Data Classification and Handling
Identification and classification of university data are essential for ensuring that the appropriate degree of protection is applied to university data. The University's data is classified into three categories: Public, Sensitive, or Restricted. Based upon how the data is classified, that data may have certain precautions which need to be taken when handled.
DATA CLASSIFICATION CATEGORIES
All Purdue University data will be reviewed on a periodic basis and classified according to its use, sensitivity, and importance to the University and in compliance with federal and/or state laws. Any data item or information that is not classified will be assumed to be of the Restricted classification until otherwise determined, unless the data is known to be addressed by applicable law or statue (e.g., certain records that might be considered publicly available under applicable Indiana law).
Example: Course Catalog
Sensitive -- Information whose access must be guarded due to proprietary, ethical, or privacy considerations. This classification applies even though there may not be a civil statute requiring this protection.
Example: Fixed asset details, PUID, electronic or paper admissions applications
Restricted -- Information protected because of protective statutes, policies or regulations. This level also represents information that isn't by default protected by legal statue, but for which the Information Owner has exercised their right to restrict access.
Example: Protected Health Information (HIPAA/PHI); student data such as SSN, date of birth, grades/GPA/transcripts (FERPA); financial account information (GLBA); payment card information such as payment card number (PCI); government restricted research data (ITAR, EAR); Controlled Unclassified Information (CUI - as indicated by Executive Order 13556); or third party confidential or proprietary information.