This page provides information related to the categorization of the confidentiality of information and data. The higher the level, the greater the harm that could occur if the information were released and therefore the greater the required protections.
All data shall be protected at a level commensurate with its risk. Data shall be protected at a minimum with the Foundational Information Security Controls. Additional controls may be specified by law, regulation, and/or data use and research agreements, and Data Stewards.
Level 1 Public Information, Confidentiality - (N/A)
Level 1 information refers to public information the University does not have a legal, regulatory, policy, or contractual obligation to keep confidential and that would have no adverse impact on the University if disclosed.
Level 1 examples:
- Published student directory information
- Published information about the University
- Research data that has been de-identified in accordance with applicable rules and is ready for sharing.
- Published research data
Level 2 Internal Information, Confidentiality - Low
Institutional information and research data are categorized as Low when the potential impact due to the loss, exposure, or unauthorized use would have a minimal adverse effect on the University.
Level 2 examples:
- Drafts of research papers
- Patent applications
- Staff meeting notes
- Business process documentation
- Any information or research data categorized as Level 2 by an Institutional Review Board, data steward, or data use agreement.
Level 3 Sensitive Information, Confidentiality - Moderate
Institutional information and research data are categorized as Moderate when the potential impact due to the loss, exposure, or unauthorized use would have a significant adverse effect on the University. This category includes personally identifiable information which, if disclosed, could reasonably be expected to damage reputation or cause legal liability.
Level 3 examples:
- Non-directory Information covered under FERPA (Family Educational Rights & Privacy Act) including but not limited to any current or past student’s:
- Grades
- Class schedule
- Degree progress
- Class and grade rosters
- University bill and payments
- Loan information
- Sponsorship and scholarship information
- Housing assignments
- Holds
- Service indicators
- Student ID, Employee ID, visa and passport information
- University personnel records
- University Financial Records
- Any information or research data categorized as Level 3 by an Institutional Review Board, data steward, or data use agreement.
- Speedtypes
- Invoices
- Internal budgets
- Procurement contracts
- Bankcard statements (with redacted account numbers)
- Purchasing Receipts
Level 4 Confidential Information, Confidentiality - High
Institutional information and research data are categorized as High when the potential impact due to the loss, exposure, or unauthorized use would have a severe or catastrophic adverse effect on the University.
Level 4 examples:
- Individually identifiable financial or medical information
- Information commonly used to establish identity that is protected by state, federal or foreign privacy laws and regulations, such as Massachusetts law protecting personal information, and not classified in Level 5.
For example, name in combination with:
- Social Security number
- Driver’s license number, etc.
- Credit card numbers
- Bank account numbers
- Identifiable human subject research data
- Any information or research data categorized as High by an Institutional Review Board, data steward, or data use agreement.
- Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number, or password that would permit access to a resident's financial account.
- Credit card numbers (under PCI-DSS, M.G.L 93H)
- Bank account numbers (under M.G.L 93H)
- Under the Fair & Accurate Credit Transactions Act (FACTA) and Gramm–Leach–Bliley Act (GLB)
- Students’ or parents’ financial records that include names, addresses, phone numbers, etc., as they relate to student financial aid information.
- Other financial records: e.g., debit and other financial account numbers. (Under M.G.L 93H)
Level 5 Restricted Information, Confidentiality - High-Plus
Reserved for data that would be categorized as Confidentiality - High, but that also carries additional contractual requirements for exceptional and/or specific security measures.
Level 5 examples:
- Medical information specifically covered under HIPAA
- Credit Card information where the University is the Merchant
- Export-Controlled Information (ITAR, EAR)