The Data Classification Policy applies to anyone handling UW-Madison data.
There are four data classifications. From highest to lowest risk they are: Restricted (significant risk), Sensitive (moderate risk), Internal (some risk), and Public (little or no risk).
UW-Madison is adjusting the data classifications. A revision of the policy is in progress. In the meantime, here are the classifications as defined by the Data Stewardship Council.
Data should be classified as Restricted when the unauthorized disclosure, alteration, loss or destruction of that data could cause a significant level of risk to the University, affiliates or research projects. Data should be classified as Restricted if:
Data should be classified as Sensitive when the unauthorized disclosure, alteration, loss or destruction of that data could cause a moderate level of risk to the University, affiliates or research projects. Data should be classified as Sensitive if the loss of confidentiality, integrity or availability of the data could have a serious adverse effect on university operations, assets or individuals.
Data should be classified as Internal when the unauthorized disclosure, alteration, loss or destruction of that data could result in some risk to the University, affiliates, or research projects. By default, all Institutional Data that is not explicitly classified as Restricted, Sensitive or Public data should be treated as Internal data.
Data should be classified as Public prior to display on web-sites or once published without access restrictions; and when the unauthorized disclosure, alteration, loss or destruction of that data would result in little or no risk to the University and its affiliates.
The current policy identifies many specific data elements as being Sensitive, of which six are identified as Restricted. These are still accurate as a starting point for classification. It is the process of classifying data that has changed.
The most significant change to the policy is to use the default classifications of data elements as a starting point, and then adjust the classification of a data set based on the combination of data elements present, the regulatory environment, etc. Context is important.
Until the policy is revised, please continue to use the list of sensitive and restricted data elements as they are documented below. These are still accurate as a starting point for classification.
In addition to the information identified below, there are times when a data field is not considered sensitive when used alone but may be so when paired with other data. An example is date of birth. Date of birth is not considered sensitive when it stands alone, but if it is available along with social security number and name, it is considered sensitive.
Sensitive information may be subject to disclosure under certain circumstances. The University appropriately seeks to maintain systems that protect sensitive information in order to meet a variety of goals.
The data types listed below are those identified as of 6/22/2010.[i]
Sensitive Information means:
Other Data Types:
Institutional Data whose public disclosure is restricted by law, contract, University policy, professional code, or practice within the applicable unit, discipline, or profession, including but not limited to:
University and personal security measures, including but not limited to,
Institutional Data whose value would be lost or reduced by disclosure in advance of the time prescribed for its authorized public release, or whose disclosure would otherwise adversely affect the University financially, including but not limited to,
Please address questions or comments to email@example.com.