Data Classification Policy

Scope

This policy covers all data produced, collected or used by Loyola University Chicago, its employees, student workers, consultants or agents while conducting University business.

Purpose

The purpose of this policy is to identify the different types of data, to provide guidelines and examples for each type of data, and to establish the default classification for data.

Policy

Data Classification Types

All data covered by the Scope of this policy will be classified as Loyola Protected data, Loyola Sensitive data, or Loyola Public data.

Loyola Protected data

Loyola Protected data is any data that contains personally identifiable information concerning any individual and is regulated by local, state, or Federal privacy regulations, or by any voluntary industry standards or best practices concerning protection of personally identifiable information that Loyola chooses to follow.

These regulations may include, but are not limited to:

  • Family Educational Rights and Privacy Act (FERPA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Illinois Personal Information Protection Act (IPIPA)
  • Payment Card Industry Data Security Standards (PCI-DSS)
  • Federal Tax Information (FTI)
  • Controlled Unclassified Information (CUI)
  • General Data Protection Regulation (GDPR)

Examples of some of the types of data that are regulated are listed in the appendix.

Loyola Sensitive data

Loyola Sensitive data is any data that is not classified as Loyola Protected data but that Loyola would not distribute to the general public. This classification is made by the department originating the data. Examples of the types of data included are: budgets, salary and raise information, LOCUS ID, LAWSON ID and possible properties for Loyola to purchase.

Loyola Public data

Loyola Public data is any data that Loyola is comfortable distributing to the general public. For department-specific data, this classification comes from the department. If data is created jointly by more than one department, the involved departments should jointly classify the data. If they are unable to come to a consensus, then the data must be classified as Loyola Sensitive Data. For University-wide data, this classification can only come from the Office of the President, the Office of Registration and Records, the Division of Academic Affairs, or Institutional Research. Examples of the types of data included are: department faculty lists, department addresses, press releases, and the Loyola web site. Any Loyola data that does not contain personally identifiable information concerning any individual, and that is not Loyola Protected data or Loyola Sensitive data, must be classified as Loyola Public data.

Default classification of data

Any data that contains personally identifiable information concerning any individual or that is covered by local, state, or Federal regulations, or by any voluntary industry standards concerning protection of personally identifiable information that Loyola chooses to follow, is automatically classified as Loyola Protected Data. All other data is classified as Loyola Sensitive Data by default. Online resources will be available to assist individuals in properly classifying data.

Questions about this policy

If you have questions about this policy, please contact the Information Security team at DataSecurity@luc.edu.

Appendix

Loyola Protected Data

Listed below are examples of types of personally identifiable information that are generally protected by local, state, or Federal privacy regulations. These examples are not an exhaustive list of all possible types of information that are protected by local, state, or Federal privacy regulations.

Examples

  • Social security numbers
  • Credit card and debit card numbers
  • Bank account numbers and routing information
  • Driver’s license numbers and state identification card numbers
  • Student education records
  • Bursar's Office: Student account files and Perkins loan information
  • Departments and Colleges: Academic advising records, admission files, including ACT, SAT and TOEFL scores, and high school and college transcripts and other scholastic records
  • Financial Assistance: Federal Tax Information, financial assistance application files, student federal work-study information, scholarships and Stafford loan information
  • Intercollegiate Athletics: Injury reports, scholarship contacts, performance records, height and weight information
  • Registration and Records: Permanent record of academic performance (grades, transcript, including supporting documents), course schedules
  • Residence Life: Residential life and housing services files
  • Student Life: Student activity files, student disciplinary files, multi-cultural programs and services files, and intramural sports files
  • Student Services: Career planning files, including placement information and employers' files, international programs and services files
  • Undergraduate Admission and other admission offices: Admission files on prospective students
  • University Library: Circulation records
  • Personal health records
  • Patient information: Any information classified under the 18 HIPAA identifiers, including but not limited to: addresses, dates, telephone/fax numbers, social security numbers, medical record numbers, patient account numbers, insurance plan numbers, vehicle information, license numbers, medical equipment numbers, photographs, fingerprints, e-mail and Internet addresses
  • Note: Personal health records stored in education records are subject to FERPA and are excluded from HIPAA.

Additional Information about referenced regulations

FERPA

FERPA is a Federal law that protects the privacy of student education records. This law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA provides students with the right to inspect and review certain education records maintained by the school and to request corrections if the records are inaccurate or misleading. It requires that schools obtain written permission before releasing information from a student’s education record. It also allows schools to publish certain “directory” information about students, unless the student has requested that the school not do so.

  • Directory Information upon student request
    • Name
    • Address(es) and telephone number
    • University e-mail address
    • Photograph
    • Major and minor field(s) of study, including the college, division, department, institute or program in which the student is enrolled
    • Dates of attendance
    • Grade level (such as freshman, sophomore, junior, senior or graduate level)
    • Enrollment status (undergraduate or graduate, full-time or part-time)
    • Date of graduation
    • Degree(s) received
    • Honors or awards received, including selection to a dean's list or honorary organization
    • Participation in officially recognized activities or sports
    • Weight and height of members of athletic teams

The penalty for failing to comply with FERPA may result in the loss of all federal funding, including grants and financial aid.

