Sidebar
Questions?
Please use the contact section below.
Policy Statement
To protect the security and integrity of University of Minnesota data, and comply with applicable state and federal laws and regulations, all University of Minnesota data must be classified appropriately. The University uses data security classification and security level to ensure all data and the systems on which it is stored, accessed, transmitted, or have the ability to impact the security of the data have appropriate security controls to protect the confidentiality, integrity, and availability of the data.
The University's data security classifications are:
- Private-Highly Restricted – Private-Highly Restricted data are University data that are not public and are available within the institution only to those with a legitimate need to know, and (1) are so highly sensitive that the loss of confidentiality of the data could cause significant personal, institutional, or other harm; (2) by law, regulation, or contract require a high degree of security.
- Private-Restricted - Private-Restricted data are University data that by law are not public and are available within the institution only to those with a legitimate need to know, but are not so highly sensitive that the loss of confidentiality of the data would cause significant personal, institutional, or other harm, and no law, regulation, or contract require a higher degree of security.
- Public - Public data are University data that by law are available to the public upon request, and that the loss of the data would not cause significant personal, institutional or other harm.
Data owners are responsible for setting the appropriate data security classification and security level for their various types of data to meet state and federal laws and regulations, specific contractual requirements, and appropriate security controls to protect the confidentiality, integrity and availability of the data. Data owners and data custodians must communicate the data security classifications and security levels to affected groups and individuals.
University community members and data users must follow security controls that are appropriate for the data security classifications and the security level. For electronic data, the controls are specified in Administrative Policy: Information Security.
The Vice President for Information Technology will consult with the appropriate vice president to resolve any ambiguity as to the classification or security level of data by the data owner.
Reason for Policy
University data are valuable assets. Often, University data are subject to state and federal regulations which outline various control requirements to ensure appropriate confidentiality, availability and integrity of the data. This policy provides a foundation for facilitating compliance with the related regulations and adherence to the appropriate security practices.