UW Privacy Office

Data Classification Process

Data are essential to the UW’s mission. The benefits and risks associated with personal data necessitate careful review to help the UW uphold its values, academic freedom, policies, and/or privacy principles throughout the data lifecycle, from creation or collection to propagation, disclosure, or destruction.

The concept of classifying data as confidential, restricted, or public was established in 2001, by Office of the CISO to help UW units determine the level of privacy and security that should be afforded to a set of data. The data classification process for personal data is now managed by the UW Privacy Office and the categories are described on the data classifications webpage.

As needed, the data classifications are updated via the following process:

  1. Discuss the purpose and intended use of data.
  2. Consult with designated subject matter experts, compliance experts, and data custodians to assess the regulatory and contractual requirements associated with the data.
  3. Consider, as needed, whether individuals may have a reasonable expectation of privacy.
  4. Determine data classification.
  5. Evaluate if the combination or removal of data elements from a data set may change the data classification.
  6. Partner with the Office of the CISO to advise UW units on the controls that are commensurate with the value of the asset and risk to the UW as described in Administrative Policy Statement 2.6, Information Security Controls and Operational Practices.
  7. Align data and data classification with UW data map.
  8. Continue, as needed, to review and modify the data classifications with the PASS Council.

For more information, contact uwprivacy@uw.edu.