Information Classification Standard

Title

University of North Carolina at Chapel Hill Information Classification Standard

Introduction

Purpose

The University of North Carolina at Chapel Hill's (UNC-Chapel Hill) Information Classification Standard defines a structure for the University's institutional information. This Standard is intended to guide University Affiliates in recognizing the types of University Information they handle in order to better safeguard that information. This Standard takes into account the open, information-sharing mission of the University's academic culture. The University classifies institutional information in accordance with legal, regulatory, administrative, and contractual requirements; ethical considerations; strategic or proprietary value; and/or operational use. Proper information classification provides Affiliates, at every level, the structure to support their University activities.

Scope of Applicability

All UNC-Chapel Hill Affiliates.

Standard

University information classification is a fluid process. Information may change between tiers in this standard many times over its lifecycle. Reclassification can occur at any time.

This standard takes into consideration that certain types of information must be disseminated more widely than others in order to fulfill the educational, research, and public-service missions of the University.

Examples of information elements are given below, but these are not intended to be exhaustive lists.

Tier 0: Public Information

Public Information has no disclosure restrictions. Public Information has been approved for public release.

The following are examples of Public Information elements:

  • Information published on public-facing University websites including marketing materials, department or program descriptions, press releases, and requests for research participation
  • Business Information once transferred to Archives may become Public Information
  • Annual Clery Reports

Tier 1: Business Information

Business Information is not available to the public and is typically operational information intended primarily for internal use. Business Information is that which may be routinely communicated to outside parties with no contractual or other restrictions in the course of University business.

The following are examples of Internal Information elements:

  • Memos, correspondence, meeting minutes, contact lists, or procedural documentation (not otherwise restricted)
  • Budget or purchase records including reports, vendor catalogs or brochures
  • Chemical safety records such as Employee Right-To-Know reports
  • Grant proposals and supporting documentation once the grant is completed

SENSITIVE INFORMATION: Tier 2 and Tier 3 information is "Sensitive Information" for the purposes of interpreting existing University policies, standards, procedures, and other documents. It is incumbent upon organizational units handling any sensitive information to evaluate classification and control, and to apply stricter standards when appropriate. Those items in the University Records Retention Schedule with a "Confidential" notation are likely to contain elements which would require a Confidential or Restricted classification.

Tier 2: Confidential Information

Confidential Information is the default classification of University information until determined otherwise. Confidential Information includes information which the University is required by law, regulation, contract, policy, or other governing requirement to keep confidential.

The following are examples of Confidential Information elements:

  • Education records such as grades and class schedules
  • The University's proprietary information including, but not limited to, intellectual research findings, intellectual property, financial data and donor/funding sources not otherwise classified under this standard
  • Confidential personnel file information protected by the N.C. Human Resources Act, including criminal background check results
  • Attorney-client communications
  • Information subject to a confidentiality agreement
  • Information protected by contractual agreements or non-disclosure agreements such as vendor product roadmaps or bid documents sealed for a limited time

Tier 3: Restricted Information

Restricted Information includes any information that the University has a contractual, legal or regulatory obligation to safeguard in the most stringent manner. Unauthorized disclosure or loss of this information may require notification.

The following are examples of Restricted Information:

  • Education records such as disciplinary conduct reports, student health information, sexual assault reports, passports, or financial aid information
  • Some types of Federal Policy for the Protection of Human Subjects "Common Rule" data that remains identifiable
  • Personal Health Information as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Information covered by the North Carolina Identity Theft Protection Act of 2005
  • Payment Card Industry (PCI) information related to merchant activity
  • Export controlled information (ITAR/EAR)
  • Information covered by Gramm-Leach-Bliley Act (GLBA)
  • Information protected by contractual obligations such as vendor information security documentation
  • Passwords
  • Social Security Numbers (SSNs)

Exceptions

None.

Definitions

Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, verbal, or audio/visual.

Risk of harm: Risk to the University's mission, state of compliance, finances, operations and/or reputation.

University Information: University-owned information, or information made or received in connection with the transaction of University business by an Affiliate of UNC-Chapel Hill. Data, information, or records maintained by the University in any medium or form.

UNC-Chapel Hill Affiliate: UNC-Chapel Hill faculty, staff, students, retirees, contractors, distance learners, visiting scholars and others who require UNC-Chapel Hill resources to work in conjunction with UNC-Chapel Hill.

Related Requirements

External Regulations and Consequences

Failure to comply with this standard may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who fail to adhere to this standard may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors, vendors, and others who fail to adhere to this standard may face termination of their business relationships with UNC-Chapel Hill.

Violation of this standard may also carry the risk of civil or criminal penalties.

University Policies, Standards, and Procedures

UNC-Chapel Hill General Records Retention and Disposition Schedule

Contact Information

Primary Contacts

| Subject | Contact | Telephone | Online/Email |
|---|---|---|---|
| Standard Questions | ITS Policy Office | 919-962-HELP | help.unc.edu |
| Request Information Security Consulting | UNC ITS Information Security Office | 919-962-HELP | help.unc.edu |
| Report a Violation | UNC ITS Information Security Office | 919-962-HELP | N/A |

Details

Article ID: 131244
Created: Thu 4/8/21 9:04 PM
Modified: Wed 7/14/21 10:57 AM
Effective Date: 12/07/2020 2:13 PM
Issuing Officer Title: Vice Chancellor for Information Technology and Chief Information Officer
Last Review: 12/07/2020 2:13 PM
Last Revised: 11/04/2019 1:55 PM
Origination: 01/22/2016 11:00 PM
Responsible Unit: Information Technology Services