UW Privacy Office

Data Classifications

The UW Privacy Office oversees and manages the classification of data to support the UW in meeting the privacy principle of due care. The following categories for classifying data are intended to help UW units clarify and prioritize the minimum privacy and information security protections.

Relevant UW Policies

UW Confidential

We work closely with subject matter experts, compliance experts, and the UW division of the Attorney General’s Office to classify as “UW Confidential” data elements that are very sensitive in nature and typically subject to federal or state regulations. Unauthorized disclosure of this information could seriously and adversely impact the University or the interests of individuals and organizations associated with the University.

Examples include, but are not limited to:

  • Attorney/client privileged records
  • Certain affirmative action related data
  • Computer account passwords
  • Donor information
  • Employee information
  • EU GDPR – Any identifier, such as name, ID, location data, online identifier; or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person
  • Export Controls (e.g., EAR, ITAR)
  • FERPA – individual student records
  • Gramm-Leach-Bliley (GLB) protected information
  • HIPAA – protected data when associated with a health record
  • Information required to be protected by contract
  • Library use records
  • Restricted police records (e.g., victim information, juvenile records)
  • Trade secrets, intellectual, and/or proprietary research information
  • Vendor non-disclosure agreements

Restricted

When it is determined that data elements aren’t UW confidential, we work closely with the UW data custodians to classify as “Restricted” data that is circulated on a need-to-know basis or sensitive enough to warrant careful management and protection.

Examples include, but are not limited to:

  • Critical infrastructure blueprints or schematics
  • Location of assets
  • Parking permits
  • Proprietary research
  • Specific physical security measures
  • Specific technical security measures
  • UW employee business-related email (including student employees, but only their work-related email)

Public

When it’s determined that data elements are neither confidential nor restricted, we work closely with the relevant units to classify as “Public” those data sets that will be published for public use or have been approved for general access by the appropriate University authority.

Examples include, but are not limited to:

  • Employee email addresses (with special exceptions)
  • Employee work locations (with special exceptions)
  • Employee work phone numbers (with special exceptions)
  • UW business records
  • Value and nature of fringe benefits

Special Categories of Personal Data

These are categories of personal data that, alone or combined with other data, could adversely impact the University or individuals. Special categories of personal data may also be confidential information in that they are protected by a law or regulation.

Examples include, but are not limited to, data or information regarding:

  • Criminal offenses
  • Citizenship and/or immigration status
  • Race or ethnic origin, political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic or biometric data used to identify a natural person
  • Health
  • Disability
  • Sex life
  • Gender
  • Gender identity
  • Sex or sexual orientation
  • Universal identification numbers
  • Youth under the age of eighteen (18)

Data Classification Process

Data are essential to the UW’s mission. The benefits and risks associated with personal data necessitate careful review to help the UW uphold its values, academic freedom, policies, and/or privacy principles throughout the data lifecycle, from creation or collection to propagation, disclosure, or destruction.

The concept of classifying data as confidential, restricted, or public was established in 2001 by the Office of the CISO to help UW units determine the level of privacy and security that should be afforded to a set of data.

As needed, the data classifications are updated via the following process:

  1. Discuss the purpose and intended use of data.
  2. Consult with designated subject matter experts, compliance experts, and data custodians to assess the regulatory and contractual requirements associated with the data.
  3. Consider, as needed, whether individuals may have a reasonable expectation of privacy.
  4. Determine data classification.
  5. Evaluate if the combination or removal of data elements from a data set may change the data classification.
  6. Partner with the Office of the CISO to advise UW units on the controls that are commensurate with the value of the asset and risk to the UW as described in Administrative Policy Statement 2.6, Information Security Controls and Operational Practices.
  7. Align data and data classification with UW data map.
  8. Continue, as needed, to review and modify the data classifications with the PASS Council.

For more information, contact uwprivacy@uw.edu