Data Classification
(Stored or Transmitted Data)
There are four classification levels of institutional data at Florida Atlantic University. Institutional Data is categorized into data classifications as defined in Policy 12.7: Management of Institutional Data to ensure proper handling and sharing of data based on sensitivity and criticality of the information. Data classifications are listed below from most sensitive to least sensitive:
Data Classification (Stored or Transmitted Data)
Highly Sensitive Information (Level 1 Information)
Level 1 Health Information is health-related information collected or received by the University that the University is under an obligation to protect. This information may include Protected Health Information (PHI or ePHI) protected under the Federal Health Insurance Portability and Accountability Act (HIPAA), health information protected by the Florida Information Protection Act (FIPA), or records relating to healthcare functions related to students and covered under the Federal Family Educational Rights and Privacy Act (FERPA).
EXAMPLES
- Health Records
- Counseling Records
Level 1 Non-Health Information is highly sensitive information that may be used to open or access financial accounts belonging to another individual. This information includes personal identifiers and other information that can be used in conjunction with a person’s name to open a financial account.
EXAMPLES
- Social Security Numbers
- Bank Account Numbers
- Passport Numbers
- Credit Card Numbers
- Driver License Numbers
Level 1 Biometric Information is highly sensitive data based on physical personal identifiers that can be used to confirm an individuals identity.
EXAMPLES
- Iris Scans
- Fingerprints
- Voiceprints
- Scans of hand or face geometry
Sensitive Information (Level 2 Information)
Level 2 Information is classified as confidential information that the University has an obligation to protect under law or regulatory requirements not covered in Level 1 Information. This includes, but is not limited to, information defined under FERPA and the Gramm-Leach-Bliley Act (GLBA).
EXAMPLES
- Student records
- Web server access logs
- Data protected by regulation, law, or contractual obligations.
- Research data covered by contractual obligations or containing government CUI.
- Information protected by non-disclosure agreements or privacy agreements
Security-Related Information (Level 3 Information)
Level 3 Information is information that would adversely affect the institution’s physical or cyber security if disclosed but may not necessarily be protected by the University’s obligations under law or regulatory requirements.
EXAMPLES
- Detailed Building Diagrams
- Risk Assessments
- Fraud Procedures
- Internal Security Procedures
- Police Procedures
Non-Sensitive Information (Level 4 Information)
Level 4 Information is any information that is created and stored during the normal course of business that is not protected by law or any other obligations of the University.
EXAMPLES
- Course catalogs
- Directory listings
- Public websites
- Published Research
- University-wide policies
- Job postings
- Press releases
Data may fall into multiple classification levels. Such data may include Social Security Numbers included in Level 1 Health Information.