UW Privacy Office

Data Classification Process

Data are essential to the UW’s mission. The benefits and risks associated with personal data necessitate careful review to help the UW uphold its values, academic freedom, policies, and/or privacy principles throughout the data lifecycle, from creation or collection to propagation, disclosure, or destruction.

The concept of classifying data as confidential, restricted, or public was established in 2001, by Office of the CISO to help UW units determine the level of privacy and security that should be afforded to a set of data. The data classification process is now managed by the UW Privacy Office and the categories are described in Administrative Policy Statement 2.2, University Privacy Policy.

Additionally, personal data are organized by subject areas on the UW data map, illustrated in the diagram below.
UW Data Map - Data Subject Areas. Shows nine categories of data subject areas, six categories of which are part of the official UW Data Map as of May 2018: Academics, Research, University Advancement, Services & Resources, Financial Resources, and Human Resources.   The other three data subject areas (Healthcare, Children and Athletics) were added for privacy purposes only.  All nine categories are shown of equal size.  A smaller circle in the center reads “Master Data,” indicating that some data fields are likely common across all subject areas.

As needed, the data classifications are updated via the following process:

  1. Discuss the purpose and intended use of data.
  2. Consult with designated subject matter experts, compliance experts, and data custodians to assess the regulatory and contractual requirements associated with the data.
  3. Consider, as needed, whether individuals may have a reasonable expectation of privacy.
  4. Determine data classification.
  5. Evaluate if the combination or removal of data elements from a data set may change the data classification.
  6. Partner with the Office of the CISO to advise UW units on the controls that are commensurate with the value of the asset and risk to the UW as described in Administrative Policy Statement 2.6, Information Security Controls and Operational Practices.
  7. Align data and data classification with UW data map.
  8. Continue, as needed, to review and modify the data classifications with the PASS Council.

For more information, contact uwprivacy@uw.edu.