The University's Data Classification and Governance Policy (VII.B.6) is effective March 1, 2010. Under the policy, All Purdue University data will be reviewed on a periodic basis and classified according to its use, sensitivity, and importance to the University and in compliance with federal and/or state laws.
Public -- Information which may or must be open to the general public. It is defined as information with no existing local, national or international legal restrictions on access.
Example: Course Catalog
Sensitive -- Information whose access must be guarded due to proprietary, ethical, or privacy considerations. This classification applies even though there may not be a civil statute requiring this protection.
Example: Date of Birth, gender
Restricted -- Information protected because of protective contractual obligations, statutes, policies or regulations. This level also represents information that isn't by default protected by legal statue, but for which the Information Owner has exercised their right to restrict access. Questions regarding the applicability of these definitions to specific data elements should be directed to either the Data Steward or the Information Owner.
Example: Protected Health Information (HIPAA), student data such as SSN, date of birth, grades/GPA/transcripts (FERPA), financial account information (GLBA), government restricted research data (ITAR, EAR), or third party confidential or proprietary information.