University of Minnesota Administrative Policy

Data Classification and Security Level

Policy Statement

The University uses data classification and security level to ensure all data and the systems that interact with it have appropriate security controls to identify and protect the confidentiality, integrity, and availability of the data. Systems interact with data when they store, access, transmit, or have the ability to impact the security of the data.

To protect the security and integrity of University of Minnesota data, and comply with applicable state and federal laws and regulations, all University of Minnesota data must be classified and managed appropriately. 

Data Classification

Data Classification is a category assigned according to data sensitivity, value, and criticality. The University’s data classifications are:

  • Public - Public data are University data that, by law, are available to the public upon request, and that the loss of the data would not cause significant personal, institutional or other harm. See Administrative Policy: Public Access to University Information. (ex. public facing website indicating course offerings).
  • Private-Restricted - Private-Restricted data are University data that by law are not public and are available within the institution only to those with a business need, but are not so highly sensitive that the loss of confidentiality of the data would cause significant personal, institutional, or other harm, and no law, regulation, or contract require a higher degree of security. (ex. Student grades or UCard number).
  • Private-Highly Restricted - Private-Highly Restricted data are University data that are available to only those within the institution with a legitimate need to know, and (1) are so highly sensitive that the loss of confidentiality of the data could cause significant personal, institutional, or other harm; (2) by law, regulation, or contract require a high degree of security. (ex. Social security number, medical records as defined by HIPAA, or credit card number).

See Administrative Procedure: Classifying Data to help identify the appropriate data classification.

Security Level

The University Security Level defines security requirements for the technology, device, application, or resource used to store, transmit, or process University information. Security Level is determined based on a combination of the data classification confidentiality, integrity, and technology availability requirements, which may be influenced by the sensitivity, criticality, and quantity of the data held. See Administrative Procedure: Identifying Security Level of an IT Resource.

The University’s Security Levels are:

  • Low - This level most frequently applies to technologies that interact with operations and information that are public, or which would not likely result in significant personal, institutional, or other harm in the event of compromise. The primary concern of systems at this level is integrity and availability.
  • Medium - This level most frequently applies to technologies that interact with Private-Restricted data or other sensitive operations. The loss of confidentiality, integrity, or availability may result in personal, institutional or other harm. Systems in this level are not intended to be available to the general public, are restricted in access, and may be subject to specific laws, regulations, or contractual agreements due to the systems’ intended primary use case or underlying data.
  • High - This level most frequently applies to technologies that interact with Private-Highly Restricted data. The loss of data and the loss of confidentiality, integrity, or availability, can reasonably be expected to result in personal, institutional, or other harm. Specific laws, regulations, or contractual agreements require a high level of security, or may require security controls above and beyond those attributed to this security level in Administrative Policy: Information Security.

See Administrative Procedure: Identifying Security Level of an IT Resource to help identify the appropriate Security Level.

Data Classification and Security Level Responsibilities

Where defined, Data Owners (as defined in Appendix: Data Classification Owner/Custodian Table) are responsible for setting the appropriate Data Classification and Security Level for their data. They do this in a way that follows state and federal laws and regulations, any specific contractual requirements, and protects the confidentiality, integrity and availability of the data. Data Owners and Data Custodians must communicate the data classifications and security levels to affected groups and individuals. Data Owners are responsible for reviewing data classification annually.

University community members and data users must:

The Vice President for Information Technology will consult with the appropriate vice president to resolve any ambiguity as to the Data Classification or Security Level of data by the Data Owner.

Reason for Policy

University data are valuable assets. Often, University data are subject to state and federal regulations which outline various control requirements to ensure appropriate confidentiality, availability and integrity of the data. This policy provides a foundation for facilitating compliance with the related regulations and adherence to the appropriate security practices.

Procedures

Forms/Instructions

Appendices

Frequently Asked Questions

  1. Where can I find further guidance on research data?

    Consult the Administrative Procedure: Identifying Security Level of an IT Resource for guidance on classifying and identifying security level for research data.

