Introduction
UW System Administration Policy 1031 provides the standards by which UW institutions classify their data. The policy divides data into High Risk, Moderate Risk, and Low Risk. These risk categories are used by other policies to determine the required level of protection, response obligations, and other responsibilities.
https://www.wisconsin.edu/uw-policies/uw-system-administrative-policies/information-security-data-classification-and-protection/
Definitions & Standards
High Risk Data
High Risk data is any data where unauthorized disclosure, alteration, loss, or destruction:
- May cause financial loss or violate a law, OR would violate a confidentiality agreement, OR would cause serious reputational harm to the University, OR would require the University of Wisconsin System to inform the government or public of a breach
Examples of High Risk data include:
- HIPAA data
- PCI data
- Personal Health Information (PHI)
- FERPA information in conjunction with Student ID numbers or Social Security numbers (SSN)
- Information that is exempt from public record laws
- Information that might pose a risk of identity theft (first initial and last name when linked with other information such as DNA, SSN, Driver’s License ID and financial data)
- Any passwords that grant access to other High Risk data
Please note: By our current data categories, it is likely that much of the university data you are responsible for should be classified as High Risk.
Moderate Risk Data
Moderate Risk data is defined as “Any data if released to unauthorized individuals could have a mildly adverse impact on the institution or UW System mission, safety, finances, or reputation.” Any data that is not categorized as High or Low will be categorized as moderate.
Examples of Moderate Risk data include:
- Student educational records without identifying references
- Directory information for employees who have chosen to withhold their personal information
- Donor or other third-party partner information maintained by the University
- Proprietary financial, budgetary or personnel information not explicitly authorized for public release
Low Risk Data
Low Risk data is, essentially, public information.