University of North Carolina at Chapel Hill Information Classification Standard
Introduction
Purpose
The Information Classification Standard sets a framework for the University of North Carolina's ("University" or "UNC-Chapel Hill") information. This framework helps us recognize, manage, and protect the types of University information we handle. The classification aligns with the Information Security Controls Standard (“MSS”) which sets the security measures needed. In some cases, data obligations include responsible data sharing driven by the University’s mission, scholarship, and research. Proper data management also involves data integrity, accuracy, and availability (e.g. records management). Classification is the first step to understanding how to properly handle University Information.
The University classifies information according to:
- Law, regulation, administrative, and contractual requirements;
- Ethical considerations;
- Strategic or proprietary value; and
- Operational use.
Classifying information correctly gives everyone at the University a framework that supports their University activities.
Scope
This standard applies to all members of the UNC-Chapel Hill community, including faculty, employees, students, and contractors.
Standard
This standard defines four tiers of information:
- Tier 0: Public Information
- Tier 1: Business Information
- Tier 2: Confidential Information, and
- Tier 3: Restricted Information.
Classifying information is an ongoing process. Information may shift between tiers many times throughout its existence, or fall into different tiers based on its context. Seek guidance when a classification is not clear.
The University has three missions: education, research, and public service. Classification supports all three as some types of information must be more readily available than others.
Examples and description of information elements are below.
GENERAL INFORMATION
Tier 0: Public Information
Public Information, or Tier 0, is information that is approved to be published. There are no limits on disclosing public information. Information the University has published or intends to publish is Tier 0. Protecting Tier 0 information means protecting its accuracy, source authority, and integrity. Tier 0 information directs to MSS “Low” baseline controls by default.
Examples of Public Information are:
- Information in the University directory the public can see.
- Information on University websites the public can see, such as:
  - Marketing material;
  - Descriptions of departments or programs;
  - Press releases; and
  - Requests to take part in research.
- Business information that is archived (with limited exceptions).
- Annual Clery reports.
Tier 1: Business Information
Business Information, or Tier 1, is not directly accessible to the public. It is mainly for internal use and is usually about operating the University.
To protect Tier 1 information, controls are in place on who can access it. By default, those controls are reflected in the MSS “Low” baseline controls. The controls are appropriate to the content. Everyone who uses Tier 1 information must protect it.
As part of doing work, a person may need to share Tier 1 information with others who need it to do their work. Tier 1 information can be shared with others at the University who have a business need for it.
Those with access to Tier 1 information should only share it with someone outside the University if their job requires it. They should take care to share only the information needed.
Examples of Business Information are:
- Memos, correspondence, meeting minutes, contact lists, or procedures (not otherwise restricted).
- Records of budgets or purchases, including reports and vendor catalogs or brochures.
- Chemical safety records such as Employee Right-To-Know reports.
- Grant proposals and supporting documents once the grant is complete.
- Information in the “twelve categories” that North Carolina General Statute § 126-23 identifies for personnel records.
- Student information defined as “FERPA directory information” but not published. (Published information is Tier 0.)
- PID and Onyen.
- Unpublished findings from research (unless rated at a higher Tier because of their content, such as SSNs, clinical data protected by HIPAA, or data under nondisclosure or other confidentiality agreements).
- Intellectual property, unless rated at a higher Tier because of its content or because it is under nondisclosure or other confidentiality agreements.
SENSITIVE INFORMATION
Tier 2 and Tier 3 information is "sensitive information" as it relates to University policies, standards, and procedures.
University units handling sensitive information must review how they classify and manage it. NOTE: All sensitive information directs by default to the MSS "Moderate" (Tier 2) or "High" (Tier 3) baseline. See the MSS for additional "overlay" controls that may also apply. Items that the University Records Retention Schedule marks "Confidential" often contain elements that are Tier 2 Confidential or Tier 3 Restricted.
Tier 2: Confidential Information
Tier 2 is typically information the University is required to keep confidential due to an external obligation. Examples include:
- Law,
- Regulation,
- Contract, or
- State or System Office policy.
