers must be approved by the UF Privacy Office. See http://privacy.ufl.edu/SSNPrivacy.html
2. In order to be considered de-identified, data must meet requirements in the UF Privacy Office Operational Guidelines http://privacy.ufl.edu/uf-health-privacy/policies-procedures/operational-guidelines/

Definitions

Data owner: Senior leadership, typically at the dean, director or department chair level, with the ultimate responsibility for the use and protection of university data.

Data custodian: The staff member, typically one primarily responsible for IT, that is responsible for implementation of security controls for university data.

Data user: Any member of the university community that has access to university data, and thus is entrusted with the protection of that data.

References

More Information

Data Classification Guidelines