Information Classification Standard

Title

University of North Carolina at Chapel Hill Information Classification Standard

Introduction

Purpose

The Information Classification Standard sets a framework for the University of North Carolina's ("University" or "UNC-Chapel Hill") information. This framework helps us recognize, manage, and protect the types of University information we handle. The classification aligns with the Information Security Controls Standard (“MSS”) which sets the security measures needed. In some cases, data obligations include responsible data sharing driven by the University’s mission, scholarship, and research. Proper data management also involves data integrity, accuracy, and availability (e.g. records management). Classification is the first step to understanding how to properly handle University Information.

The University classifies information according to:

  • Law, regulation, administrative, and contractual requirements;
  • Ethical considerations;
  • Strategic or proprietary value; and
  • Operational use.

Classifying information correctly gives everyone at the University a framework that supports their University activities.

Scope

This policy applies to all members of the UNC-Chapel Hill community, including faculty, employees, students, and contractors.

Standard

This standard defines four tiers of information:

  • Tier 0: Public Information
  • Tier 1: Business Information
  • Tier 2: Confidential Information, and
  • Tier 3: Restricted Information.

Classifying information is an ongoing process. Information may shift between tiers many times throughout its existence, or fall into different tiers based on its context. Seek guidance when a classification is not clear. 

The University has three missions: education, research, and public service. Classification supports all three as some types of information must be more readily available than others.

Examples and description of information elements are below.

GENERAL INFORMATION

Tier 0: Public Information

Public Information, or Tier 0, is information that is approved to be published. There are no limits on disclosing public information. Information the University has published or intends to publish is Tier 0. Protecting Tier 0 information means protecting its accuracy, source authority, and integrity. Tier 0 information directs to MSS “Low” baseline controls by default. 

Examples of Public Information are:

  • Information in the University directory the public can see.
  • Information on University websites the public can see such as: 
    • Marketing material;
    • Descriptions of departments or programs;
    • Press releases; and
    • Requests to take part in research.
  • Business information that is archived (with limited exceptions).
  • Annual Clery reports.

Tier 1: Business Information

The public does not have direct access to Business Information, called Tier 1. Mainly for internal use, Business Information is usually about operating the University. 

To protect Tier 1 information, controls are in place on who can access it. By default, those controls are reflected in the MSS “Low” baseline controls. The controls are appropriate to the content. Everyone who uses Tier 1 information must protect it. 

As part of doing work, a person may need to share Tier 1 information with others who need it to do their work. Tier 1 information can be shared with others at the University who have a business need for it.  

Those with access to Tier 1 information should only share it with someone outside the University if their job requires it. They should take care to share only the information needed.  

Examples of Business Information are:

  • Memos, correspondence, meeting minutes, contact lists, or procedures (not otherwise restricted).
  • Records of budgets or purchases, including reports and vendor catalogs or brochures.
  • Chemical safety records such as Employee Right-To-Know reports.
  • Grant proposals and supporting documents once the grant is complete.
  • Information in the “twelve categories” that North Carolina General Statute § 126-23 identifies for personnel records.
  • Student information defined as “FERPA directory information” but not published. (Published information is Tier 0.)
  • PID and Onyen.
  • Unpublished findings from research (unless rated at a higher Tier because of their content, such as SSNs, clinical data protected by HIPAA, or data under nondisclosure or other confidentiality agreements).
  • Intellectual property, unless rated at a higher Tier due to its content or because it is under nondisclosure or other confidentiality agreements.

SENSITIVE INFORMATION

Tier 2 and Tier 3 information is "sensitive information" as it relates to University policies, standards, and procedures.

University units handling sensitive information must review how they classify and manage it. NOTE: All Sensitive information directs by default to baseline MSS "Moderate" (Tier 2) or "High" (Tier 3). See the MSS for additional "overlay" controls that may also apply. Items that the University Records Retention Schedule marks "Confidential" often contain elements that are Tier 2 Confidential or Tier 3 Restricted. 

