From an information security perspective, data classification is the categorization of data according to the severity of adverse effects should those data be disclosed, altered, or destroyed without authorization.

Classification is an essential first step in data management. We use data classification to help select appropriate security controls for storing, processing, transferring, and sharing data. Ultimately, classification helps us protect the confidentiality, integrity, and availability of data.

For example, data classification helps:

  • Protect the privacy of faculty, staff, students, research participants, and patients.
  • Safeguard data provided to WashU by external individuals or entities for use or storage by the university.
  • Preserve the integrity of research by preventing unauthorized access, alteration, or destruction of data.
  • Ensure the continuous availability of systems and data in order to conduct normal operations.
  • Provide the WashU community with resources to reduce the material, legal, and reputational costs of data breaches.
  • Assist the WashU community in meeting requirements specified in laws, regulations, rules, and policies (e.g., federal, state, institution).

The Office of Information Security reviews tools and services to help members of the WashU community protect data, systems, and privacy in accordance with federal, state, and institutional requirements. For a list of available and approved tools and services for your research and data management needs, please visit our Secure Storage and Communication Services page.

A Note about Sensitive Data

The word “sensitive” often describes data that, if disclosed without authorization, could result in harm. Sensitive data includes categories such as protected information, confidential data, personally identifiable information (PII), protected health information (PHI), and controlled unclassified information (CUI).

No exhaustive list of sensitive data exists because sensitivity depends on context. For example, individual pieces of data that are not considered sensitive on their own may become sensitive when taken together, because in combination they may be used to identify an individual.
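The point that harmless-looking fields can become identifying in combination is easy to check mechanically. The following is an added example, not part of the original page and not WashU's own tooling: it takes a constructed table of records (the zip codes, birth years, and departments are made up, not real people) and, using the k-anonymity idea, reports which combinations of fields single out fewer than k records. Those combinations are the ones a data steward should treat as sensitive even though every field looks innocuous alone.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (not real individuals). Each column looks
# harmless on its own; the question is which combinations identify someone.
FIELDS = ("zip", "birth_year", "sex", "dept")
RECORDS = [
    {"zip": "63130", "birth_year": 1985, "sex": "F", "dept": "Biology"},
    {"zip": "63130", "birth_year": 1985, "sex": "M", "dept": "Biology"},
    {"zip": "63130", "birth_year": 1990, "sex": "F", "dept": "Physics"},
    {"zip": "63130", "birth_year": 1990, "sex": "M", "dept": "Physics"},
    {"zip": "63112", "birth_year": 1985, "sex": "F", "dept": "Physics"},
    {"zip": "63112", "birth_year": 1985, "sex": "M", "dept": "Physics"},
    {"zip": "63112", "birth_year": 1990, "sex": "F", "dept": "Biology"},
    {"zip": "63112", "birth_year": 1990, "sex": "M", "dept": "Biology"},
]


def equivalence_classes(records, fields):
    """Count how many records share each combination of values for `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def min_group_size(records, fields):
    """k-anonymity of the projection onto `fields`: the size of the smallest
    group of records that share the same values. A result of 1 means at
    least one individual is uniquely identifiable from those fields."""
    return min(equivalence_classes(records, fields).values())


def identifying_combinations(records, fields, k=2):
    """Return every combination of fields (of any size) whose joint values
    single out fewer than k records. These are the combinations that must
    be handled as sensitive even if each field alone is not."""
    risky = []
    for n in range(1, len(fields) + 1):
        for combo in combinations(fields, n):
            if min_group_size(records, combo) < k:
                risky.append(combo)
    return risky


if __name__ == "__main__":
    for f in FIELDS:
        print(f"{f:>10}: smallest group = {min_group_size(RECORDS, (f,))}")
    print("combinations that identify an individual (k=2):")
    for combo in identifying_combinations(RECORDS, FIELDS):
        print("  ", " + ".join(combo))
```

On this constructed table no single field and no pair of fields narrows the data to one person (every group has at least two members), but zip + birth year + sex identifies every record, so a release containing those three columns together carries a different classification than a release of any one of them. The k threshold is a policy choice; raising it makes the check stricter.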

Because what is sensitive can vary from one situation to the next, we do not use this term as an official classification. Anyone handling data has a responsibility to think critically about the sensitivity of those data and how unauthorized disclosure might impact the individuals, the institution, and other stakeholders.

Data Classification Categories

There is no universal system of data classification. Universities vary in how they label data classifications, but all classification systems work toward the same goal—safeguarding people and data from risk.

For the sake of clarity, simplicity, and ease of guidance, we use the following categories: Confidential Data, Controlled Unclassified Information (CUI), Protected Data, and Public Data. Each is described below.

Confidential Data

Confidential data is not subject to legal regulation, but it is not freely available and may not be created, stored, or transmitted without restriction.

Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is a category of unclassified data that federal agencies create or possess…

Protected Data

Protected data refers to data regulated by federal, state, and local legislation.

Public Data

Public data may be shared openly and does not have regulatory or industry requirements on its control and use.

Related

New Security Model, Data at WashU