Data Classification Policy

PRINT DISCLAIMER: Official version of this document is accessible in the online policy library at https://policyoffice.ku.edu/. Printed copies may not reflect the most recent updates.

DOCUMENT TYPE:

Policy

PURPOSE:

The purpose of this policy is to define a consistent, risk-based framework for identifying, classifying, and protecting data across the University of Kansas (KU), the University of Kansas Medical Center (KUMC), the University of Kansas Health System (health system), and related affiliates.

APPLIES TO:

This policy applies to all employees, contractors, volunteers, students, visiting learners, and any other individual, affiliate, or entity authorized to access data owned or maintained by the Organizations. In addition, third parties are subject to this policy through contractual obligations.

CAMPUS:

Lawrence, Edwards, Leavenworth, Juniper Gardens, Parsons, Pittsburg, Salina (KUL), Topeka, Wichita (KUL), Yoder, Medical Center (KUMC), Salina (KUMC), Wichita (KUMC)

DEFINITIONS:

Data: Facts represented as text, numbers, graphics, images, sound, or video. Data is the raw material used to represent information, or from which information can be derived in any format. May be referred to as information in any medium (e.g., paper, digital text, image, audio, video, microfilm).

Information Asset: Data in any form or media placed into meaningful context for users, collected in relation to business or research activity. An asset has value or produces benefit.

Domain: A logical grouping of related data, information assets, systems, or business functions for which a designated Data Owner has responsibility. Domains are typically organized around organizational units, operational processes, or functional areas where data is created, used, or maintained.

Examples of Domains:

  • Provider Domain: All information related to a healthcare provider’s identity, credentials, scheduling, and operational activities.
  • Human Resources Domain: Employee records, payroll data, performance reviews.
  • Student Information Domain: Admissions data, academic records, advising information.
  • Financial Domain: Budget, procurement, and expenditure information.
  • Research Domain: Research study data, protocols, and related regulatory documentation.

Software: Computer programs, including operating systems, utilities, tools, database management systems and application programs. Software is intellectual property that imposes semantic meaning on input from humans and devices.

CIA Triad: A foundational cybersecurity model used to evaluate and protect information assets by ensuring Confidentiality, Integrity, and Availability (CIA).

Confidentiality: Protecting information from unauthorized access or disclosure. Confidentiality ensures that data is accessible only to individuals or systems with verified authorization and a legitimate business need.

Integrity: Ensuring that information is accurate, complete, and protected from unauthorized or accidental modification, deletion, or corruption. Integrity also includes the concepts of authenticity, accountability, and non-repudiation.

Availability: Ensuring timely and reliable access to information and resources when needed to support organizational operations, decision-making, patient care, and other mission-critical activities.

Open Records: Documents in the possession of a governmental entity that are required to be made available to members of the public on request.

Proprietary Education Information: Non-public academic or educational information created, developed, or maintained by the Organizations that provides strategic, competitive, or operational value and is not intended for public release. This information may be protected by intellectual property rights, contractual restrictions, or institutional policy but is not otherwise classified as Restricted by law or regulation.

Role Definitions

Data User: Individuals who access data at any point during its life cycle. Any individual or entity authorized to access data can be a Data User.

Data Creator: Individuals who create new data. Data Creators are responsible for initially classifying the data or handling it according to a previously assigned classification by the Data Owner. The Data Creator should assess the severity of the organizational impact if that data was compromised, modified improperly, or became unavailable to determine the classification. Anyone within the Organizations can be a Data Creator.

Data Owner: Individuals, often department heads (or a similar role), who have direct responsibility for the data that resides and/or is primarily used within their Domain. The Data Owner is accountable for ensuring data is classified and reviewing the classification.

Data Steward: Individual responsible for producing the documentation of the Domain, ensuring data quality, and articulating access procedures to the Domain – essentially responsible for the entire data classification program for the Domain(s) they have been assigned.

Data Custodian: Individuals responsible for implementing the policies and standards (procedures) established by the Data Steward, including physical data storage, backup and recovery, and the operation of security and data management systems.

