• Home
  • Data Classification and Handling Policy

Data Classification and Handling Policy

Policy
Purpose: 

Information is a valuable University asset and is critical to the mission of teaching, research, and service to Kansans.

Determining how to protect and handle information depends on a consideration of the information’s type, importance, and usage.

Classification is necessary to understand which security practices should be used to protect different types of information. The more protected the information needs to be, the more practices are required.

Applies to: 

University employees (faculty, staff, student employees) and other covered individuals (e.g., affiliates, vendors, independent contractors, etc.) in their handling of University data, information, and records in any form (paper, digital text, image, audio, video, microfilm, etc.) during the course of conducting University business (administrative, financial, teaching, research, or service).

“Handling” information includes, but is not limited to, the following: creating, collecting, accessing, viewing, using, storing, transferring, mailing, managing, preserving, disposing, or destroying.

Campus: 
Lawrence
Policy Statement: 
  1. All University employees and other covered individuals are responsible for:
    1. Understanding what constitutes Private or Public University information; and
    2. Managing Private or Public University information in a manner consistent with the criticality of and the requirements for confidentiality associated with the data in any form (electronic, documentary, audio, video, etc.) throughout the entire information lifecycle (from creation through preservation or disposal).
  2. All University information whether at rest (i.e., stored in databases, tables, email systems, file cabinets, desk drawers, etc.) or in use (i.e., being: processed by application systems, electronically transmitted, used in spreadsheets, or manually manipulated, etc.) must be classified into one of the three data classification levels described in this policy by each unit or department that is the Custodian of Records for that information.
    1. Determining classification level should be done according to an assessment of the need for Confidentiality of the information.

      Confidentiality: Access to information must be strictly limited to protect the university and individuals form loss.

      Limiting access to authorized individuals/entities/devices ensures legal obligations are fulfilled and/or protects KU and its stakeholders from the disclosure of data which is sensitive in nature.

      Note: The appropriate classification of each data set is based on the classification of the most confidential data stored in the data set (e.g., the database, table, file, etc.), or accessed by systems or people. This is true even if the data set contains other information that would qualify for a lower level of protection if it were stored separately.

    2. The table below summarizes the Data Classification process. All individuals covered under this policy are required to handle University information per the procedural controls found at the Data Classification and Handling Procedures Guide.
      Level I – Confidential Protection STOP! SPECIAL CARE IS REQUIRED
      Level II – Sensitive Protection BE VERY CAUTIOUS
      Level III – Public Protection PROCEED WITH AWARENESS
      • Level I – Confidential Information: High risk of significant financial loss, legal liability, public distrust, or harm if this data is disclosed. (Examples provided in Appendix 1: Data Classifications Levels I, II, and III, linked below).
      • Level II – Sensitive Information: Moderate requirement for Confidentiality and/or moderate or limited risk of financial loss, legal liability, public distrust, or harm if this data is disclosed. (Examples provided in Appendix 1: Data Classifications Levels I, II, and III, linked below)
      • Level III – Public Information: Low requirement for Confidentiality [information is public] and/or low or insignificant risk of financial loss, legal liability, public distrust, or harm if this data is disclosed. (Examples provided in Appendix 1: Data Classifications Levels I, II, and III, linked below)

Appendix 1: Data Classification Levels I, II and III

Data Classification and Handling Procedures Guide

Exclusions or Special Circumstances: 

Exceptions to this Policy shall only be allowed if previously approved by the KU Information Technology Security Office and this approval is documented and verified by the Chief Information Officer.

Consequences: 

Faculty, staff, and student employees who violate this University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment.

Students who violate this University policy may be subject to proceedings for non-academic misconduct based on their student status.

Faculty, staff, student employees, and students may also be subject to the discontinuance of specified information technology services based on the policy violation.

Contact: 

Office of the Chief Information Officer
1001 Sunnyside Avenue 
Lawrence, KS 66045
785-864-4999
kucio@ku.edu

Approved by: 
Provost and Executive Vice Chancellor
Approved on: 
Thursday, January 15, 2009
Effective on: 
Thursday, January 15, 2009
Review Cycle: 
Annual (As Needed)
Definitions: 

Private Information: an overarching term used to indicate all Confidential and Sensitive Information as defined below. Private Information includes all information protected by state and/or federal law or that the University is contractually obligated to protect. Private Information also includes information designated by the University as Private (Confidential or Sensitive) through the creation of standards, procedures, and guidelines. Access to these data must be tightly monitored.

Confidential Information: a subset of Private Information that includes information protected by state and/or federal law and information that the university is contractually obligated to protect. The mishandling of Confidential Information may impact the University through financial and legal sanctions, loss of public confidence, and damage to the University’s reputation. Examples of Confidential Information include Social Security numbers, bank account information, BPC account numbers, healthcare records, educational records, and risk assessments that highlight potential weaknesses in the University’s utility/service infrastructure.

Sensitive Information: a subset of Private Information that includes non-public information (other than Confidential Information) that may cause harm to the University or to individuals if inappropriately used or disclosed. This category includes, for example, research data with commercial or societal value, and individual works of intellectual property.

Public Information: includes information developed for public access. If this information is disclosed, there is no risk of damage to the University’s reputation. Some examples include:

  • Publicly accessible web pages
  • Campus maps
  • University application forms and brochures
Keywords: 
data classification, data handling
Change History: 

08/30/2024: Updated broken link in Related Statutes section.
01/26/2022: Updated contact section.
11/17/2014: Policy formatting cleanup (e.g., bolding, spacing).

Information Access & Technology Categories: 
Information Access
Privacy & Security

Can't Find What You're Looking For?
Policy Library Search
KU Today
One of 34 U.S. public institutions in the prestigious Association of American Universities
Nearly $290 million in financial aid annually
44 nationally ranked graduate programs.
—U.S. News & World Report
Top 50 nationwide for size of library collection.
—ALA
23rd nationwide for service to veterans —"Best for Vets," Military Times