Institutional Data Classification
USU’s data classification system organizes data into three tiers based on the potential adverse impact of unauthorized access, use, or alteration. This system helps us manage risks associated with different types of institutional data and supports critical processes like information management, vendor oversight, and incident response. Each level—from low to high risk—considers potential impacts on individuals and the university, as well as legal, regulatory, and contractual requirements. Understanding this classification ensures we protect sensitive information while upholding compliance and supporting USU’s data privacy efforts.
General Guidelines
When a data element falls into more than one category, it should be classified in the highest applicable risk category.
Ex: if a data element meets the definition for both Moderate Risk and High-Risk data, it should be classified as High Risk.
When a data set includes more than one data element, the data set should be classified based on the highest applicable risk category.
Ex: if a database contains both Low Risk and Moderate Risk data, the database should be classified as Moderate Risk.
Low-Risk Data
Data is classified as Low Risk if either of the following conditions apply:
- The data is generally available to the public, or
- The unauthorized use, access, or alteration of the data would not have an adverse impact on the University or an individual community member.
Moderate-Risk Data
Data is classified as Moderate Risk if any of the following conditions apply:
- The data is governed by laws or regulations that restrict the use or disclosure of such data, or
- The data is subject to contractual restrictions that restrict the use or disclosure of such data, or
- The unauthorized use, access, or alteration of the data could have an adverse impact on USU or an individual community member.
High-Risk Data
Data is classified as High Risk if either of the following conditions apply:
- The data is governed by laws or regulations that require USU to report to the government and/or provide notice to individuals if the data is breached, or
- The unauthorized use, access, or alteration of the data could have a significant adverse impact on USU or an individual community member.
Adverse Impact
- With respect to an individual: If the security or privacy of the data pertaining to that individual is compromised, it means that there's a higher likelihood of negative consequences or harm occurring due to this compromise. In simpler terms, the individual's personal data has been put at risk, and there's an increased probability that they might face negative outcomes because of this breach or exposure.
- With respect to USU: If the data breach or compromise affects the University as an institution, the "adverse impact" refers to an increased risk in various domains:
  - Financial: Potential financial losses or expenses due to the breach.
  - Legal: Possible legal consequences or liabilities.
  - Operational: Disruptions or inefficiencies in the university's operations or services.
  - Reputational: Damage to the university's public image or standing.
Depending on the nature of the research and the type of data involved, there can be stringent requirements on how this data should be managed. These requirements can come from:
- The research sponsor.
- The U.S. federal government.
- Foreign governments, for example, the General Data Protection Regulation (GDPR) from the European Union, which has rules about data privacy.
Given these potential complexities, the person responsible for the data (the data owner) is advised to consult with either:
- Research Integrity & Compliance Office
- Office of Sponsored Programs, or
- The Institutional Review Board, especially if the research involves human subjects.
For more detailed information on the proper ownership, sharing, and retention of Research Data at USU, please review Policy 4107: Research Data.
System Criticality Classification
When a system falls into more than one category, it should be classified in the highest applicable criticality category.
Ex: if an application meets the definition for both Moderate Criticality and High Criticality, it should be classified as High Criticality.
When a system includes more than one resource, the system should be classified based on the highest applicable criticality category.
Ex: if a system includes both Low Criticality and Moderate Criticality applications, it should be classified as a Moderate Criticality system.
Low Criticality
A system is classified as Low Criticality when it meets the following criteria:
- Stores, transmits, or provides access to Low-Risk Data only.
Moderate Criticality
A system is classified as Moderate Criticality when it meets either of the following criteria:
- Stores, transmits, or provides access to Moderate-Risk Data
- Loss of access could have a significant impact on a large number of users or multiple business units and the overall institutional risk from downtime is moderate.
Moderate-Risk Data should only be stored in:
- USU Box.com system
- USU OneDrive system
- other reviewed and approved SaaS locations
Moderate-Risk Data can be stored on local devices (not on network or shared drives) only if the device is configured to USU device management standards.
High Criticality
A system is classified as High Criticality when it meets either of the following criteria:
- Stores, transmits, or provides access to High-Risk Data
- Loss of access could have a significant impact on USU as a whole (and the overall institutional risk from downtime is high).
High-Risk Data should only be stored in:
- USU Box.com system
- other reviewed and approved SaaS locations
Personal Health Information (PHI) should only be stored in:
- USU Box Shield system
- other reviewed and approved SaaS locations
Appendix A: Special Data Types
- Credit Card numbers and other cardholder information are subject to specific industry standards and additional controls and, thus, must be handled appropriately. See USU’s Payment Card Industry Compliance website.
- Other data covered by Export Controls are subject to additional rules on distribution, in particular sharing with non-U.S. persons. See USU’s Export Compliance information.
- FERPA refers to the Family Educational Rights and Privacy Act of 1974 enacted, among other purposes, to protect the privacy of students' education records. The “education records” are defined as any record maintained by Utah State University that is directly related to the student. An educational record does not include:
  - a personal record kept by a staff member, if it is kept in the sole possession of the maker of the record and is not accessible to or revealed to any other person, except a temporary substitute for the maker of the record;
  - records created and maintained by the Utah State University Police Department for law enforcement purposes;
  - an employment record of an individual whose employment is not contingent on the fact that he or she is a student, provided the record is used only in relation to the individual’s employment;
  - records made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional, if the records are used only for treatment of a student and made available only to those persons providing the treatment;
  - alumni records which contain information about a student after he or she is no longer in attendance at the University and which do not relate to the person as a student.
- GDPR refers to The EU General Data Protection Regulation (Regulation (EU) 2016/679). See USU’s GDPR Guidelines.
- Personal Data (GDPR) – This includes any information relating to an identified or identifiable natural (i.e., living) person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number (e.g., tax ID, USU’s A number), location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of such natural person.
- Sensitive Personal Data (GDPR) – This means the following categories of Personal Data that are subject to heightened protection under GDPR:
  - revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership;
  - relating to the inherited or acquired genetic characteristics of a natural person which gives unique information about the physiology or health of such person and which results, in particular, from an analysis of a biological sample from the person in question ("Genetic Data");
  - resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allows or confirms the unique identification of such person, such as facial images or fingerprint data ("Biometric Data");
  - relating to the physical or mental health of a natural person (including the provision of health care services) which reveals information about such person's health status;
  - concerning a natural person's sex life or sexual orientation;
  - consisting of or revealing identification numbers or other information specially protected by Applicable Data Protection Requirements (e.g., national identification numbers);
  - relating to criminal convictions and offences.
- GLBA refers to the Gramm-Leach-Bliley Act, a short form for the Financial Modernization Act of 1999, an act of Congress. Its main purpose is to promote financial integration and develop a regulatory framework for financial institutions that deal with non-public financial information, such as financial aid, Bursar activities, faculty housing finances, and donations to the university. This financial information can be provided by the consumer, initiated by USU, or received from another financial institution. See USU’s GLBA Information Security Program.
- HIPAA refers to the Health Insurance Portability and Accountability Act, complex legislation and various Rules signed into law in 1996 and updated over the years, requiring the safeguarding of individually identifiable healthcare information, especially for privacy and security. EPHI is Electronic Protected Health Information that USU creates, receives, maintains, and/or transmits electronically. It can exist outside a computer, such as on clinical equipment, storage media, tapes, DVDs, and many other peripheral devices. See USU’s HIPAA Compliance Website.