POLICY STATEMENT:

The University of Kansas (KU) and the University of Kansas Medical Center (KUMC) (hereafter, “Organizations”) along with the University of Kansas Health System (health system) are committed to the protection of data, which is a valuable asset and is critical to the mission of the Organizations. The classification of data is necessary to understand which security practices should be used to protect different types of information. The more protected the information needs to be, the more controls are required. Data can be classified as Restricted, Confidential, Sensitive, or Public.

Classification Levels

Restricted Classification

The Restricted Classification applies to data that is intended for use by authorized data users, and unauthorized disclosure or modification could cause exceptionally grave damage to the Organizations and/or national security. The Restricted Classification also applies to data that must be kept confidential under federal, local, and state laws, contractual agreements, or based on its proprietary worth.

Restricted Classification data has a high CIA Triad Index. Compromises to confidentiality, integrity, and availability of data may result in severe or catastrophic damage to the Organizations which could include reputational costs and financial, patient care, and contracting impacts.

Examples of Restricted Classification data include:

  • Protected Health Information (PHI): A patient's medical record number or social security number;
  • Limited Data Set (LDS): A patient’s medical record with many, but not all, of the identifiers removed;
  • Payment Card Industry (PCI): A visitor's credit card number and expiration date;
  • Family Educational Rights and Privacy Act (FERPA): A student’s information with social security number*; and
  • Controlled Unclassified Information (CUI): A federal government employee’s information with social security number or export-controlled information.

* FERPA-protected data may be classified as Restricted or Confidential depending on the presence of high-risk identifiers and the potential impact of unauthorized disclosure. FERPA data that does not include Social Security Numbers, financial account information, or authentication credentials is generally classified as Confidential.

Confidential Classification

The Confidential Classification applies to data that is intended for use by authorized Data Users, and unauthorized external disclosure could adversely affect the Organizations, their clients, customers, patients, employees, students, or business partners.

Confidential classification data has a moderate to high CIA Triad Index. Compromises to confidentiality, integrity, and availability of data may result in serious to severe damage to the Organizations which could include reputational costs and financial, patient care, and contracting impacts.

Examples of Confidential Classification data include:

  • Personal identifiers like name and contact information (non-PHI), including staff directories;
  • Research information that is controlled, non-published, or not shared outside of the research group;
  • Human subjects research data that does not contain restricted identifiers, such as SSN, financial account information, or regulated clinical records subject to HIPAA;
  • Proprietary education information;
  • Project planning, budget, and resource allocations; and
  • Export-controlled information not otherwise classified as Restricted.

Sensitive Classification

The Sensitive Classification applies to data that is not openly published but can be made available via open record requests. Unauthorized disclosure could affect the Organizations, their clients, customers, patients, employees, students, or business partners. Direct access to this data is restricted to authenticated and authorized data users. This classification includes data that contains redactions to protect restricted and confidential data.

Sensitive classification data has a moderate CIA Triad Index. Compromises to confidentiality, integrity, and availability of data may result in serious damage to the Organizations which could include reputational costs and financial, patient care, and contracting impacts.

Examples of Sensitive Classification include:

  • Application or network login or system ID, without password;
  • Employment or student application data; and
  • Employee names, student or applicant data.

Public Classification

The Public Classification applies to data that is readily viewable to the public with anonymous access.

Public Classification data has a low CIA Triad Index. Compromises to the confidentiality, integrity, and availability of data are unlikely to result in damage to the Organizations.

Examples of Public Classification include:

  • A news article or story in a paper or on a news station;
  • The public-facing internet sites with information about the Organizations; and
  • Research findings published in a journal.

