University of North Carolina at Chapel Hill Information Classification Standard
Introduction
Purpose
The Information Classification Standard gives a structure for the University of North Carolina at Chapel Hill's ("University" or "UNC-Chapel Hill") information. This structure helps us recognize the types of University Information we handle and makes it easier to keep that information safe. This Standard takes into account the University's academic culture, which values sharing information.
The University classifies information according to:
- law, regulation, administrative, and contractual requirements;
- ethical considerations;
- strategic or proprietary value; and
- operational use.
Classifying information the right way gives everyone at the University, at every level, a structure that supports their University activities.
Scope
Everyone at UNC-Chapel Hill.
Standard
This standard defines four tiers of information. Classifying information is not a one-time task, though: information may move between tiers many times over its lifecycle, and its tier can change at any time or in a different context.
Some types of information need to be more available than others. This standard takes that into account. The University has three missions: education, research, and public service. Information needs to be available for all three.
Examples and description of information elements are below.
Tier 0: Public Information
Public Information, or Tier 0, is information that is approved to publish. There are no limits on disclosing public information. Information the University has published or intends to publish is Tier 0. Protecting Tier 0 information means protecting its accuracy, source authority, and integrity.
Examples of Public Information are:
- Information in the University directory the public can see.
- Information on University websites the public can see, such as:
  - marketing material;
  - descriptions of departments or programs;
  - press releases; and
  - requests to take part in research.
- Archived business information (though not in every case).
- Annual Clery reports.
Tier 1: Business Information
Business Information, or Tier 1, is information the public does not have direct access to. It is mainly for internal use and usually concerns operating the University.
To protect Tier 1 information, controls are in place on who can access it. The controls are specific to the content and to what policies apply to it. Everyone who uses Tier 1 information must protect it.
As part of doing work, a person may need to share Tier 1 information with others who need it to do work. Tier 1 information can be shared with others at the University who have a business need for it.
Those with access to Tier 1 information should only share it with someone outside the University if their job requires it. They should take care to share only the information needed.
Examples of Business Information are:
- Memos, correspondence, meeting minutes, contact lists, or procedures (not otherwise restricted).
- Records of budgets or purchases, including reports and vendor catalogs or brochures.
- Chemical safety records such as Employee Right-To-Know reports.
- Grant proposals and supporting documents once the grant is complete.
- Information in the "twelve categories" that North Carolina General Statute § 126-23 identifies for personnel records.
- Student information defined as “FERPA directory information” but not published. (Published information is Tier 0.)
- PID and Onyen.
Sensitive Information
Tier 2 and Tier 3 information is "sensitive information" as that term is used in University policies, standards, and procedures.
If a University unit handles sensitive information, it needs to check how it classifies and controls that information and apply stricter standards where needed. Items that the University Records Retention Schedule marks "Confidential" often contain elements that need to be classified as Confidential or Restricted.
Tier 2: Confidential Information
University information is Confidential Information until determined otherwise. Confidential Information includes information the University must keep confidential because of a:
- law,
- regulation,
- contract, or
- policy.
Examples of Confidential Information are:
- Education records such as grades and class schedules.
- The University's proprietary information, including:
  - findings from research,
  - intellectual property, and
  - donor/funding sources that this standard does not put in a different Tier.
- Information in personnel files that the N.C. Human Resources Act protects. This includes the results of criminal background checks.
- Communications between attorneys and clients.
- Information subject to a confidentiality agreement.
- Information protected by a contract or a non-disclosure agreement, such as a vendor's product roadmap or a sealed bid document.
Tier 3: Restricted Information
Restricted Information, or Tier 3, has protection requirements set by:
- contract,
- law, or
- regulation.
The University must protect Restricted Information in the strictest way. If we lose this information or disclose it without permission, we may have to notify people or pay fines.
Examples of Restricted Information are:
- Education records such as:
  - disciplinary conduct reports,
  - student health information,
  - sexual assault reports,
  - passports, and
  - financial aid information.
- Identifiable data that the Federal Policy for the Protection of Human Subjects "Common Rule" applies to.
- Protected Health Information as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- Information covered by the North Carolina Identity Theft Protection Act of 2005.
- Payment Card Industry (PCI) information related to merchant activity.
- Information that has controls on whether it can be exported (ITAR and EAR).
- Information covered by the Gramm-Leach-Bliley Act.
- Information that a contract protects, such as a document that demonstrates how a vendor keeps information secure.
- Passwords and other credentials for logging into a computer system that are unique to a person.
- Social security numbers.
Exceptions
The Data Governance Oversight Group may need to classify some information to:
- address legal requirements,
- address a work need,
- protect the welfare of people, or
- resolve conflicts in how we classify information.
Definitions
Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, verbal, or audio/visual.
Risk of harm: Risk to the University's mission, state of compliance, finances, operations, and/or reputation.
University Information: University-owned information, or information made or received in connection with the transaction of University business by a Constituent of UNC-Chapel Hill. Data, information, or records maintained by the University in any medium or form. Information the University has a legal or ethical responsibility to protect or disseminate.
Related Requirements
External Regulations and Consequences
Failure to comply with this standard may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who fail to adhere to this standard may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors, vendors, and others who fail to adhere to this standard may face termination of their business relationships with UNC-Chapel Hill.
Violation of this standard may also carry the risk of civil or criminal penalties.
University Policies, Standards, and Procedures
Contact Information
Primary Contacts
Subject | Contact | Telephone | Online/Email
--- | --- | --- | ---
Standard Questions | ITS Policy Office | 919-962-HELP | help.unc.edu
Request Information Security Consulting | UNC-Chapel Hill ITS Information Security Office | 919-962-HELP | help.unc.edu
Report a Violation | UNC-Chapel Hill ITS Information Security Office | 919-962-HELP | N/A