  2. Who should I reach out to if I have questions or concerns about how data has been classified? 

    Consult the Appendix: Data Classification Owner/Custodian Table for guidance on who to reach out to based on the data in question. 

  3. Where can I find further guidance on protected health information?

    See Administrative Policy: Protected Health Information. For questions or further guidance contact Health Information Privacy and Compliance Office at [email protected].

Contacts

Subject | Contact | Fax/Email
Primary Contact | Chris Herdt | [email protected]
Information Security | University Chief Information Security Officer | [email protected]
Data Classification Questions | See Data Classification Owner/Custodian Table |
Export Controls and Research Security Questions | Export Controls Office | [email protected]
FERPA Questions | FERPA Compliance team in Academic Support Resources (ASR) | [email protected]
HIPAA Questions | Health Information Privacy and Compliance Office | [email protected]
Unfunded Research Agreements | Unfunded Research Agreements Group | [email protected]

Responsible Individuals

  • Responsible Officer: Vice President and Chief Information Officer, Office of Information Technology
  • Policy Owner: Interim Chief Information Security Officer
  • Primary Contact: Chris Herdt, Interim Chief Information Security Officer

Definitions

Availability

Timely and reliable access to IT resources.

Compliance Officer

The University designated individual responsible for compliance for a broad type of data (e.g. HIPAA, PCI DSS, FERPA) or data set (e.g. research data) across the University, consistent with University policy and all applicable state and federal laws, and contractual agreements.

Confidentiality

Control mechanisms used to prevent unauthorized access to data, processes, or IT resources.

Data

Any information, regardless of format (electronic, physical, verbal, etc.) that is collected, stored, or transmitted.

Data Custodian

A representative of the University who is assigned responsibility to serve as steward of University data in a particular area (e.g., principal investigator (PI)).

Data Owner

Individual with primary authority and accountability for specified information (e.g., a specific business function) or type of data (e.g., research). Where there is a designated University Compliance Officer, the Compliance Officer is the data owner.

Data User

An individual, who in the course of carrying out official University business or research, may collect, store, transfer or report data consistent with their function at the institution.

Enterprise System or Application

A system or application that is designated by the Vice President for Information Technology or their designee. Enterprise Systems or Applications are typically used across one or more campuses.

Family Educational Rights & Privacy Act (FERPA)

Federal law (P.L. 93-568, 2) as amended in 1974 (with updates). Specifies rights and responsibilities of students and colleges regarding access to student data.

Health Insurance Portability and Accountability Act (HIPAA)

Health Insurance Portability and Accountability Act of 1996 and its implementing regulations and any updates or amendments to the same.

Information Technology Resource (IT Resource)

Facilities, technologies, and information resources used for information retrieval, processing, transfer, storage, and communications in support of University research, education, outreach, and administrative needs. This definition is not all inclusive but rather reflects examples of equipment, data, content, tools, supplies, and services. This also includes services that are University owned, leased, operated or provided by the University or otherwise connected to University resources, such as cloud and Software-as-a-Service (SaaS) or Infrastructure-as-a-Service (IaaS), or any other connected/hosted service.

Included in this definition are computers, mobile devices, computing and electronic communications devices and services, authentication credentials, e-mail, networks, telephones (including cellular), voice mail, fax transmissions, video, multimedia, licensed information resources, computer labs, classroom technologies, and research and instructional materials.

Integrity

Controls protecting against unauthorized modification of data or IT resources. Integrity is dependent upon confidentiality and access control.

Payment Card Industry Data Security Standards (PCI DSS)

A multifaceted security standard developed and owned by the major payment card companies that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

Proprietary Research

Industry-sponsored research that uses the sponsor's proprietary information or results in intellectual property for which the sponsor has an option to an exclusive license. These sponsors often request restrictions on who can discuss the research and under what circumstances. They also may prohibit publication of confidential company information or ask the researcher to delay publication of research results so that they can review the material for proprietary information or take steps to secure intellectual property rights to possible inventions.

Security Controls

Processes, software, configurations, or hardware used by system and network administrators to ensure the integrity, confidentiality, and availability of information technology resources and data. 