Tier 2 is the default classification until a different classification is identified. Confidential Information includes information the University must keep confidential. For example:
- Education records such as grades and class schedules protected by the Family Educational Rights and Privacy Act (FERPA).
- The University's proprietary information, including:
  - Findings from research,
  - Intellectual property, and
  - Donor/funding sources that this standard does not put in a different Tier.
- Information in personnel files that the N.C. Human Resources Act protects. This includes the results of criminal background checks.
- Communications between attorneys and clients.
- Information subject to a confidentiality agreement.
- Information protected by a contract or a non-disclosure agreement, such as a vendor’s product roadmap or a sealed bid document.
- Other proprietary information the University decides to classify as Confidential, such as donor/funding sources that this standard does not put in a different Tier.
Tier 2 information directs to MSS "Moderate" baseline controls by default. Also check for an Overlay that may apply.
Tier 3: Restricted Information
Restricted Information, or Tier 3, is information that is often called “need to know.” It should be shared with specific individuals only. Tier 3 has protection requirements set by external obligations that the University must fulfill; these derive primarily from law but may also come from other sources.
The University must use rigorous protections for Restricted Information. MSS "High" baseline controls apply by default, and most Tier 3 information will have additional Overlay controls as well. Loss or unauthorized disclosure of this information may require that the University notify people or pay fines. In some cases, people may be subject to criminal penalties for improper disclosure of some types of Tier 3 data. Tier 3 data is primarily personal information that could harm people if it is disclosed improperly.
Examples of Restricted Information are:
- Some education records protected by FERPA, such as:
  - Disciplinary conduct reports,
  - Student health information,
  - Sexual assault reports,
  - Passports, and
  - Financial aid information.
- Identifiable data that the Federal Policy for the Protection of Human Subjects "Common Rule" applies to.
- Protected Health Information as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- Financial Information covered by the North Carolina Identity Theft Protection Act of 2005. (Please note that this is highly contextual. Seek guidance.)
- Information that has controls on whether it can be exported (ITAR and EAR).
- Information covered by the Gramm-Leach-Bliley Act.
- Passwords and other ways to log into a computer system that are unique to a person.
- Social security numbers.
Exceptions
If a classification is not clear, please seek guidance from the University’s Data Governance authorities. The site datagov.unc.edu has guidance and, at the bottom of the main page, a link to ask for “Data Assistance” help. The Data Governance Oversight Group, working with campus authorities and subject matter experts, can provide authoritative information on classification, new determinations, and any exceptions to this Standard. Exceptions may:
- Clarify context,
- Address legal requirements,
- Address a work need,
- Protect the welfare of people,
- Address risk level, and/or
- Resolve conflicts in how we classify information.
Definitions
Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, verbal, or audio/visual.
Risk of harm: Risk to the University's mission, state of compliance, finances, operations, and/or reputation.
University Data: Also called University Information or Enterprise Data. University Data includes any data the University has a legal, business, or ethical responsibility or right to protect or share. It includes all data and records created or received in the course of University business, except where excluded under the Policy or Standard on University Data Governance. University Data includes, but is not limited to, machine-readable data, data in electronic communication systems, data in print, and backup and archived data on all media.
Related Requirements
External Regulations and Consequences
Failure to comply with this standard may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who fail to adhere to this standard may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors, vendors, and others who fail to adhere to this standard may face termination of their business relationships with UNC-Chapel Hill.
Violation of this standard may also carry the risk of civil or criminal penalties.
University Policies, Standards, and Procedures
Contact Information
Primary Contacts
| Subject | Contact | Telephone | Online/Email |
| --- | --- | --- | --- |
| Standard Questions | ITS Policy Office | 919-962-HELP | help.unc.edu |
| Classification and related guidance | UNC-Chapel Hill ITS Information Security Office | 919-962-HELP | help.unc.edu "University Data Assistance Request" |
| Report a Violation | UNC-Chapel Hill ITS Information Security Office | 919-962-HELP | N/A |