University of Alaska Data Classification Standards

Overview

The University of Alaska (UA) defines Data Classification Standards for the UA system in Policy & University Regulation R02.07.090. The regulation is reproduced below for ease of access; however, the authoritative version is the policy referenced above.

 

R02.07.090 General Statement

The University of Alaska (UA) generates, acquires, and maintains a large number of electronic records. In addition, UA often enters into relationships with third parties who maintain electronic records and information associated with these relationships. UA, as well as its affiliates, are often legally required to limit access to, distribution of, and/or disclosure of electronic records and information. The approach at UA is to adopt a classification scheme for all data.

 

R02.07.091 Purpose

Data classification standards help personnel who own and maintain information resources and systems to determine the sensitivity of the data within those systems. This regulation is designed to prevent the following:

  • Unauthorized internal access to electronic information
  • Unauthorized external access to electronic information
  • Illegal or otherwise inappropriate use of UA electronic information
  • Loss, corruption, or theft of UA electronic information

 

R02.07.092 Applicability

This classification standard applies to all data associated with UA business; to any other data caches located at any UA entity and covered by statutory or regulatory compliance requirements; and to data caches on the information systems of UA affiliates. Data associated with UA-hosted research that represents significant intellectual property interests are subject to this standard and may be subject to other specific protective requirements. These standards apply to all individuals who have access to and use UA information systems and data, particularly UA systems owners and designated custodians who have special responsibilities under the standards. Questions about the applicability of this standard can be forwarded to the UA Chief Records Officer.

 

R02.07.093 Data Classification and Examples

The nature of any particular data set largely determines what measures and operational practices need to be applied to protect it. To help clarify the specific minimum requirements for UA data security, three classes of data are defined. The people who are accountable for protecting the data must understand and inventory their data assets according to these categories.

  1. Restricted Data: Data classified as restricted may be subject to disclosure laws and warrant careful management and protection to ensure its integrity, appropriate access, and availability. This information is considered private and must be guarded from disclosure. Unauthorized exposure of this information could contribute to ID theft or financial fraud, and violate State and Federal law. Unauthorized disclosure of restricted data could adversely affect the university or the interests of individuals and organizations associated with the university.

  2. Internal Use Data: This class encompasses information that is generally not available to parties outside the University of Alaska community such as non-directory listings, minutes from non-confidential meetings, and internal websites. Public disclosure of this information would cause minimal trouble or embarrassment to the institution. The university may have a duty to make this data available on demand under the Alaska Public Record Act (AS 40.25.110).

  3. Public Data: Public data is data that is published for public use or has been approved for general access by the appropriate UA authority.

    In most cases categorizing the data will be obvious. When in doubt about how a particular data element or data set is classified, data custodians should use caution by defaulting to the higher class of the choices involved. In other words, it is better to err on the side of privacy and security protection until clarification is obtained.

    The source data used to produce important reports, such as UA financial records, are treated as restricted or internal use even though the reports created from them are treated as public information. Data classification questions may be forwarded to the UA Chief Records Officer for review.

 

R02.07.094 Categories

The Data Classification Categories table clarifies the nature of each data category and provides criteria for determining which classification is appropriate for a particular set of data. When using this table, a positive response for the most restrictive (highest risk) category in any row is sufficient to place that set of data into that category.

 

Data Classification Categories

Classes: Restricted, Internal Use, Public

Legal Requirements
  • Restricted: Protection of data is required by law or best practices
  • Internal Use: UA has best practice (due care) reasons to protect data
  • Public: Data approved for general access by appropriate UA authority

Risk Level
  • Restricted: High
  • Internal Use: Medium
  • Public: Low

Consequences of Exposure
  • Restricted: The University’s reputation is tarnished by public reports of its failures to protect restricted records of students, employees, clients, or research. Such failure may subject the University to litigation.
  • Internal Use: Data is disclosed unnecessarily or in an untimely fashion, which causes harm to UA business interests or to the personal interests of an individual.
  • Public: Confusion is caused by corrupted information about enrollment and tuition that is displayed on the official UA web site.

Examples of Specific Data
  • HIPAA
  • FERPA
  • Research – EAR, export controls, ITAR, TCP, safeguarding confidential information
  • Information required to be protected by contract
  • Human subjects identifiable research data
  • Trade secrets, intellectual property and/or proprietary research
  • Attorney/client privileged records
  • Payment Card Industry
  • University banking records
  • Restricted police records
  • Computer account passwords
  • Gramm-Leach-Bliley
  • Certain affirmative action related data
  • Alaska Personal Information Protection Act
  • Library records confidentiality
  • Employee Internet usage
  • Specific technical security measures
  • UA employee business-related email (including student employees, but only their work-related email)
  • Location of assets
  • Faculty promotion, tenure, evaluations
  • Supporting documents for UA business functions
  • Public research
  • Supporting documents for UA business functions
  • Aggregate human subjects research data
  • Animal research
  • Proposal records
  • Campus promotional material
  • Annual reports
  • Press statements
  • Job titles
  • Job descriptions
  • Employee work phone numbers (with special exceptions)
  • University of Alaska business records
  • Employee work locations (with special exceptions)
  • Employee email addresses (with special exceptions)