Data Classification

Use these criteria to determine which data classification is appropriate for a particular information or infrastructure system. A positive response to the highest category in any row is sufficient to place that system into that classification. E-mail should be classified by the data or information contained therein. For example, e-mails that relate to specifically identified students must be kept as confidential education records. Each user should protect their e-mails as required under PS-121-ST-3 (Applications Acceptable Use) and PS-124 (Data Management).

Note: If you are creating a new information system that will store or handle Confidential Data, you must inform the IT Security & Policy Office.

Description
  • Confidential Data (highest, most sensitive): Data and/or set of data elements that requires the highest level of security and governance. Governance of such data is typically driven by regulations (e.g., FERPA, GLBA, HIPAA, etc.) or when unauthorized disclosure, destruction, or modification of such data poses a significant risk to the University.
  • Private Data (moderate level of sensitivity): Data and/or set of data elements that requires moderate level of security and governance as defined by contractual obligations, University policies, etc., or when unauthorized disclosure, destruction, or modification of such data poses a moderate risk to the University.
  • Discretionary Data (low level of sensitivity or public): Data and/or set of data elements that is already published to the public or internally held data that may be published to the public at the discretion of the Data Functional Owner. Unauthorized disclosure, destruction, or modification of such data poses a low risk or poses little harm to the University.

Access
  • Confidential Data: Only those individuals designated with approved access, signed non-disclosure agreements, and/or a need-to-know
  • Private Data: LSU employees and non-employees who have a business need-to-know
  • Discretionary Data: LSU employees, non-employees, LSU affiliates and/or general public with a need-to-know

Examples
  • Student education records
  • Individuals’ health records and information (PHI)
  • Research data or results that are confidential data, if classified as such by the Researcher(s), Grant sponsor and/or agency
  • Prospective students
  • Personally Identifiable Financial Information
  • Campus Security Systems and Details
  • Credit card numbers
  • Certain management information
  • Social Security Numbers
  • Government restricted and/or classified Information
  • Financial transactions of students and employees
  • PS-69 Records
  • Personnel Records (Although certain records contained within employee personnel files may be “public records” subject to disclosure, personnel files should be maintained as confidential data and disclosure of “public records” shall only be made after a case-by-case determination.)
  • Information resources with access to confidential data
  • Research data or results that are not confidential data
  • Information covered by non-disclosure agreements
  • Materials for performance of official duties
  • Proprietary information of LSU or others contained within proposals, contracts, or license agreements
  • Campus maps
  • Personal directory information (e.g., contact information)
  • Departmental websites
  • Academic course descriptions
  • News
  • Information posted on University website
  • Budgets
  • Purchase Orders