Data Classification


This document establishes criteria to classify data. Information Technology Services (ITS) must be informed when a new information system that will handle or store confidential information is being established.

Audience & Applicability

University employees, contractors, and students who are acting as agents of the University. This document is necessary to educate University employees, contractors, and students who are acting as agents of the University, so that they can properly classify data and follow the appropriate security measures surrounding data.   


University employees will use the criteria below to determine which data classification is appropriate for a particular information or infrastructure system. A positive response to the highest category in any row is sufficient to place the respective system into that specific classification. Electronic mail (e-mail) should be classified by the data or information contained therein (e.g., e-mails that relate to specifically identified students must be kept as confidential education records).

If University employees are creating a new information system that will store or handle Confidential Data, they must inform ITS at prior to acquiring such a system.



Confidential Data (highest, most sensitive)
Private Data (moderate level of sensitivity)
Public Data (low level of sensitivity)

Legal Requirements
  • Confidential Data: Protection of data is required by law (e.g., HIPAA, FERPA)
  • Private Data: The University of Kentucky (UK) has a contractual obligation to protect the data
  • Public Data: Protection of data is at the discretion of the steward, owner or custodian

Reputation Risk

Other Institutional Risks
  • Confidential Data: Information which provides access to resources, physical or virtual
  • Private Data: Smaller subsets of protected data from a college, school, or department
  • Public Data: General University information

  • Confidential Data: Only those individuals designated with approved access, signed non-disclosure agreements, and a need-to-know
  • Private Data: UK employees and non-employees who have a business need-to-know
  • Public Data: UK affiliates and general public with a need-to-know


  • Individuals’ health record and information
  • Student education records
  • Human subjects research data that identifies individuals
  • Campus security systems and details
  • Government restricted and/or classified information
  • Personally Identifiable Financial Information
  • Prospective students
  • Financial transactions of students/employees
  • Personnel Records (although certain records within employee personnel files may be public records subject to disclosure, personnel files should be maintained as confidential data and disclosure of public records shall only be made after a case-by-case determination)
  • Social Security and Credit card numbers
  • Certain management information
  • Information resources with access to confidential data
  • Research data or results that are not confidential
  • Information covered by non-disclosure agreements
  • Proprietary information of UK or others contained within contracts, license agreements, or proposals
  • Materials for performance of official duties
  • Campus maps
  • Personal directory data (e.g., contact information)
  • Departmental websites
  • Academic course descriptions
  • News
  • Information posted on University website
  • Purchase Orders
  • Budgets




Data Custodian: In most cases, the Data Custodian is not the Data Owner. A system administrator or Data Custodian is a person who has technical control over an information asset dataset. Usually, this person has the administrator, system administrator, root account, or equivalent level of access. 


Data Owner(ship): The act of having legal rights and complete control over a single piece or set of data elements. It defines and provides information about the rightful owner of data assets and the acquisition, use, and distribution policy implemented by the data owner.


Data Steward: An individual responsible for the management and fitness of data elements - both the content and metadata. Data stewards ensure accuracy, integrity, consistency and quality of data so that exchanges of data can occur precisely and consistently between computer systems and so that data-related resources can be reused.


FERPA: Family Educational Rights and Privacy Act of 1974, federal legislation in the United States that protects the privacy of students' personally identifiable information (PII). The act applies to all educational institutions that receive federal funds.

HIPAA: Health Insurance Portability and Accountability Act, a US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers. 


Information System: An information system (IS) is an organized system for the collection, organization, storage and communication of information.


Infrastructure System: The fundamental structure of a system or organization. The basic, fundamental architecture of any system (electronic, mechanical, social, political, etc.) determines how it functions and how flexible it is to meet future requirements.  

Printed copies of this document are not considered to be official.