University of Washington
Administrative Policy Statements
June 27, 2008 2.10.2

Minimum Data Security Standards:
Data Classification and Related Measures of Protection

(Approved by the Provost and Executive Vice President by authority of Executive Order No. 4, Senior Vice President for Finance and Facilities by authority of Executive Order No. 5, and the Vice President of UW Technology by authority of Executive Order No. 63)


2. Data Classification and Examples

The nature of the data largely determines what measures and operational practices need to be applied to protect it. To help clarify the various minimum requirements for UW data security, three categories of data have been defined. It is essential that those who are accountable for protecting the data (e.g., system owners and data custodians) understand and inventory their data assets according to these categories.

  • Confidential: Data that is very sensitive in nature and typically subject to federal or state regulations. Unauthorized disclosure of this data could seriously and adversely impact the UW or the interests of individuals and organizations associated with the UW. To avoid confusion with federal Executive Order 12958 for classified national security information, confidential documents and data may be labeled "UW Confidential."

  • Restricted: Data that is generally circulated and subject to disclosure laws, yet sensitive enough to warrant careful management and protection to ensure its integrity, appropriate access, and availability.

  • Public: Data that is published for public use or has been approved for general access by the appropriate UW authority.

In most cases, it will be obvious how to categorize data. When in doubt about how a particular data element or set of data should be classified, the safe "rule of thumb" is to default to the higher classification of the choices involved. In other words, it is better to err on the side of privacy and security protection until clarification can be obtained.

For electronic information where the integrity of the data is important, but the data itself is classified as "Public" (e.g., UW financial business records), the source of the data — "the master data" (application, database, authorized data collection point, etc.) — should be treated as "Restricted," and the published versions of those data (e.g., reports) can be treated as "Public" data.

Any questions about the classification of data can be forwarded to the UW Chief Information Security Officer (CISO) for review by the PASS Council.

The table below clarifies the nature of each data category and provides criteria for determining which classification is appropriate for a particular set of data. When using this table, a positive response for the most restrictive (highest risk) category in any row is sufficient to place that set of data into that category.

Columns: Confidential | Restricted | Public

Legal Requirements
  Confidential: Protection of data is required by law. (See examples of specific HIPAA and FERPA data elements below.)
  Restricted: UW has a contractual obligation or best practice (due care) reason to protect the data.
  Public: (none)

Risk Level
  Confidential: High
  Restricted: Medium
  Public: Low

Examples of Risk
  Confidential: The UW's reputation is tarnished by public reports of its failures to protect sensitive records of employees, students, or clients.
  Restricted: Data is disclosed unnecessarily or in an untimely fashion, which causes harm to UW business interests or to the personal interests of an individual.
  Public: Confusion is caused by corrupted information about enrollment and tuition that is displayed on the official UW Web site.

Examples of Specific Data

Confidential:
  • HIPAA — protected data when associated with a health record [1]
    • Patient names
    • Street address, city, county, zip code
    • Dates (except year) for dates related to an individual
    • Social Security numbers
    • Health conditions and symptoms
    • Prescriptions
    • Account/Medical record numbers
    • Health plan beneficiary information
    • Certificate and license numbers
    • Vehicle identification and serial numbers
    • Device identification and serial numbers
    • Biometric identifiers
    • Full-face images
    • Any other unique identifying number, characteristic, or code
    • Payment guarantor's information
    • Telephone and fax numbers
    • Email, URLs, and IP numbers
  • FERPA — individual student records [2]
    • Grades
    • Courses taken
    • Schedule
    • Test scores
    • Advising records
    • Educational services received
    • Disciplinary actions
    • Student identification number
    • Social Security number
    • Student private email (with exceptions related to UW business)
  • Export Controls (e.g., EAR, ITAR) [3]
  • Gramm-Leach-Bliley (GLB) [4]
    • Employee financial account information
    • Student financial account information (aid, grants, bills)
    • Individual financial information
    • Business partner and vendor financial account information
  • Employee information
    • Social Security number
    • Date of birth
    • Home address or personal contact information
    • Performance reviews
    • Specific benefit selections
  • Donor information
  • Library use records
  • Trade secrets, intellectual and/or proprietary research information
  • Information required to be protected by contract
  • Vendor non-disclosure agreements
  • Attorney/client privileged records
  • Restricted police records (e.g., victim information, juvenile records)
  • Computer account passwords
  • Certain affirmative action related data [5]

Restricted:
  • UW NetID account information
  • Contact information between the UW and business partners or vendors
  • Employee Internet usage
  • Telephone billing information
  • Parking permits
  • Location of assets
  • Critical infrastructure blueprints or schematics
  • Specific physical security measures
  • Specific technical security measures
  • Proprietary research
  • UW employee business-related email (including student employees, but only their work-related email)

Public:
  • Campus promotional material
  • Annual reports
  • Press statements
  • Job titles
  • Job descriptions
  • Employee work phone numbers (with special exceptions)
  • Employee work locations (with special exceptions)
  • Employee email addresses (with special exceptions)
  • Value and nature of fringe benefits
  • University of Washington business records


[1] Health Insurance Portability and Accountability Act (HIPAA) for the Human Subjects Division and Health Insurance Portability and Accountability Act (HIPAA) for UW Medicine

[2] Family Educational Rights and Privacy Act (FERPA)

[3] Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR)

[4] Gramm-Leach-Bliley Financial Services Modernization Act (GLB)

[5] UW Affirmative Action Data Collection
