Data Classification
Use these criteria to determine which data classification is appropriate for a particular information or infrastructure system. A positive response to the highest category in any row is sufficient to place that system into that classification. E-mail should be classified by the data or information contained therein. For example, e-mails that relate to specifically identified students must be kept as confidential education records. Each user should protect their e-mails as required under PS-107 and the “Use of E-Mail” policy.
Note: If you are creating a new information system that will store or handle Confidential Data, you must inform the IT Security & Policy Office.
Data Type | Legal Requirements | Reputation Risk | Other Institutional Risk | Access | Examples |
---|---|---|---|---|---|
Confidential Data | Protection of data is required by law (e.g., HIPAA, FERPA, GLBA) | High | Information which provides access to resources, physical or virtual | Only those individuals designated with approved access, signed non-disclosure agreements, and a need-to-know | |
Private Data | LSU has a contractual obligation to protect the data | Medium | Smaller subsets of protected data from a school or department | LSU employees and non-employees who have a business need-to-know | |
Public Data | Protection of data is at the discretion of the owner or custodian | Low | General University information | LSU affiliates and general public with a need-to-know | |