Data Classification Procedure

The following procedure can be used to classify most data types.  If you have any use cases that cannot be addressed by this procedure, please contact the Information Security Office.

Category 4, Confidential Information Requiring Special Handling

Does your data contain any of the following information?

  • Identifiable permanent educational records that the University maintains about students. Examples include grade book records and transcripts¹.
  • Personal health information including mental health or substance abuse information.
  • Information about disabilities.
  • Tax return data.
  • Non-public Criminal Justice Information (CJI) such as Criminal History Record Information (CHRI).
  • Child abuse or elder abuse information.
  • Other data that if compromised could result in an individual's personal harm or in legal sanctions or fines for the University.
  • Information about children under 13 that will be part of a website (COPPA).

If your data is fully de-identified², or does not contain the above elements, proceed below.  If any of the above apply, your data is classified as Category 4, Confidential Information Requiring Special Handling.

Category 3, Confidential Information

Does your data contain a first name (or first initial) and last name of an individual along with one of the following?

  • Social security number or the last four digits of the social security number.
  • Driver's license number or Washington identification card number.
  • Account number, credit or debit card number, or any required security code, access code, or password that would permit access to an individual's financial account, or any other numbers or information that can be used to access a person's financial account.
  • Full date of birth.
  • Private key that is unique to an individual and that is used to authenticate or sign an electronic record.
  • Student, military, or passport identification number.
  • Health insurance policy number or health insurance identification number.
  • Any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer.
  • Biometric data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.

Or, does your data contain any of the following?

  • User name or email address, together with a password or security questions and answers that would allow access to an online account.
  • Most information concerning employee payroll and personnel records (see RCW 42.56.250).
  • A list of employees requested for commercial use (see RCW 42.56.070).
  • Information about the infrastructure and security of computer, telecommunication and infrastructure networks (see RCW 42.56.420).

Note that personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

If your data is fully de-identified², or does not contain the above elements, proceed below.  If any of the above apply, your data is classified as Category 3, Confidential Information.

Category 2, Sensitive Information

Should your data be limited to official use only, even though it is not specifically protected by law?  If so, your data is classified as Category 2 - Sensitive Information.  If not, proceed below.

Category 1, Public Information

If your data can be released to the public, it is Category 1 - Public Information.

 

Definitions

¹ FERPA Record:  FERPA, also known as the Buckley Amendment, defines education records as all records that schools or education agencies maintain about students.  Records which are not accessible or revealed to the University are not protected under FERPA.  See federal code §1232g(a)(4)(B)(i).

² De-identified Data: De-identified data is information that does not identify an individual and with respect to which there is no reasonable basis to believe that a combination of data elements can be used to identify an individual.