Data Classification Policy

Effective Date:

April 15, 2008

Date(s) Reviewed:

Date (s) Revised:


The University of Miami’s mission is to educate and nurture students, to create knowledge, and to provide service to our community and beyond. This policy establishes a framework to classify the University’s data from risks including but not limited to, access, use, disclosure, removal, and unauthorized destruction. The University recognizes data as an asset and therefore this policy establishes guidelines for categorizing data based on the sensitivity of the information and regulatory requirements, such as HIPAA, FERPA, and industry compliance PCI.


This policy applies to all electronic data stored on any media or system(s) throughout the University of Miami and applies to all individuals storing, accessing, or working with the data, in any way, including all University employees, students, contractors, guests, consultants, temporary employees, and any other users, including all personnel affiliated with third parties utilizing University resources.


Data: Data includes all information stored on any electronic media throughout the University of Miami.

Data Classification: The process of categorizing an entity’s electronic data based on value and risk as required for satisfying regulatory compliance requirements.

System Administrators/Data Custodian: A data custodian is an individual with the responsibility of maintenance and protection of data on any given system. Only full-time and permanent part-time employees of the University and/or third party vendors approved by IT may function as data custodians.

User: An individual who creates or stores data, and thus is the owner of the information.


All data shall be classified by the University into levels based on sensitivity and risk. University system administrators, data custodians and/or users will be responsible for assigning each item of institutional data to one of four categories: Confidential, Private, Sensitive, or Public.


These categories take into account regulatory requirements, contractual agreements, ethical considerations, and strategic/proprietary worth.


Confidential information includes data covered by Federal and State legislation such as FERPA, HIPAA and the Data Protection Act or is legally covered by contract and must be protected at all times. The disclosure of this information may seriously damage or negatively impact the University. This information includes, but is not limited to: investment strategies; plans or designs; medical research technology; controversial research topics; financial information; file encryption keys; Social Security Numbers; donor names and account numbers; credit card numbers; sensitive student information; faculty, employee, or alumni personal information; patient’s medical records.


Private information is data restricted to proprietary use by authorized personnel only and is considered critical to ongoing options. The disclosure of this information may seriously impede the University’s operations. This information includes, but is not limited to: salaries; research details or results that are not confidential; library transactions; financial transactions which do not include confidential data; information covered by non-disclosure agreements; educational records including file documents or other materials; information directly related to a student, faculty, employee, and maintained by the University (i.e. home phone, address date of birth, drug test results, etc.).

LEVEL 3 -SENSITIVE (Internal Use Only)

Sensitive information is data not approved for general distribution outside the University. Access to this information must be guarded due to proprietary, ethical, or privacy considerations. The disclosure of this information may only result in a minor inconvenience to the University and its management. Examples of sensitive information include: accounting information, business plans, internal memos, minutes of meetings, and internal project reports.


Public information is data without any, national or international legal restriction regarding access. Public data is information that anyone within the public domain may access. This information, if disclosed, should not impact the University of Miami. This includes annual reports, press statements, Internet website, etc.

Details regarding the handling of University Information will reside within the Data Classification Procedures document.


System Administrator/Data Custodian:


    Responsible for labeling data into one of the four categories and applying appropriate security controls to ensure adequate protection of the information within their assigned responsibilities.

Chief Security Officer (CSO):


    Responsible for monitoring the enforcement of the policy.



    Responsible for identifying appropriate data classification category.