Tier 2: Confidential Information

Tier 2 is typically information the University is required to keep confidential due to an external obligation. Examples include: 

  • Law,
  • Regulation,
  • Contract, or
  • State or System Office policy.

Tier 2 is the default classification until a different classification is identified. Confidential Information includes information the University must keep confidential. For example:

  • Education records such as grades and class schedules protected by the Family Educational Rights and Privacy Act (FERPA). 
  • The University's proprietary information including:
    • Findings from research,
    • Intellectual property, and
    • Donor/funding sources that this standard does not put in a different Tier.
  • Information in personnel files that the N.C. Human Resources Act protects. This includes the results of criminal background checks.
  • Communications between attorneys and clients.
  • Information subject to a confidentiality agreement.
  • Information protected by a contract or a non-disclosure agreement, such as a vendor’s product roadmap or a sealed bid document.
  • The University may also determine to classify some proprietary information as Confidential, such as donor/funding sources that this standard does not put in a different Tier. 

Tier 2 information directs to MSS "Moderate" baseline controls by default. Also check for an Overlay that may apply. 

Tier 3: Restricted Information

Restricted Information, or Tier 3, is information that is often called “need to know.” It should be shared with specific individuals only. Tier 3 has safety requirements set by external obligations the University must fulfill, derived primarily from law but potentially from other sources as well.

The University must use rigorous protections for Restricted Information. MSS "High" baseline controls apply by default, and most Tier 3 information will have additional Overlay controls as well. Loss or unauthorized disclosure of this information may require that the University notify people or pay fines. In some cases, people may be subject to criminal penalties for improper disclosure of some types of Tier 3 data. Tier 3 data is primarily personal information that could harm people if it is disclosed improperly.

Examples of Restricted Information are:

  • Some Education records protected by FERPA such as:
    • Disciplinary conduct reports,
    • Student health information,
    • Sexual assault reports,
    • Passports, and
    • Financial aid information.
  • Identifiable data that the Federal Policy for the Protection of Human Subjects "Common Rule" applies to.
  • Protected Health Information as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
  • Financial Information covered by the North Carolina Identity Theft Protection Act of 2005. (Please note that this is highly contextual. Seek guidance.)
  • Information that has controls on whether it can be exported (ITAR and EAR).
  • Information covered by the Gramm-Leach-Bliley Act.
  • Passwords and other ways to log into a computer system that are unique to a person.
  • Social security numbers.

Exceptions

If a classification is not clear, please seek guidance from the University’s Data Governance authorities. The site datagov.unc.edu has guidance and a link to ask for “Data Assistance” help, at the bottom of the main page. The Data Governance Oversight Group, working with campus authorities and subject matter experts, can provide authoritative information on classification, new determinations, and any exceptions to this Standard. Exceptions may:

  • Clarify context,
  • Address legal requirements,
  • Address a work need,
  • Protect the welfare of people,
  • Address risk level, and/or
  • Resolve conflicts in how we classify information.

Definitions

Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, verbal, or audio/visual.

Risk of harm: Risk to the University's mission, state of compliance, finances, operations, and/or reputation.

University Data: Also called University Information or Enterprise Data. University Data includes any data the University has a legal, business, or ethical responsibility or right to protect or share. It includes all data and records created or received in the course of University business, except where excluded under the Policy or Standard on University Data Governance. University Data includes, but is not limited to, machine-readable data, data in electronic communication systems, data in print, and backup and archived data on all media. 

Related Requirements

External Regulations and Consequences

Failure to comply with this standard may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who fail to adhere to this standard may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors, vendors, and others who fail to adhere to this standard may face termination of their business relationships with UNC-Chapel Hill. 

Violation of this standard may also carry the risk of civil or criminal penalties.

University Policies, Standards, and Procedures

Contact Information

Primary Contacts
  • Standard Questions: ITS Policy Office, 919-962-HELP, help.unc.edu
  • Classification and related guidance: UNC-Chapel Hill ITS Information Security Office, 919-962-HELP, help.unc.edu ("University Data Assistance Request")
  • Report a Violation: UNC-Chapel Hill ITS Information Security Office, 919-962-HELP, online/email: N/A