Data Classification at UMass

What is operational use only data?

Operational use only data refers to information critical to the University’s academic, research, and business operations that requires a higher degree of care in handling than unclassified data. Examples include:

  • System configuration/log files
  • Staff meeting notes
  • Business process documentation
  • Campus infrastructure plans

What is unclassified data?

Unclassified data refers to public information the University does not have a legal, policy, or contractual obligation to protect. Examples include:

  • Campus maps
  • Schedule of Classes
  • Policies
  • Student directory information (unless restricted)

What is confidential data?

Confidential data is defined as “data whose loss, corruption, or unauthorized use would impair the academic, research, or business functions of the University.” – Policy Statement on Electronic Data Security, Electronic Mail and Computer Policy Development, Board of Trustees Policies

  • Is protected by statute under state and federal law or by University policy
  • Involves personally identifiable information or other issues of personal privacy

Includes:

Personal information

Under M.G.L. 93H, an individual’s name in combination with any of the following:

  • Driver’s License Number
  • State Identification Card Number
  • Financial account number
  • Credit or debit account number

Education records

Under FERPA (Family Educational Rights & Privacy Act), any current or past student’s:

  • Grades, class schedule, advising record, degree progress, academic load, class and grade rosters
  • University bill and payments, Financial Aid application and awards, loan information, sponsorship and scholarship information, UCard transactions
  • Housing assignments, holds, and service indicators
  • Restricted directory information. Note: Under FERPA, directory information is public unless a student chooses to withhold it.

Under University guidelines, applicants’ names, test scores, recommendations, and other application materials

Financial records

Under the Fair & Accurate Credit Transactions Act (FACTA) and the Gramm–Leach–Bliley Act (GLB), students’ or parents’ financial records, including names, addresses, phone numbers, bank and credit card account numbers, credit histories, or Social Security Numbers, as they relate to student financial aid information.

ID Information

Under University guidelines:

  • Student ID
  • Employee ID
  • Visa and passport information

Confidential Research Data

University trade secrets and intellectual property.

What is restricted data?

Restricted data is defined as confidential data with the highest level of sensitivity, whose loss, corruption, or unauthorized use would pose the greatest risk to the University. Note: All policies referring to confidential data also apply to restricted data.

Examples of restricted data include:

Personal information

  • An individual’s Social Security Number
  • Ethnicity (under University policy)

Financial records

Under the Payment Card Industry Data Security Standard (PCI-DSS) and M.G.L. 93H:

  • Credit card numbers
  • Bank account numbers
  • Other financial records (e.g., debit and other financial account numbers)

Medical records

Under HIPAA (Health Insurance Portability & Accountability Act), any individually identifiable information and details about a person’s:

  • Physical or mental health
  • Past, current, or future health condition
  • Health care treatment
  • Payment for health care service

Protected Research Data

Research data that requires compliance with International Traffic in Arms Regulations (ITAR) and/or Export Administration Regulations (EAR).