Data Classification Categories

All Purdue University data will be reviewed on a periodic basis and classified according to its use, sensitivity, and importance to the University and in compliance with federal and/or state laws.  Any data item or information that is not classified will be assumed to be of the Restricted classification until otherwise determined, unless the data is known to be addressed by applicable law or statue (e.g., certain records that might be considered publicly available under applicable Indiana law).

Public -- Information which may or must be open to the general public. It is defined as information with no existing local, national or international legal restrictions on access.

Example: Course Catalog

Sensitive -- Information whose access must be guarded due to proprietary, ethical, or privacy considerations. This classification applies even though there may not be a civil statute requiring this protection.

Example: Fixed asset details, PUID, electronic or paper admissions applications

Restricted -- Information protected because of protective statutes, policies or regulations. This level also represents information that isn't by default protected by legal statue, but for which the Information Owner has exercised their right to restrict access.

Example: Protected Health Information (HIPAA/PHI); student data such as SSN, date of birth, grades/GPA/transcripts (FERPA); financial account information (GLBA); payment card information such as payment card number (PCI); government restricted research data (ITAR, EAR); Controlled Unclassified Information (CUI - as indicated by Executive Order 13556); or third party confidential or proprietary information.