Marian University Data Classifications

The purpose of data classifications is to provide a framework for identifying and managing university data based on its sensitivity, intended use, and potential impact if disclosed, altered, or lost. By categorizing data into different security levels, the institution can implement appropriate safeguards to protect privacy, ensure compliance with legal and regulatory standards, and mitigate operational, financial, and reputational risks.

 

Public Data

Information that is intentionally made available to the public with minimal or no restrictions on access. This is low sensitivity data that poses little or no risk to the institution or individuals if disclosed.

Examples

  • Course catalogs
  • Press releases and promotional materials
  • Public research findings published in journals
  • University website content
  • University presentations
  • Integrated Post-Secondary Data System (IPEDS) data

Security Measures

  • No special access controls required
  • General integrity and availability safeguards (basic backups, secure web hosting)

Internal/Private Data

Information intended for use within the university community. Unauthorized disclosure could have minor consequences. This data, considered medium sensitivity, is not public but does not require extensive security measures. It is primarily related to business operations or internal processes.

Examples

  • Internal memos and non-confidential meeting minutes
  • University staff directories (non-sensitive contact information)
  • Non-confidential academic policies, such as grading policies or degree requirements
  • Unpublished research drafts
  • Aggregate/non-identifiable student data, such as cohort assessment scores
  • Course content and creative works
  • Program review and department reports

Security Measures

  • Restricted access based on university affiliation (faculty, staff, students)
  • Limited access via internal systems with basic authentication

Confidential/Restricted Data

Data requiring protection due to legal, ethical, or contractual obligations. Unauthorized access could cause significant harm. This data is highly sensitive and improper disclosure or loss could impact individuals, operations, or reputation. Legal or regulatory protections may apply.

Examples

  • Identifiable student data, such as individual grades (protected by FERPA)
  • Employee personnel records (payroll, benefits, evaluations)
  • Proprietary research data
  • Donor information

Security Measures

  • Strong access controls (role-based access, unique user IDs)
  • Encryption for data at rest and in transit
  • Multi-factor authentication (MFA)
  • Auditing and logging access
  • Must never be accessible by the general public

Sensitive/Highly Confidential Data

Data that requires the highest level of protection due to extreme sensitivity. Disclosure could result in severe harm to individuals, the institution, or external stakeholders. This data is likely governed by strict regulatory or contractual constraints and could result in legal liability, financial loss, or critical reputational damage.

Examples

  • Personally Identifiable Information (PII) combined with sensitive details (e.g., Social Security numbers, financial account numbers)
  • Health records (protected under HIPAA)
  • Legal documents involving litigation
  • Research data under confidentiality agreements

Security Measures

  • Access on a strict need-to-know basis only
  • Enforced encryption for storage and transmission
  • Secure storage (e.g., dedicated servers or encrypted cloud environments)
  • Regular security audits and penetration testing
  • Incident response plans tailored for highly sensitive data breaches
  • Should not be emailed to external recipients
  • May be emailed to internal recipients, but must be password protected, with the password sent in a separate email, and accessed via a secure network
  • Must never be accessible by the general public