Privacy Assurance and Systems Security Council

UW Data Classification

Data classification determines what controls need to be applied to appropriately protect institutional information according to information security and privacy policies.

To help clarify the minimum requirements for UW data security, three categories of data have been defined: Public, Restricted, and Confidential.

These classifications are included in APS 2.2, University Privacy Policy, and APS 2.6, Information Security Controls and Operational Practices. The table below provides criteria for determining data classification.

Questions about data classification can be forwarded to the UW CISO for review by the relevant Data Custodian(s) and the PASS Council.

 
Risk Level
• Confidential: High
• Restricted: Medium
• Public: Low

Examples of Risk
• Confidential: The UW's reputation is tarnished by public reports of its failures to protect sensitive records of employees, students, or clients
• Restricted: Data is disclosed unnecessarily or in an untimely fashion, which causes harm to UW business interests or to the personal interests of an individual
• Public: Confusion is caused by corrupted information about enrollment and tuition that is displayed on the official UW web site

Examples of Specific Data

(See more detailed information in the table below on HIPAA, FERPA, GLB, and Employee information)

• HIPAA – protected data when associated with a health record

• FERPA – individual student records

• Export Controls (e.g., EAR, ITAR)

• Gramm-Leach-Bliley (GLB) protected information

• Employee information

• Donor information

• Library use records

• Trade secrets, intellectual and/or proprietary research information

• Information required to be protected by contract

• Vendor non-disclosure agreements

• Attorney/client privileged records

• Restricted police records (e.g., victim information, juvenile records)

• Computer account passwords

• Certain affirmative action related data

• Telephone billing information

• Parking permits

• Location of assets

• Critical infrastructure blueprints or schematics

• Specific physical security measures

• Specific technical security measures

• Proprietary research

• UW employee business-related email (including student employees, but only their work-related email)

• Employee work phone numbers (with special exceptions)

• Employee work locations (with special exceptions)

• Employee email addresses (with special exceptions)

• Value and nature of fringe benefits

• University of Washington business records

Examples of Confidential Data

HIPAA
• Patient names
• Street address, city, county, zip code
• Dates (except year) for dates related to an individual
• Social Security numbers
• Health conditions and symptoms
• Prescriptions
• Account/Medical record numbers
• Health plan beneficiary information
• Certificate and license numbers
• Vehicle identification and serial numbers
• Device identification and serial numbers
• Biometric identifiers
• Full-face images
• Any other unique identifying number, characteristic, or code
• Payment guarantor's information
• Telephone and fax numbers
• Email, URLs, and IP numbers

FERPA
• Grades
• Courses taken
• Schedule
• Test scores
• Advising records
• Educational services received
• Disciplinary actions
• Student identification number
• Social Security number
• Student private email (with exceptions related to UW business)

Gramm-Leach-Bliley (GLB)
• Employee financial account information
• Student financial account information (aid, grants, bills)
• Individual financial information
• Business partner and vendor financial account information

Employee Information
• Social Security Number
• Date of birth
• Home address or personal contact information
• Performance reviews
• Specific benefit selections