UW System Administrative Policy 1031

Information Security: Data Classification

Original Issuance Date: September 14, 2016 

Last Revision Date: March 4, 2024

Effective Date: December 1, 2024 

1.     Policy Purpose

This policy establishes a framework for classifying University of Wisconsin (UW) System data based on its level of sensitivity, value, and criticality to the Institution. Data classifications are necessary to secure and protect data in a predictable manner consistent with the risk posed to the organization.

2.     Responsible UW System Officer

Associate Vice President for Information Security

3.     Scope and Institutional Responsibilities

This policy applies to all UW System data, including all operational and research data. Institutions may elect to develop their own procedures and/or guidance to support compliance with this policy.

4.     Background

UW System uses a variety of data in support of its teaching, research, administrative, and outreach missions. Data is a valued resource institutions must govern, classify, and protect. Laws and regulations also require that institutions limit access to certain categories of data to protect the privacy of individuals.

To ensure appropriate protection from threats to the confidentiality, integrity, and availability of UW System’s data, it is necessary to determine the level of risk associated with the data. Data classification assigns such levels and helps inform which technical, administrative, and physical controls should be applied to protect the data from theft, alteration, loss of integrity, and/or misuse. Proper data security handling practices must be employed commensurate with the sensitivity of the data and the risk to UW System. This policy also seeks to ensure strong and consistent data handling standards throughout UW System.

5.     Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:

  • Data Domain
  • Data Steward
  • Data Trustee

6.     Policy Statement

Institutions shall use the following framework to evaluate and classify data.

A. Data Classifications

UW System utilizes a three-tier data classification schema, with each tier representing the level of risk the data poses to the organization. Data Stewards shall classify data they are responsible for overseeing in a consistent manner to align with the classification levels listed below.

Specific examples for each classification can be found in SYS 1031 Guidance: Data Classification Examples.

I. Low Risk

Data is classified as low risk when the loss of confidentiality, integrity, or availability of data could result in negligible operational, financial, legal, or reputational impact to the organization. This includes:

      1. Public Data – Data made available for public use and consumption and can be openly shared or discussed with anyone.
      2. Internal Data – Data made available to internal users but not intended to be openly shared on public websites or in other public forums.

II. Moderate Risk

Data is classified as moderate risk when the loss of confidentiality, integrity, or availability of data could result in a moderate operational, financial, legal, or reputational impact to the organization. This includes:

      1. Sensitive Data – Data limited to defined users, roles, or groups within the organization based on specific business needs. By default, all institutional data that is not explicitly classified must be treated as Sensitive data.

III. High Risk

Data is classified as high risk when the loss of confidentiality, integrity, or availability of data could result in a significant operational, financial, legal, or reputational impact to the organization. This includes:

      1. Restricted Data – Data limited to a highly defined small set of users.

B. Data Reclassification

Data stewards shall periodically reevaluate the classification of data to ensure the assigned classification is still appropriate based on changes to legal and contractual obligations, as well as changes in the use of the data or its value to the institution. These evaluations shall be conducted by the appropriate data steward. Evaluations on an annual basis are encouraged; however the data steward should determine what frequency is most appropriate.

C. Classification Documentation

Data stewards shall maintain documentation of data classifications for data they are responsible for overseeing.

7.     Related Documents

SYS 1031 Guidance: Data Classification Examples

8.     Policy History

Revision 6:                 March 4, 2024

Revision 5:                 December 1, 2023

Revision 4:                 November 13, 2020

Revision 3:                 December 9, 2019

Revision 2:                 January 9, 2019

Revision 1:                 July 31, 2017

First approved:         September 14, 2016

9.     Scheduled Review

December 2028