Printed on: 01/08/2026. Please go to policy.umn.edu for the most current version of the document.
University of Minnesota  Procedure

Classifying Data

Sidebar

Expand all

Sidebar

Table of Contents

TOC placeholder

Questions?

Please use the contact section in the governing policy.

Leave Feedback

This procedure outlines steps for determining the appropriate classification of data.

For University Data Owners

Data Owners are defined in Administrative Policy: Data Classification and Security Level. See Appendix: Data Classification Owner/Custodian Table for a listing of current Data Owners and Custodians. 

  1. Consider the following when determining the appropriate Data Classification:
    • Are there any laws and regulations governing the data or requiring security controls?
    • Are there contractual obligations related to the data?
    • What is the impact to the individual and/or to the University if the confidentiality of the data were negatively affected?
  2. Based on responses to the above questions, determine if the data falls within the Public, Private–Restricted, or Private–Highly Restricted category. See Appendix: Data Classifications by Type for examples of data that have been previously classified.
  3. If changes to a Data Classification are determined, the Data Owner must send a request to University Information Security via [email protected] to update the Appendix: Data Classifications by Type.
  4. Notify data users, as appropriate, of the Data Classification. Data Owners are responsible for reviewing Data Classification annually.

For Data Users

If working with or generating data, follow the steps below to determine the Data Classification and the appropriate security controls.

  1. Determine if the data used have been previously classified by a Data Owner. See Appendix: Data Classifications by Type.
  2. If yes, protect the data as required for that classification using the appropriate security level. See Administrative Procedure: Identifying Security Level of an IT Resource.
  3. If the data have not been classified or requires clarification, contact the Data Owner responsible for similar types of data, the Office of General Counsel at [email protected], or the University Chief Information Security Officer at [email protected].
  4. The Vice President for Information Technology or designee will review any exceptions to the Data Classification established by the Data Owner.