Mapping from Three-tier Classification

The prior classification framework utilized three tiers. The following table shows the mapping from the previously used three-tier classifications to the new four-tier classification framework.

| Four-tier classification (New) | KUMC Three-tier classification (Old) | KU Three-tier classification (Old) |
| Restricted Classification | High Risk | Level I - Confidential Protection |
| Confidential Classification | Moderate Risk | Level II - Sensitive Protection |
| Sensitive Classification | Moderate Risk | Level II - Sensitive Protection |
| Public Classification | Low Risk | Level III - Public Protection |

Under the prior three-tier classification framework, human subjects research data was generally categorized as High Risk or Level I as a conservative measure to ensure compliance with privacy and research protections. Under the four-tier classification framework, human subjects research data is classified based on the sensitivity of the data elements involved, rather than research designation alone.

Responsibilities

Data classification roles are assigned based on functional responsibility and domain ownership, not on specific job titles or centralized organizational units. These roles may be fulfilled by individuals within academic units, administrative units, healthcare units, research centers, or central IT, depending on where data is created, managed, and used.

Data Classification Steering Committee (DCSC)

The Data Classification Steering Committee (DCSC) provides institutional oversight for the data classification program. The DCSC is responsible for:

  • Establishing and maintaining the data classification program.
  • Monitoring implementation, resolving classification disputes, and ensuring continuous improvement of the applicable DC Procedures and related practices.
  • Providing complementary guidance on data classification, handling, and security controls to support compliance with IRB-approved protocols and applicable regulations. The DCSC does not replace or supersede the authority of the Institutional Review Board (IRB).

Data Owners

Data Owners are typically department heads or functional leaders with authority over data within a defined Domain. Data Owners are responsible for:

  • Ensuring data within their Domain is identified and classified.
  • Appointing one or more Data Stewards. 
  • Working in partnership with Information Technology (IT) and the Data Classification Steering Committee (DCSC) to implement and uphold the applicable data classification procedures (DC Procedures).
  • Ensuring that all data within their Domain is identified, classified, and protected in alignment with the applicable DC Procedures.
  • Ensuring that data access is appropriately managed and that data redistribution restrictions (e.g., via email or physical mail) are clearly communicated and enforced.

Data Stewards

Data Stewards are designated by Data Owners and are responsible for day-to-day management of data classification within assigned Domains. Data Stewards:

  • Validate the classifications assigned by Data Creators in consultation with the Data Owner. 
  • Maintain documentation describing data assets and classifications.
  • Define access and handling requirements in coordination with IT and Data Custodians.
  • Develop and maintain training materials related to data handling.

Data Custodians

Data Custodians are responsible for implementing and maintaining technical and operational safeguards that protect data according to its classification. In coordination with IT, Data Custodians:

  • Must review and assess the progress of the DC efforts within their Domains at the frequency specified by the Data Owner.
  • Report classification metrics as required by the DCSC, including the number and classification status of identified assets and software.
  • Implement storage, backup, recovery, and security controls appropriate to the classification level.
  • Support Data Stewards in aligning technical controls with policy requirements.

Data Creators

Data Creators are individuals who create or collect new data. Data Creators are responsible for:

  • Assigning a preliminary classification to data at the time of creation.
  • Handling data appropriately for the assigned classification.
  • Consulting with Data Stewards when classification is unclear.

Data Users

Data Users are individuals authorized to access data – regardless of medium (e.g., electronic, physical) or platform (e.g., software, system). Data Users must:

  • Comply with the information handling requirements for the assigned classification.
  • Use data only for approved purposes.
  • Complete required training and follow institutional policies.

CIA Triad Index

Data classification indicates the level of impact to the Organizations if the confidentiality, integrity, and/or availability of the data is compromised. If the appropriate classification of an information asset is not obvious (i.e., not dictated by specific laws and regulations), use the following table as a guide to effectively classify the asset. The higher the impact on the Organization, the more restrictive the classification will be.

| Security Objective | Potential Impact: Low | Potential Impact: Moderate | Potential Impact: High |
| Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, organizational reputation, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, organizational reputation, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, organizational reputation, or individuals. |
| Integrity: Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity. | The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, organizational reputation, or individuals. | The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, organizational reputation, or individuals. | The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, organizational reputation, or individuals. |
| Availability: Ensuring timely and reliable access to, and use of, information. | The disruption of access to, or use of, information or an information system could be expected to have a limited adverse effect on organization operations, organization reputation, or individuals. | The disruption of access to, or use of, information or an information system could be expected to have a serious adverse effect on organization operations, organization reputation, or individuals. | The disruption of access to, or use of, information or an information system could be expected to have a severe or catastrophic adverse effect on organization operations, organization reputation, or individuals. |

Adapted from: Federal Information Processing Standards Publication 199

EXCLUSIONS OR SPECIAL CIRCUMSTANCES:

All requests for exception to this policy must be submitted to itsec@ku.edu for review by the Data Classification Steering Committee.

