Data Classification and Handling Policy

PRINT DISCLAIMER: Official version of this document is accessible in the online policy library at https://policyoffice.ku.edu/. Printed copies may not reflect the most recent updates.

DOCUMENT TYPE:

Policy

PURPOSE:

Information is a valuable University asset and is critical to the mission of teaching, research, and service to Kansans.

Determining how to protect and handle information depends on a consideration of the information’s type, importance, and usage.

Classification is necessary to understand which security practices should be used to protect different types of information. The more protected the information needs to be, the more practices are required.

APPLIES TO:

University employees (faculty, staff, student employees) and other covered individuals (e.g., affiliates, vendors, independent contractors, etc.) in their handling of University data, information, and records in any form (paper, digital text, image, audio, video, microfilm, etc.) during the course of conducting University business (administrative, financial, teaching, research, or service).

“Handling” information includes, but is not limited to, the following: creating, collecting, accessing, viewing, using, storing, transferring, mailing, managing, preserving, disposing, or destroying.

CAMPUS:

Lawrence

POLICY STATEMENT:

A. All University employees and other covered individuals are responsible for:

  1. Understanding what constitutes Private or Public University information; and
  2. Managing Private or Public University information in a manner consistent with the criticality of and the requirements for confidentiality associated with the data in any form (electronic, documentary, audio, video, etc.) throughout the entire information lifecycle (from creation through preservation or disposal).

B. All University information, whether at rest (i.e., stored in databases, tables, email systems, file cabinets, desk drawers, etc.) or in use (i.e., being processed by application systems, electronically transmitted, used in spreadsheets, manually manipulated, etc.), must be classified into one of the three data classification levels described in this policy by each unit or department that is the Custodian of Records for that information.

  1. Determining classification level should be done according to an assessment of the need for Confidentiality of the information.

    Confidentiality: Access to information must be strictly limited to protect the university and individuals from loss.

    Limiting access to authorized individuals/entities/devices ensures legal obligations are fulfilled and/or protects KU and its stakeholders from the disclosure of data which is sensitive in nature.

    Note: The appropriate classification of each data set is based on the classification of the most confidential data stored in the data set (e.g., the database, table, file, etc.), or accessed by systems or people. This is true even if the data set contains other information that would qualify for a lower level of protection if it were stored separately.
  2. The table below summarizes the Data Classification process. All individuals covered under this policy are required to handle University information per the procedural controls found at the Data Classification and Handling Procedures Guide.
    Classification Level       Protection Required
    -------------------------  ------------------------------
    Level I   – Confidential   STOP! SPECIAL CARE IS REQUIRED
    Level II  – Sensitive      BE VERY CAUTIOUS
    Level III – Public         PROCEED WITH AWARENESS


  • Level I – Confidential Information: High risk of significant financial loss, legal liability, public distrust, or harm if this data is disclosed. (Examples provided in Appendix 1: Data Classifications Levels I, II, and III, linked below).
  • Level II – Sensitive Information: Moderate requirement for Confidentiality and/or moderate or limited risk of financial loss, legal liability, public distrust, or harm if this data is disclosed. (Examples provided in Appendix 1: Data Classifications Levels I, II, and III, linked below)
  • Level III – Public Information: Low requirement for Confidentiality [information is public] and/or low or insignificant risk of financial loss, legal liability, public distrust, or harm if this data is disclosed. (Examples provided in Appendix 1: Data Classifications Levels I, II, and III, linked below)

Appendix 1: Data Classification Levels I, II and III

Data Classification and Handling Procedures Guide

EXCLUSIONS OR SPECIAL CIRCUMSTANCES:

Exceptions to this Policy shall only be allowed if previously approved by the KU Information Technology Security Office and this approval is documented and verified by the Chief Information Officer.

CONSEQUENCES:

Faculty, staff, and student employees who violate this University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment.

Students who violate this University policy may be subject to proceedings for non-academic misconduct based on their student status.

Faculty, staff, student employees, and students may also be subject to the discontinuance of specified information technology services based on the policy violation.

CONTACT:

Office of the Chief Information Officer
1001 Sunnyside Avenue 
Lawrence, KS 66045
785-864-4999
kucio@ku.edu

APPROVED BY:

Provost and Executive Vice Chancellor

APPROVED ON:

2009-01-15

EFFECTIVE ON:

2009-01-15

REVIEW CYCLE:

Annual (As Needed)

RELATED STATUTES, REGULATIONS, AND/OR POLICIES:

Student Records Policy

Information Technology Security Policy

Electronic Data Disposal Policy

IT Security at KU

E-commerce Policy

Password Policy

Acceptable Use of Electronic Information Resources

Policy and Procedures for Investigative Contact by Law Enforcement

Electronic Mail (Email) Policy

Gramm-Leach-Bliley Student Financial Information Security Program

Laws:

Family Educational Rights and Privacy Act (FERPA), 20 USC §1232g (1974)

Health Insurance Portability and Accountability Act (HIPAA), P.L. 104-191(1996)

Gramm-Leach-Bliley Financial Services Modernization Act (GLB) P.L. 106-102, 113 Stat. 1338 (1999)

Kansas Open Records Act, K.S.A. §45-215 et seq.

RELATED PROCEDURES:

Data Classification and Handling Procedures Guide

Electronic Data Disposal Procedure

DEFINITIONS:

Private Information: an overarching term used to indicate all Confidential and Sensitive Information as defined below. Private Information includes all information protected by state and/or federal law or that the University is contractually obligated to protect. Private Information also includes information designated by the University as Private (Confidential or Sensitive) through the creation of standards, procedures, and guidelines. Access to these data must be tightly monitored.

Confidential Information: a subset of Private Information that includes information protected by state and/or federal law and information that the university is contractually obligated to protect. The mishandling of Confidential Information may impact the University through financial and legal sanctions, loss of public confidence, and damage to the University’s reputation. Examples of Confidential Information include Social Security numbers, bank account information, BPC account numbers, healthcare records, educational records, and risk assessments that highlight potential weaknesses in the University’s utility/service infrastructure.

Sensitive Information: a subset of Private Information that includes non-public information (other than Confidential Information) that may cause harm to the University or to individuals if inappropriately used or disclosed. This category includes, for example, research data with commercial or societal value, and individual works of intellectual property.

Public Information: includes information developed for public access. If this information is disclosed, there is no risk of damage to the University’s reputation. Some examples include:

  • Publicly accessible web pages
  • Campus maps
  • University application forms and brochures

CHANGE HISTORY:

03/26/2025: Migration to TeamDynamix from Drupal.
08/30/2024: Updated broken link in Related Statutes section.
01/26/2022: Updated contact section.
11/17/2014: Policy formatting cleanup (e.g., bolding, spacing).