University Community Members

University faculty, staff, students, and alumni are generally defined as members of the University community. The General Counsel may designate additional groups as members of the University community.

University Data

Any information, regardless of format (electronic, physical, verbal, etc.) that is collected, manipulated, stored, reported, or presented by any unit of the University in support of the University mission.

Responsibilities

Data Custodian

Responsible for following the procedures determined by the data owner to maintain the confidentiality, integrity, and availability of the data consistent with University policy, applicable state and federal laws, and contracts. Responsible for communicating the data classification and security level to affected groups and individuals.

Data Owner

Accountable for specified information (e.g., a specific business function), broad type of data (e.g., HIPAA, PCI DSS, FERPA), or type of data set (e.g., research data).

Responsible for setting data classification and security levels. Data owners must perform annual reviews to meet state and federal laws and regulations, specific contractual requirements, University policy, and appropriate security controls to protect the confidentiality, integrity, and availability of the data.

Responsible for delegating responsibility to appropriate data custodian(s).

Data User

Responsible for maintaining the confidentiality, integrity, and availability of University data they manage and for following all University policies, procedures, and standards related to the data classification and security level, including applicable state and federal laws, and contracts.

Export Controls and Research Security (ECRS)

Responsible for system-wide compliance with export controls, foreign data, economic sanctions, and certain federal research security requirements. ECRS can assist with questions about non-US data.

FERPA Compliance team in Academic Support Resources

Responsible for system-wide compliance with FERPA, the U.S. Federal Law that protects all student educational records.

Health Information Privacy and Compliance Office

The single authority for determining whether or not data falls under the Health Insurance Portability & Accountability Act (HIPAA) compliance requirements during the IRB review process.

Principal Investigator (PI)

PIs must ensure that research data are protected according to application specifications in Administrative Policies: Data Security Classification and Information Security. Additional policies include: Administrative Policy: Responsible and Ethical Conduct of Research Education and Board of Regents Policy: Submitting and Accepting Sponsored Projects.

Sponsored Projects Administration

Proposes, negotiates, and administers research grants, contracts, and cooperative agreements. The Unfunded Research Agreements (UFRA) group ([email protected]) within SPA manages research-related agreements that generally do not have funding, such as certain data use agreements, non-disclosure/confidentiality agreements, and incoming material transfer agreements.

University Chief Information Security Officer or Designate

Specifies the information security controls for each Data Classification and Security Level. Assists data users in classifying their data that is not currently classified.

Vice President of Information Technology & Chief Information Officer (CIO)

Consults with the appropriate vice president to resolve any ambiguity as to the Data Classification or Security Level of data by the data owner.

History

Amended:

December 2025 - Comprehensive Review Revisions:

  1. Updated title: Administrative Policy: Data Classification & Security Level
  2. Clarified and provided additional guidance in policy statement section
  3. Defined sections, definitions, and examples for Data Classification and Security Level
  4. Added further clarification to distinguish between Data Classification and Security Level
  5. Data Security Classification Responsibilities: Header & layout change
  6. Added 2 new Frequently Asked Questions
  7. New definitions for the following: Availability, Confidentiality, Integrity
  8. Updated definition for: Data, IT Resources, and University Data to keep consistent across policies

Amended:

June 2017 - Comprehensive Review, Minor Revisions:

  1. Revise policy statement section to better define the data security classifications and clarify roles/responsibilities. Data owner replaces data custodian in policy statement, procedures and appendices. Privacy Officers are now called compliance officers and are a type of data owner.
  2. Update additional contacts, responsibilities, definitions, contacts and related information sections.
  3. Add a frequently asked question related to research.
  4. Add a Related Laws and Regulations sub-section to Related Information.
  5. Change the Identifying Security Level appendix to an administrative procedure. Revise to use examples to help identify the security level.

Effective:

June 2013 - New Policy:

  1. Establishes more refined data security classifications, so that data can be accorded the appropriate level of security controls according to the characteristics of the data, with the most sensitive data receiving the highest security. Prior to this policy, there were only two classifications (public and nonpublic).
  2. Specifies who is responsible for classifying the data for which they are responsible.