Question
What are the data classification categories used at the University of South Dakota?
Answer
What is data classification?
Data classification is the process of separating and organizing data into relevant groups (“classes”) based on their shared characteristics, such as their level of sensitivity, the risks they present, and the compliance regulations that protect them. To protect sensitive data, an organization must locate it, classify it according to its level of sensitivity, and tag it accurately. Then, enterprises must handle each group of data in ways that ensure only authorized people can gain access, both internally and externally, and that the data is always handled in full compliance with all relevant regulations.
There are endless ways to classify data, but the University of South Dakota uses a variation of a three-level data classification schema: public, internal, and restricted.
Note: By default, all university data is considered Internal unless classified otherwise.
- Public — Information intended for public use or information that can be disclosed without any risk to the university or individuals. Unauthorized disclosure, alteration, or destruction has low or no financial or reputational impact.
Examples of Public data include directory information, job postings, public campus maps, policies, etc. This data may be accessed by employees, students, and the public without prior authorization.
- Internal — Information intended for use within the university that, if disclosed, would not result in significant harm but is not intended for public dissemination. Unauthorized disclosure, alteration, or destruction could have moderate financial or reputational impact to USD or the SDBOR.
Examples of Internal data include internal email, non-public reports, budgets, procedures, etc. This is non-public information that may be accessed by eligible employees and designated appointees of the university for purposes of university business. Access restrictions should be applied accordingly.
- Restricted — Sensitive information that requires strict controls due to legal, regulatory, or policy requirements. Unauthorized disclosure, alteration, or destruction could have criminal or extreme financial or reputational impact to USD or the SDBOR.
Examples of Restricted data include customers’ academic information, Personal Identifying Information (PII), Personal Health Information (PHI), and banking, credit card, or financial information. FERPA data, HIPAA data, and GLBA data are other examples.
How do I set the label or classification on my documents?
If you need further assistance, please contact the Service Desk.