CONSEQUENCES:

Any individual discovered to have violated this policy may be subject to suspension of user access and disciplinary action, up to and including termination of employment.

Unauthorized disclosure of data protected by federal, state, or local laws, such as personally identifiable information, may result in legal repercussions. Individuals should also be aware of other possible consequences under Organizational policies or under laws related to computer crime, copyright infringement, or similar violations.

CONTACT:

Lawrence Campus and all Reporting Units:
Information Technology
Chief Information Security Officer
785-864-9003
itso@ku.edu

KU Medical Center Campus and all Reporting Units:
Office of Information Security
913-588-3333
infosec@kumc.edu

RESPONSIBLE UNIT: 

Information Technology

APPROVED BY:

Chancellor

APPROVED ON:

2009-01-15

EFFECTIVE ON:

2009-01-15

REVIEW CYCLE:

Annual (As Needed)

BACKGROUND: 

Data must be properly handled throughout its entire life cycle, from creation to disposal. Because data varies in sensitivity, legal requirements, and operational importance, different types of information require different levels of protection.

To ensure the Organizations meet legal, regulatory, and contractual obligations, data classification must align with the following categories of laws, regulations, and standards:

Healthcare Regulations

  • Health Insurance Portability and Accountability Act (HIPAA): Federal law governing the privacy and security of Protected Health Information (PHI). 
  • Limited Data Set (LDS): A subset of PHI with specific identifiers removed for research, public health, or operations.

Privacy and Personal Data Laws

  • Personally Identifiable Information (PII): Information that can be used to distinguish or trace an individual’s identity. 
  • Family Educational Rights and Privacy Act (FERPA): Federal law protecting the privacy of student educational records.
  • Kansas Open Records Act (KORA): State law requiring certain public records to be accessible to the public while identifying exemptions for sensitive or confidential information.

Security and Compliance Standards

  • National Institute of Standards and Technology (NIST): Federal agency that provides cybersecurity frameworks and definitions, including the CIA Triad and impact categorizations.
  • Federal Information Processing Standards (FIPS): Especially FIPS 199, which guides categorization of information and systems by impact level.

Financial and Transactional Data Requirements

  • Payment Card Industry Data Security Standard (PCI DSS): Requirements for protecting credit cardholder data.

Research and Intellectual Property Protections 

  • Research data: Data generated in the course of academic or scientific investigation that may be subject to contractual or regulatory protections. 
  • Intellectual property (IP): Patents, copyrights, proprietary methodologies, and other creations of intellectual effort.
  • Controlled unclassified information (CUI): Sensitive information regulated by federal requirements (e.g., export-controlled data).

RELATED STATUTES, REGULATIONS, AND/OR POLICIES:

ISO-17799 (upon request)

Federal Information Processing Standards Publication 199

RELATED PROCEDURES:

KU Lawrence:

KU Medical Center:

RELATED RESOURCES:

Analytics, Institutional Research, & Effectiveness (AIRE)

AIRE Data Governance

Enterprise Systems Leadership Group

CHANGE HISTORY:

02/13/2026: Updated to all-University policy. 
11/04/2025: Updated formatting. 
04/23/2025: Updated links.
03/26/2025: Migration to TeamDynamix from Drupal.
08/30/2024: Updated broken link in Related Statutes section.
01/26/2022: Updated contact section.
11/17/2014: Policy formatting cleanup (e.g., bolding, spacing).

TITLE: 

Data Classification Policy
