Information Classification Standard

Title

University of North Carolina at Chapel Hill Information Classification Standard

Introduction

Purpose

The Information Classification Standard gives a structure for the University of North Carolina's ("University" or "UNC-Chapel Hill") information. This structure helps us recognize the types of University Information we handle. It makes it easier to keep the information safe. This Standard considers the University's academic culture, which values sharing information.

The University classifies information according to:

  • law, regulation, administrative, and contractual requirements;
  • ethical considerations;
  • strategic or proprietary value; and
  • operational use.

Classifying information the right way gives everyone at the University, at every level, a structure that supports their University activities.

Scope

Everyone at UNC-Chapel Hill.

Standard

This standard defines four tiers of information. Classification is not fixed, though: information may change tiers many times over its lifecycle, at any time and in different contexts.

Some types of information need to be more available than others. This standard takes that into account. The University has three missions: education, research, and public service. Information needs to be available for all three.

Examples and description of information elements are below.

Tier 0: Public Information

Public Information, or Tier 0, is information that is approved for publication. There are no limits on disclosing public information. Information the University has published or intends to publish is Tier 0. Protecting Tier 0 information means protecting its accuracy, source authority, and integrity.

Examples of Public Information are:

  • Information in the University directory the public can see.
  • Information on University websites the public can see such as: 
    • marketing material;
    • descriptions of departments or programs;
    • press releases; and
    • requests to take part in research.
  • Business information that is archived (though not always).
  • Annual Clery reports.

Tier 1: Business Information

Business Information, or Tier 1, is information the public does not have direct access to. It is mainly for internal use and is usually about operating the University.

To protect Tier 1 information, controls are in place on who can access it. The controls are specific to the content and to the policies that apply to it. Everyone who uses Tier 1 information must protect it.

As part of doing work, a person may need to share Tier 1 information with others who need it to do their work. Tier 1 information can be shared with others at the University who have a business need for it.

Those with access to Tier 1 information should share it with someone outside the University only if their job requires it. They should take care to share only the information needed.

Examples of Business Information are:

  • Memos, correspondence, meeting minutes, contact lists, or procedures (not otherwise restricted).
  • Records of budgets or purchases, including reports and vendor catalogs or brochures.
  • Chemical safety records such as Employee Right-To-Know reports.
  • Grant proposals and supporting documents once the grant is complete.
  • Information in the “twelve categories” that North Carolina General Statute § 126-23 identifies for personnel records.
  • Student information defined as “FERPA directory information” but not published. (Published information is Tier 0.)
  • PID and Onyen.

Sensitive Information

Tier 2 and Tier 3 information is "sensitive information" as it relates to University

  • policies,
  • standards, and
  • procedures.

If a University unit handles sensitive information, it needs to check how it classifies and controls that information, and apply stricter standards if needed. Items that the University Records Retention Schedule marks "Confidential" often contain elements that need to be classified as Confidential or Restricted.

Tier 2: Confidential Information

University information is Confidential Information until determined otherwise. Confidential Information includes information the University must keep confidential because of a:

  • law,
  • regulation,
  • contract, or
  • policy.

Examples of Confidential Information are:

  • Education records such as grades and class schedules.
  • The University's proprietary information including:
    • findings from research,
    • intellectual property, and
    • donor/funding sources that this standard does not put in a different Tier.
  • Information in personnel files that the N.C. Human Resources Act protects. This includes the results of criminal background checks.
  • Communications between attorneys and clients.
  • Information subject to a confidentiality agreement.
  • Information protected by a contract or a non-disclosure agreement, such as a vendor’s product roadmap or a sealed bid document.

Tier 3: Restricted Information

Restricted Information, or Tier 3, has protection requirements set by:

  • contract,
  • law, or
  • regulation.

The University must protect Restricted Information in the strictest way. If we lose this information or disclose it without permission, we may have to notify people or pay fines.