Additional information can be found at and at .

GLBA

GLBA protects consumers’ personal financial information held by financial institutions. It requires that financial institutions provide customers with a privacy notice explaining what information is collected, how it is used, and how it is protected.

The penalty for failing to comply with GLBA is a fine of up to $100,000 for the institution and of up to $10,000 for the officers and directors of the institution.

Additional information can be found at: .

HIPAA

HIPAA protects the privacy of Protected Health Information (PHI). It establishes regulations for the use and disclosure of PHI, including a patient’s health status, provision of health care, medical records or payment history.

Penalties for wrongfully disclosing PHI range from a $50,000 to a $250,000 fine and from a one-year to a ten-year prison term, depending on the circumstances. These fines are for the individual, not the institution. Additional information can be found at .

Illinois Personal Information Protection Act

This law protects the personal information of Illinois residents. It requires that an institution which houses social security numbers, driver’s license numbers, state ID numbers, bank account numbers and/or credit card numbers provide consumers with notice of any security breaches that compromise that information.

A violation of this act is a violation of the Illinois Consumer Fraud and Deceptive Practices Act and could result in civil money penalties.

Additional information can be found at: .

Payment Card Industry Data Security Standards (PCI-DSS)

PCI DSS is an industry standard that protects credit card customer account data. It requires that specific control objectives be met by any organization that accepts credit cards for payment. These control objectives include secure network, server, and desktop standards, as well as procedures to ensure that credit card data is properly protected during the transaction.

Failing to comply with PCI DSS can result in significant fines. Credit card providers can fine merchants up to $500,000 per compromise when the merchant was not compliant at the time of the compromise. Merchants may also be banned from accepting certain types of credit cards. Additional information can be found at .

Federal Tax Information (FTI)

Safeguarding FTI is critically important to continuously protect taxpayer confidentiality as required by IRC § 6103. FTI consists of federal tax returns and return information (and information derived from it) that is in the agency’s possession or control, that is covered by the confidentiality protections of the IRC, and that is subject to the IRC § 6103(p)(4) safeguarding requirements, including IRS oversight. FTI is categorized as Sensitive But Unclassified (SBU) information and may contain personally identifiable information (PII).

According to the IRS, "It shall be unlawful for any  to whom any return or return information (as defined in ) is disclosed in a manner unauthorized by this title thereafter willfully to print or publish in any manner not provided by law any such return or return information. Any violation of this paragraph shall be a felony punishable by a fine in any amount not exceeding $5,000, or imprisonment of not more than 5 years, or both, together with the costs of prosecution."

General Data Protection Regulation (GDPR)

The EU’s General Data Protection Regulation (GDPR) defines personal data as any information that can identify a natural person, directly or indirectly, by reference to an identifier that includes any of the following:

  • First name, last name/surname, maiden name
  • Email address
  • Home address (street, zip, postal code, city)
  • Phone number
  • Photo
  • Date of birth
  • Bank account number
  • Credit card number
  • National Identification Number, (Social) Insurance Number, Social Security Number
  • Taxpayer Identification Number, Tax File Number, Permanent Account Number
  • Passport number, national ID number, driver's license number
  • Vehicle registration plate number
  • Employee number
  • IP address
  • Cookie ID
  • Location data
  • Handwriting
  • Login
  • Password
  • Social media profile IDs/links
  • Mobile device IDs
  • Employment history, job title
  • Education history
  • Special Personal Data
    • Sex/Gender
    • Race/Ethnicity
    • Place/city/country of birth
    • Spouse name
    • Health details
    • Medical records

Any personal data that is collected from individuals in European Economic Area (EEA) countries is subject to GDPR. Additional information can be found at: /gdpr/ .

Additional US State Laws

If you work for Loyola inside the United States but outside of Illinois, please send an email containing the state in which you work to DataSecurity@luc.edu. The Information Security team will respond to you with any data privacy laws that also apply to you.

History

  • March 4, 2008: V 1.0, Initial Policy
  • June 22, 2015: V 1.0, Annual Review for PCI Compliance
  • April 15, 2016: V 1.1, Updated examples and directory information statement, Annual Review for PCI Compliance
  • June 5, 2016: V 1.1, Annual Review for PCI Compliance
  • July 20, 2017: V 1.2, Updated HIPAA information, Annual Review for PCI Compliance
  • June 7, 2018: V 1.3, Added GDPR statement, Annual Review for PCI Compliance
  • June 13, 2019: V 1.4, Modification of GDPR section, Annual Review for PCI Compliance
  • July 8, 2019: V 1.4, Annual Review for PCI Compliance
  • May 28, 2020: V 1.4, Annual Review for PCI Compliance
  • February 20, 2024: V 1.5, Added FTI information
  • January 24, 2025: Broken links fixed