DCS.1 Data Classifications
Four classes of data are defined by the University of Illinois globally for the institution: High Risk, Sensitive, Internal, and Public. This Program additionally defines a fifth class, Sensitive Data Collection, and an overlapping sixth class which may be present within any of the preceding five data classes, Personally Identifiable Information (PII) Data. A Summary of the global university data classifications is listed below.
More detailed information is available in the DCS.G.1 Data Classification and Security Guideline of the UIC IT Security Program.
DCS.1.1 High Risk Data
High Risk Data is a University class of information that, if disclosed or modified without authorization, would have severe adverse effect on the operations, assets, or reputation of the University, or the University’s obligations concerning information privacy. Information in this class includes, but is not limited to:
- Information assets for which there are legal requirements for preventing disclosure or financial penalties for disclosure, such as credit card information (covered by the Payment Card Industry Data Security Standard (PCI DSS) ).
- Information covered by federal and state legislation, such as the federal Health Insurance Portability and Accountability Act (HIPAA) or the Illinois Personal Information Protection Act (IL PIPA).
- Payroll, personnel, and financial information with special privacy requirements.
DCS.1.2 Sensitive Data
Sensitive Data is a University class of information that, if disclosed or modified without authorization, would have serious adverse effect on the operations, assets, or reputation of the University, or the University’s obligations concerning information privacy. Information that is covered by FERPA, Non-Disclosure Agreements (NDAs), and other intellectual property are, as a minimum, in this class.
Note: Non-Disclosure Agreements may fall into the High Risk Data or Sensitive Data categories and should be individually evaluated.
DCS.1.3 Sensitive Data Collection
In addition to these University classifications, this Policy creates a further distinction in the University Sensitive Data classification:
A Sensitive Data Collection is a collection of Sensitive Data that results from compiling (i.e., collecting) the Sensitive Data from multiple sources. For example, an instructor’s compilation of grades from courses they teach, held on their own computer, would not be a Sensitive Data Collection. However, a department’s compilation of all the grades for all the classes in the department would be a Sensitive Data Collection.
Where a requirement is given in this Program for Sensitive Data, the same requirements apply to Sensitive Data Collections as a minimum threshold. Sensitive Data Collections are specifically identified in this program where a more restrictive or extensive requirement is applied to a Sensitive Data Collection than Sensitive Data.
DCS.1.4 Internal Data
Internal Data is a University class of information that, if disclosed or modified without authorization, would have moderate adverse effect on the operations, assets, or reputation of the University, or the University’s obligations concerning information privacy.
DCS.1.5 Personally Identifiable Information (PII) Data
Personally Identifiable Information (PII) Data is any information about an individual maintained by a Unit, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
At UIC, name, address, and telephony contact data is defined as PII only when it is provided in combination with other PII as described at h.). As independent or standalone data elements, those elements are Public data.
At a minimum, Personally Identifiable Information (PII) must be treated as Internal Data, and elements of PII may be classified as Sensitive, Confidential, or High Risk Data. This definition, however, does not supersede University policy on FERPA data.
Examples of PII Data include, but are not limited to the following data elements or categorizations:
Data elements or categories which are PII only when provided in combination as described at h.) with the other types of PII data in this definition which follow c.) :
a. Name, such as full name, maiden name, mother‘s maiden name, or alias.
b. Address information, such as street address or email address
c. Telephone numbers, including mobile, business, and personal numbers
Note that these three categories are treated by default as Public when collected under FERPA provisions.
Other PII data elements or categories:
d. Personal identification number, such as social security number (SSN), passport number, driver‘s license number, taxpayer identification number, patient identification number, and financial account or credit card number
e. Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people
f. Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry)
g. Information identifying personally owned property, such as vehicle registration number or title number and related information
Linked PII data, specifically including a., b., and c. to d. through g. :
h. Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).
DCS.1.6 Public Data
Public Data is a University class of information intended for public use that, when used as intended, would have no adverse effect on the operations, assets, or reputation of the University, or the University’s obligations concerning information privacy.