Data Classification

Use these criteria to determine which data classification is appropriate for a particular information or infrastructure system. A positive response to the highest category in any row is sufficient to place that system into that classification. Electronic mail (e-mail) should be classified by the data or information contained therein. For example, e-mails that relate to specifically identified students must be kept as confidential education records. Each user should protect their e-mails as required under PS-107 and the “Use of E-Mail” policy.

NOTE: If you are creating a new information system that will store or handle Confidential Data, you MUST inform the IT Security & Policy Office.

  Confidential Data
(highest, most sensitive)
Private Data
(moderate level of sensitivity)
Public Data
(low level of sensitivity)
Legal Requirements Protection of data is required by law (i.e. HIPAA, FERPA, GLBA, etc.) LSU has a contractual obligation to protect the data Protection of data is at the discretion of the owner or custodian
Reputation Risk High Medium Low
Other Institutional Risks Information which provides access to resources, physical or virtual Smaller subsets of protected data from a school or department General university information
Access Only those individuals designated with approved access, signed non- disclosure agreements, and a need-to-know LSU employees and non-employees who have a business need-to-know LSU affiliates and general public with a need-to-know
Examples
  • Student education records
  • Individuals’ health records and information
  • Human subjects research data that identifies individuals
  • Prospective students
  • Personally Identifiable Financial Information
  • Campus Security Systems and Details
  • Credit card numbers
  • Certain management information
  • Social Security Numbers
  • Government restricted and/or classified Information
  • LSU “89” identification numbers
  • Financial transactions of students and employees
  • PS-69 Records
  • Personnel Records (Although certain records contained within employee personnel files may be “public records” subject to disclosure, personnel files should be maintained as confidential data and disclosure of “public records” shall only be made after a case-by-case determination.)
  • Information resources with access to confidential data
  • Research data or results that are not confidential data
  • Information covered by non-disclosure agreements
  • Materials for performance of official duties
  • Proprietary information of LSU or others contained within proposals, contracts, or license agreements
  • Campus maps
  • Personal directory information (e.g., contact information)
  • Departmental websites
  • Academic course descriptions
  • News
  • Information posted on University website
  • Budgets
  • Purchase Orders

 

Although certain records contained within employee personnel files may be “public records” subject to disclosure, personnel files should be maintained as confidential data and disclosure of “public records” shall only be made after a case-by-case determination.

This page was last updated Monday, January 12, 2015