
Institutional Information and Research Data Categorization Examples

This is draft documentation for the new Information Security Policy. We are actively developing this content and are soliciting feedback on it.

Information is valued using considerations such as who can see it (confidentiality), who can change it (integrity), and having it accessible when you need it (availability). At UMass Amherst, institutional information and research data is categorized as: High, Moderate, Low and Not Applicable (N/A). Each category denotes a unique level of sensitivity and specific security controls which include access, storage and handling requirements. For more information on data categories, see Institutional Information, Research Data and Information System Categorization.

This page provides examples of the categories and the baseline security controls that apply to each category. This is not intended as an exhaustive list of information and data types or control standards for each category.

The categorization and specific control requirements for information and data are defined by the Data Stewards.

For more information see:

High

Institutional information and research data is categorized as High when the potential impact due to the loss, exposure, or unauthorized use would have a severe or catastrophic adverse effect on the University.

Examples of institutional information and research data with a categorization of High include:

Medical records
PHI (Protected Health Information) as defined under HIPAA/HITECH (Health Insurance Portability & Accountability Act / Health Information Technology for Economic and Clinical Health Act)

Personal information

(under M.G.L. 93H, Massachusetts data breach law)

An individual's name in combination with:

  • Social Security Number
  • Driver’s License Number
  • State Identification Card Number
  • Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account.

Financial information

  • Credit card numbers (under PCI-DSS, M.G.L. 93H)
  • Bank account numbers (under M.G.L. 93H)
  • Other financial records, e.g., debit and other financial account numbers (under M.G.L. 93H)

Protected Research Data
Research data that has specific compliance requirements through law, regulations, data user agreements, research contracts, etc.

Security Controls for High

Institutional information and research data categorized as High shall be protected at a minimum with the Foundational Information Security Controls, including encryption at rest and in transit. Additional controls may be specified by law, regulation, and/or data use and research agreements, and Data Stewards.

Moderate

Institutional information and research data is categorized as Moderate when the potential impact due to the loss, exposure, or unauthorized use would have a significant adverse effect on the University. 

Examples of institutional information and research data with a categorization of Moderate include:

Education records
(Under FERPA [Family Educational Rights & Privacy Act]):
Any current or past student’s:

  • Grades, class schedule, advising record, degree progress, academic load, class and grade rosters, University bill and payments, Financial Aid application and awards, loan information, sponsorship and scholarship information, UCard transactions, Housing assignments, holds, and service indicators, etc.
  • Restricted directory information. Note: under FERPA, directory information is public unless a student chooses to withhold it.

Under University policy: 

  • Applicants’ names, test scores, recommendations, and other application materials
  • Ethnicity (pursuant to University policy)

Financial records
Under the Fair & Accurate Credit Transactions Act (FACTA) and Gramm–Leach–Bliley Act (GLB)
Students’ or parents’ financial records including names, addresses, phone numbers, etc., as they relate to student financial aid information.

ID Information
Under University policy:

  • Student ID
  • Employee ID
  • Visa and passport information

Protected Research Data

Research data that has specific compliance requirements through law, regulations, data user agreements, research contracts, etc.

Security Controls for Moderate

Institutional information and research data categorized as Moderate shall be protected at a minimum with the Foundational Information Security Controls. Additional controls may be specified by law, regulation, and/or data use and research agreements, and Data Stewards.

Low

Institutional information and research data is categorized as Low when the potential impact due to the loss, exposure, or unauthorized use would have a minimal adverse effect on the University. 

Examples include:

  • Staff meeting notes
  • Business process documentation


Security Controls for Low

Institutional information and research data categorized as Low shall be protected at a minimum with the Foundational Information Security Controls. Additional controls may be specified by law, regulation, and/or data use and research agreements, and Data Stewards.

Not applicable (N/A)

A Not Applicable (N/A) confidentiality categorization of institutional information and research data refers to public information that the University does not have a legal, regulatory, policy, or contractual obligation to keep confidential.

Examples include:

  • Student directory information (unless restricted), as defined by the University here.
  • Campus maps
  • Policies