All data stored and accessed on USI information systems, whether managed by employees or by a third party, must follow this policy. Data stored on USI computing resources must be assigned a classification level. This level is used to determine user access, data storage and protection, data handling, data retention and destruction. Data classification is defined in four categories. In the absence of being formally classified, institutional data should be treated as Internal Use by default:
Listed from most sensitive to least sensitive
- Critical – Sensitive data that could result in criminal or civil penalties if exposed. Applies to the most sensitive business information which is only intended for selective access within USI.
- Examples include passwords, encryption keys, cardholder data, bank account information, financial data, employee personnel file data, patient data (health and dental), human research subject data, and government export control restricted data.
- Restricted – Data that due to the legal, ethical, or other constraints specific authorization is required to access. Unauthorized disclosure could seriously and adversely impact the University, its employees, or students.
- Examples include student academic data, grades, transcripts, class schedule, advising notes, and detailed environmental and control system designs.
- Internal Use - Applies to information which is intended for use within USI. Unauthorized disclosure could negatively impact the University and/or its employees. Access restrictions should be applied accordingly.
- Examples include university owned intellectual property, policy and procedures, performance metrics, and administrative or academic data files that do not contain data that is classified as Critical or Restricted.
- Public - Applies to all other information which does not clearly fit into any of the above classifications. Unauthorized disclosure isn’t expected to negatively impact the University.
- Examples include student name, major, degree, campus map, and emergency phones.
Any public records access requests must be coordinated through Government Relations.