Search Google Appliance

Information Technology

Data Classification at UMass Amherst

At UMass Amherst, University data falls into four categories: restricted, confidential, operational use only, and unclassified. Each category denotes a unique level of sensitivity and has specific access and handling requirements.

Note: This page provides examples for different data categories and is not intended as an exhaustive list of items for each category. For more information about University data in practice, see Understand Sensitive Data at UMass Amherst

A. Restricted Data

Restricted data is defined as confidential data with the highest level of sensitivity, whose loss, corruption, or unauthorized use would pose the greatest risk to the University. Note: All policies referring to confidential data also apply to restricted data. 

Examples of restricted data include:

A.1. Personal information

  • An individual’s name in combination with Social Security Number (under M.G.L. 93H, Massachusetts data security law)
  • Ethnicity (under University policy)

A.2. Financial records
Under Payment Card Industry Data Security Standard (PCI-DSS), M.G.L. 93H:

  • Credit card numbers
  • Bank account numbers
  • Other financial records (e.g., debit and other financial account numbers)

A.3. Medical records
Under HIPAA (Health Insurance Portability & Accountability Act)
Any individually-identifiable information and details about a person’s:

  • Physical or mental health
  • Past, current, or future health condition
  • Health care treatment
  • Payment for health care service

A.4. Protected Research Data
Research data that requires compliance with International Traffic in Arms Regulations (ITAR) and/or Export Administration Regulations (EAR). 

B. Confidential Data

Confidential data is defined as “data whose loss, corruption, or unauthorized use would impair the academic, research, or business functions of the University.” - University of Massachusetts Data & Computing Standards (pdf, 114k)

  • Is protected by statute under state and federal law or by University policy
  • Involves personally identifiable information or other issues of personal privacy
  • Includes:

B.1. Personal information
Under M.G.L. 93H:
An individual’s name in combination with any of the following:

  • Driver’s License Number
  • State Identification Card Number
  • Financial account number
  • Credit or debit account number

B.2. Education records
Under FERPA (Family Educational Rights & Privacy Act):
Any current or past student’s:

  • Grades, class schedule, advising record, degree progress, academic load, class and grade rosters
  • University bill and payments, Financial Aid application and awards, loan information, sponsorship and scholarship information, UCard transactions
  • Housing assignments, holds, and service indicators
  • Restricted directory information. Note: Under FERPA, directory information is public unless a student chooses to withhold it.

Under University policy: Applicants’ names, test scores, recommendations, and other application materials

B.3. Financial records
Under the
Fair & Accurate Credit Transactions Act (FACTA) and Gramm–Leach–Bliley Act (GLB)
Students’ or parents’ financial records including names, addresses, phone numbers, bank and credit card account numbers, credit histories, or Social Security Numbers as they relate to student financial aid information.

B.4. ID Information
Under University policy:

  • Student ID
  • Employee ID
  • Visa and passport information

B.5. Confidential Research Data

University trade secrets and intellectual property.

C. Operational Use Only Data

Operational use only data refers to information critical to the University's academic, research, and business operations that requires a higher degree to handling than unclassified data. Examples include:

  • System configuration/log files
  • Staff meeting notes
  • Business process documentation
  • Campus infrastructure plans

D. Unclassified Data

Unclassified data refers to public information the University does not have a legal, policy, or contractual obligation to protect. Examples include:

  • Campus maps
  • Schedule of Classes
  • Policies
  • Student directory information (unless restricted)