What Is Data Classification?
"All Data is Not Created Equal..."
When it comes to the security of information, there is no "one size fits all" protection. Different types of data should be secured in different ways. Imagine if your work or school e-mail address were subject to the same security requirements as your social security number. It would be challenging for people to contact you, even for legitimate business.
The act of classifying data, contrary to what we might have seen on the silver screen, simply means putting the data into a category based on its sensitivity. The following questions must be answered for successful classification:
- Who owns the data?
- Who should have access to the data?
- How should such access be granted or revoked?
- What precautions must be taken to ensure that only authorized individuals can access the data?
Different classification systems are used at the University, across the Commonwealth of Virginia, throughout our nation, and around the globe. Data classification always originates from the owner. In essence, data owned by the United States federal government must use the classification scheme relevant there. Data held by the University must use our classification processes, which generally work with those of the Commonwealth of Virginia.
Once you have determined who owns particular data, you may use this online tool to help you determine the data category and obtain general information on how the data is handled. Please note that this tool is for informational purposes only. It is not intended to replace official policies or laws or to provide legal advice.
The VCU Data Classification Standard policy classifies all data generated, processed, stored, transmitted, or used by all VCU faculty, staff, contractors, and third-party business partners on behalf of VCU. VCU data classification levels include Category I (Confidential and Regulated), Category II (Sensitive), and Category III (Public) information.
- Category I (Confidential and Regulated): Information protected under federal, state or industry regulations and/or other civil statutes which, if lost, may require breach notification and cause potential regulatory sanctions, fines and damages to the institution’s mission and reputation.
- Category II (Sensitive): All proprietary information that, if improperly released, has the potential to cause harm to the institution, its mission or its reputation, but does not require breach notification, and whose security or privacy is not regulated or required by law or contract. Such data includes proprietary and properly de-identified research information, business-related email or other communication records, financial information, employee performance records, operational documentation, contractual information, intellectual property, internal memorandums, salary information, and all other information releasable in accordance with the Virginia Freedom of Information Act (Code of Virginia 2.2-3700).
- Category III (Public): All non-proprietary data that is considered publicly available for unrestricted use and disclosure and that, if lost or illegitimately modified, will generate no negative impacts to individual departments, schools, colleges, or the institution as a whole. Such information is available to all members of the University community and to all individuals and entities external to the University community. Such data can make up public website information, public press releases, public marketing information, directory information, and public research information.