Data Classification and Handling Procedures

Purdue University academic and administrative data are important university resources and assets. Data used by the University often contains detailed information about Purdue University as well as personal information about Purdue University students, faculty, staff, and other third parties affiliated with the University. Protecting such information is driven by a variety of considerations including legal, academic, financial, and other business requirements. The Information Security and Privacy Policy (VII.B.8) identifies our roles and responsibilities in protecting information assets.

Identification and classification of University data are essential for ensuring that the appropriate degree of protection is applied to University data. The University's data is classified into three categories: Public, Sensitive, or Restricted. Based upon how the data is classified, that data may have certain precautions that need to be taken when handled.

Data Classification Categories

All Purdue University data will be reviewed on a periodic basis and classified according to its use, sensitivity, and importance to the University, and in compliance with federal and/or state laws. Any data item or information that is not classified will be assumed to be of the Restricted classification until otherwise determined, unless the data is known to be addressed by applicable law or statute (e.g., certain records that might be considered publicly available under applicable Indiana law). Questions on the classification and handling of particular data should be directed to the appropriate Data Steward for the area.

Public — Information that may or must be open to the general public. It is defined as information with no existing local, national or international legal restrictions on access.

Example: Course Catalog

Sensitive — Information whose access must be guarded due to proprietary, ethical, or privacy considerations. This classification applies even though there may not be a civil statute requiring this protection.

Example: Fixed asset details, PUID, electronic or paper admissions applications

Restricted — Information protected because of protective statutes, policies, or regulations. This level also represents information that isn't by default protected by legal statute, but for which the Information Owner has exercised the right to restrict access.

Example: Protected Health Information (HIPAA/PHI); student data such as SSN, date of birth, grades/GPA/transcripts (FERPA); financial account information (GLBA); payment card information such as payment card number (PCI); government-restricted research data (ITAR, EAR); Controlled Unclassified Information (CUI - as indicated by Executive Order 13556); or third-party confidential or proprietary information.