Why is data classification important?
At any institution, people are both the greatest asset and the greatest threat to data security. Mishandling data, including mislabeling data with incorrect classifications, can have serious security implications for the University, including its most important members: faculty, staff, and students. Data classification is the first step in treating data with the appropriate security controls.
How do we classify data at WFU?
The Wake Forest Information Security Policy outlines the 3 levels of data classification used at the University:
- Confidential is reserved for sensitive personal and institutional information and any personally identifiable information (PII), such as social security numbers. Confidential information, if accessed by the wrong person(s), could result in significant financial loss, invasion of privacy, or harm to the reputation and/or operations of an individual or the institution. It is important to note that when data is classified as Confidential, different levels of access controls can be given to that particular data depending on who needs access to it.
- Internal Use Only classifies data that is not as sensitive as Confidential, but which should not be available to the general public. Were it available to the general public, it may cause some adverse impacts on the University. An internal memo would be an example of Internal Use Only.
- Public classifies data which is accessible by the general public or, if not accessible, would at least have no material adverse effect on the University or any individuals were it to be released.
How do I know how to classify my data?
Follow the guidelines in the Wake Forest Information Security Policy. The information provided above is meant to be a summary and is not intended to be a replacement for the policy. When in doubt, err on the side of caution.
It is critical to conduct a thorough review of the data you are collecting to ensure it is classified correctly, particularly if the data contains personally identifiable information, such as some of the data that is collected for research using human subjects.
What if I am doing research with human subjects?
Human research is an area where confidential data is frequently collected. Included here are some examples of how to classify data related to research with human subjects.
- Examples of confidential data: personally identifiable human research data involving sensitive topics, genetic information, and/or certain medical information.
- Examples of internal use only data: information protected by FERPA (e.g., non-directory student information and directory information about students who have requested a FERPA block); unpublished research data.
- Examples of public data: human research data that has been de-identified; published research data.
What if I still have questions?
Please reach out to firstname.lastname@example.org to schedule a consultation about data classification.