Examples of Restricted Information are:

  • Education records such as:
    • disciplinary conduct reports,
    • student health information,
    • sexual assault reports,
    • passports, and
    • financial aid information.
  • Identifiable data to which the Federal Policy for the Protection of Human Subjects (the "Common Rule") applies.
  • Personal Health Information as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
  • Information covered by the North Carolina Identity Theft Protection Act of 2005.
  • Payment Card Industry (PCI) information related to merchant activity.
  • Information subject to export controls (ITAR and EAR).
  • Information covered by the Gramm-Leach-Bliley Act.
  • Information that a contract protects. For example, a document that proves how a vendor keeps information secure.
  • Passwords and other credentials for logging into a computer system that are unique to a person.
  • Social security numbers.

Exceptions

The Data Governance Oversight Group may need to classify some information differently from this standard to:

  • address legal requirements,
  • address a work need,
  • protect the welfare of people, or
  • resolve conflicts in how we classify information.

Definitions

Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, verbal, or audio/visual.

Risk of harm: Risk to the University's mission, state of compliance, finances, operations, and/or reputation.

University Information: University-owned information, or information made or received in connection with the transaction of University business by a Constituent of UNC-Chapel Hill. This includes data, information, or records maintained by the University in any medium or form, and information the University has a legal or ethical responsibility to protect or disseminate.

Related Requirements

External Regulations and Consequences

Failure to comply with this standard may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who fail to adhere to this standard may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors, vendors, and others who fail to adhere to this standard may face termination of their business relationships with UNC-Chapel Hill.

Violation of this standard may also carry the risk of civil or criminal penalties.

University Policies, Standards, and Procedures

Contact Information

Primary Contacts

  • Standard Questions: ITS Policy Office, 919-962-HELP, help.unc.edu
  • Request Information Security Consulting: UNC-Chapel Hill ITS Information Security Office, 919-962-HELP, help.unc.edu
  • Report a Violation: UNC-Chapel Hill ITS Information Security Office, 919-962-HELP

Details

Article ID: 131244
Created: Thu 4/8/21 9:04 PM
Modified: Fri 10/28/22 12:12 PM
Effective Date: 12/07/2020 2:13 PM
Issuing Officer Title: Vice Chancellor for Information Technology and Chief Information Officer
Last Review: 10/28/2022 12:00 AM
Last Revised: 10/28/2022 12:00 AM
Next Review: 10/28/2025 12:00 AM
Origination: 01/22/2016 11:00 PM
Responsible Unit: Information Technology Services

Related Articles

  • The UNC-Chapel Hill Adams School of Dentistry has a legal and ethical responsibility to safeguard patient information. This responsibility includes ensuring that devices storing Protected Health Information ("PHI") or other Sensitive Information are properly encrypted and are serviced by an appropriate vendor. The purpose of this Policy is to ensure that all Computing Devices used by students will meet institutional security requirements.
  • This policy sets up a framework for protecting University data. This framework: gives responsibilities to the stewards, managers, and custodians of University data; empowers the Enterprise Data Coordinating Committee (EDCC) to give advice about the best way to manage and protect enterprise data that still meets the University’s needs; and charges the EDCC with recommending standards and procedures for governing enterprise data.
  • This Standard to the Policy on Enterprise Data Governance describes each role that plays a part in governing University Data at the University of North Carolina at Chapel Hill ("University"). The roles are: Enterprise Data Coordinating Committee (EDCC); data trustees, data stewards, and data managers, who make up the Data Governance Oversight Group (DGOG); and data custodians in units across campus. This Standard also defines what kind of data makes up the University’s "enterprise data."
  • Protected Health Information (PHI) and Sensitive Information (SI) that is transmitted or received on behalf of the University of North Carolina at Chapel Hill by any Constituent must be encrypted in accordance with this Standard, which details required minimum encryption standards for University Tier 2 and Tier 3 information. Particular transmissions may require a heightened encryption requirement or consideration of additional legal or policy requirements.