Data Classification

All UA data and information must be classified as either Unrestricted, Campus Use Only, Sensitive, or Controlled Unclassified Information (CUI).

Unrestricted

Unrestricted data may be disclosed to the public without an expectation of harm to UA or individuals, and their publication is consistent with applicable laws, regulations, and University policies.

When Unrestricted data are required by law, regulation, or UA policy to be made available to the public, such assets require security standards emphasizing availability and integrity. In all cases, management must oversee the implementation of required standards.

Unrestricted Data Examples

Unrestricted data and information include, but are not restricted to, the following examples. 

  • Data and information approved by management for publication to a UA public-facing website 
  • Enrollment figures published by the Office of Institutional Research and Assessment 
  • Research findings approved for publication 
  • Press releases from the Division of Strategic Communications 
  • General data and information about employee benefits published by the Benefits Office 
  • The Academic Catalog published by the Office of the University Registrar

Campus Use Only

Campus Use Only data may be shared with members of the campus community, including smaller subsets of individuals.

Campus Use Only data may not be released to the public. When information is shared with subsets of individuals, sharing permissions may be set by the data originator to restrict access outside of that subset.

Campus Use Only Data Examples

Campus Use Only data and information include, but are not limited to, the following examples. 

  • Non-public contracts 
  • Non-public UA policies and procedures 
  • Training materials for internal UA systems or processes 
  • UA internal memos, emails, reports, and budgets that neither contain nor relate to data or information classified as Sensitive or Controlled Unclassified Information (CUI) 
  • Unpublished research data that neither contain nor relate to data or information classified as Sensitive or Controlled Unclassified Information (CUI) 

Sensitive

Sensitive data are confidential in nature and carry significant risk from unauthorized access, or their uninterrupted availability is critical to UA operations. Access requires prior, explicit authorization and a legitimate need-to-know.

Need help finding sensitive data on your machine or in your mailbox? Spirion is a software package that searches data stored on your machine. With Spirion, UA faculty and staff can proactively find sensitive data on their University-owned machines.

Sensitive Data Examples

Sensitive data and information include, but are not limited to, the following examples.  

  • Biometric measurements and calculations related to a human’s characteristics and features  
  • Data and information used to access other data and information including a username or email address in combination with a password or security question and answer, security code, access code, expiration date or information, or a Personal Identification Number (PIN) that would permit access to an online account that is reasonably likely to contain or is used to obtain restricted information  
  • Government issued identity documents including a Social Security number, U.S. passport, and state-issued driver’s license  
  • Individually identifiable financial data and information  
  • Individually identifiable medical data and information subject to HIPAA and HITECH
  • Student data and information subject to FERPA

Applicable laws, regulations, and industry standards for sensitive data

Applicable laws, regulations, and industry standards include, but are not limited to, the following list.

  • Alabama Data Breach Notification Act of 2018
    • Applies to businesses, government entities, and individuals that collect or maintain the following sensitive personally identifiable information (PII) of Alabama residents.
      • A non-truncated Social Security number or tax identification number. 
      • A non-truncated driver’s license number, state-issued identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify the identity of a specific individual. 
      • A financial account number, including a bank account number, credit card number, or debit card number, in combination with any security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account. 
      • Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional. 
      • An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual. 
      • A username or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information. 
  • Family Educational Rights and Privacy Act (FERPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health (HITECH)
  • Gramm-Leach-Bliley Act (GLB Act or GLBA)
  • Payment Card Industry Data Security Standards (PCI DSS)
  • Federal Information Security Management Act (FISMA)
  • General Data Protection Regulation (GDPR) and other international privacy laws and regulations

Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is information that is created or possessed by the federal government, or created or processed by an entity, such as UA, for or on behalf of the government or its contractors, and that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. UA creates or processes multiple categories of CUI. Additional information about categories and controls is available on the OIT research security page. Access requires prior, explicit authorization and a legitimate need-to-know.

Categories of CUI

| CUI Category | CUI Grouping | Government Department or Agency | UA Contact for Safeguarding or Dissemination Information |
|---|---|---|---|
| Controlled Technical Information (CTI) | Defense | Defense | ORED and OIT RIA |
| Export Controlled (EXPT) | Export Control | State | ORED |
| Criminal History Records Information (CHRI) | Law Enforcement | FBI | UAPD and OIT Security |
| Federal Taxpayer Information (FTI) [1] | Tax | FBI | Student Financial Aid |

[1] Does not include income data entered manually on the Free Application for Federal Student Aid.

University Policy

Visit the UA Policy website to view the Information Classification Policy in its entirety. OIT Security maintains an Information Protection Procedure to support the policy. If you access sensitive or restricted information for your job duties at UA, you should only use University equipment. Personal computers should not be used to access sensitive or restricted information.


Looking for a secure storage solution?

Consider OneDrive or Box to store information in a secure cloud environment! View our document management matrix below to see secure storage options.

Document Management Matrix

| Available Services | Unrestricted Data | Campus Use Only Data | Sensitive Data |
|---|---|---|---|
| Blackboard Learn | Yes | Yes | Yes |
| UA Box | Yes | Yes | Yes |
| UA Email | Yes | Caution | Caution |
| Microsoft Forms | Yes | Caution | Caution |
| OnBase | Yes | Caution | Caution |
| UA OneDrive | Yes | Yes | Yes |
| UA Qualtrics | Yes | Yes | Caution |
| Removable Media (USB, CD, etc.) | Yes | Caution | No |
| UA Shared Network Drive | Yes | Yes | No |
| UA SharePoint | Yes | Caution | No |
| Teams | Yes | Yes | Caution |

For guidance on using Microsoft Forms with sensitive data, click here.

Passwords should always be stored in Keeper.

UA Box Data Classification

Users will need to apply classifications to content in UA Box to ensure that sensitive content is accessed only by appropriate parties.

To apply a classification label to UA Box content, navigate to the item you wish to classify. Select the triple dot menu and select Classify. Choose the desired classification label and select Apply.

Box classification labels apply the following restrictions:

Public/Unrestricted – No restrictions.

Sensitive Information – Can only share with “People in your company (UA)” and invited people. FTP is blocked.

Restricted Information – Can only share with invited people. All external collaboration is blocked, but users can bypass this restriction by entering a business justification. FTP is blocked.

No Collaboration – Blocks all collaboration. FTP is blocked.