From an information security perspective, data classification is the categorization of data according to the severity of adverse effects should those data be disclosed, altered, or destroyed without authorization.

Classification is an essential first step in data management. We use data classification to help select appropriate security controls for storing, processing, transferring, and sharing data. Ultimately, classification helps us protect the confidentiality, integrity, and availability of data.

For example, data classification helps:

• Protect the privacy of faculty, staff, students, research participants, and patients.
• Safeguard data provided to WashU by external individuals or entities for use or storage by the university.
• Preserve the integrity of research by preventing unauthorized access, alteration, or destruction of data.
• Ensure the continuous availability of systems and data in order to conduct normal operations.
• Provide the WashU community with resources to reduce the material, legal, and reputational costs of data breaches.
• Assist the WashU community in meeting requirements specified in laws, regulations, rules, and policies (e.g., federal, state, institution).

The Office of Information Security reviews tools and services to help members of the WashU community protect data, systems, and privacy in accordance with federal, state, and institutional requirements. For a list of available and approved tools and services for your research and data management needs, please visit our Secure Storage and Communication Services page.

A Note about Sensitive Data

The word “sensitive” often describes data that, if disclosed without authorization, could result in harm. Sensitive data includes categories such as protected information, confidential data, personally identifiable information (PII), protected health information (PHI), and controlled unclassified information (CUI).

No exhaustive list of sensitive data exists because sensitivity depends on context. For example, individual pieces of data that are not considered sensitive on their own may become sensitive when taken together. In combination, they may be used to identify an individual. 

Because what is sensitive can vary from one situation to the next, we do not use this term as an official classification. Anyone handling data has a responsibility to think critically about the sensitivity of those data and how unauthorized disclosure might impact the individuals, the institution, and other stakeholders.

Data Classification Categories

There is no universal system of data classification. Universities vary in how they label data classifications, but all classification systems work toward the same goal—safeguarding people and data from risk.

For the sake of clarity, simplicity, and ease of guidance, we use the following categories: Confidential Data, Controlled Unclassified Information (CUI), Protected Data, and Public Data. Each is described below.

Domains of Information Examples

Domain	Protected Information	Confidential Information	Public Information
Cross-domain Identifiers	SSN, Biometrics (finger and voice prints, facial scans)	Last 4 Digits of SSN, University ID numbers	Username
Student	Driver’s license, passport, credit card or banking information, loan/FAFSA data	Individual grades, academic transcript, class schedule, date of birth, advising notes, Student Address, Phone	Student name, major, degree
Human Resources	I-9 Form data; payroll direct deposit account number	Employee home address, Employee offer letters, faculty tenure recommendations	Employee name
Health	Patient record, faculty/staff immunization record
Facilities		Detailed floor plans showing gas, water, sprinkler shut-offs, hazardous materials	Campus map showing buildings, names, addresses, parking, lighted pathways, emergency phones, etc.
Finance	FAFSA data, loan disbursement data, delinquent account or collection, treasury (electronic claims)	Tax deductions or contributions, Capital asset data, chart of accounts, Budget

Related

New Security Model, Data at WashU