Information classification: Confidentiality
Information classification and protection requirements
All members of the University community have a responsibility to protect University information. University information is classified into one of three levels based on its sensitivity: confidential, official use only and public.
Information is typically aggregated in databases, tables, or files for storage. Typically, highly sensitive data elements are aggregated with less sensitive data elements. For example, a student information system will contain a student's directory information as well as their social security number. Consequently, the classification of the most sensitive element in a data collection will determine the data classification of the entire collection.
It is incumbent upon each University department to inventory the University information in its custody, assess its confidentiality/sensitivity, and protect it according to these guidelines.
Confidential information is highly sensitive, and requires strong privacy and security safeguards due to federal or state laws and regulations or University contracts. Confidential information should not be collected or used unless required for business function.
Confidential information is intended for limited, legitimate use to support specific business purposes. The risk of unauthorized access and disclosure is high because of legal, contractual, privacy, or other constraints. Confidential information must be protected when in use and when stored to prevent loss, theft, unauthorized access and/or unauthorized disclosure. Generally, unauthorized access and disclosure could have a serious adverse impact on the privacy of individuals, the business or research functions of the University or affiliates. In most cases, the affected individuals or entities need to be notified of the breach.
Examples of confidential personally identifiable information (PII):
- First name or first initial and last name in combination with any one or more of:
  - Social Security number
  - Driver’s license number
  - Bank account number, or credit or debit card number in combination with any required security code, access code or password that would permit access to a financial account.
- Certain health information (diagnosis, treatment, certain care settings)
- Certain education records (grades, student conduct incidents, academic materials)
- Certain personnel records (salary, disciplinary actions, performance evaluations)
- Certain development records (giving, contact information)
Examples of other confidential information:
- Sensitive proprietary information, or research data that by contract or law, must be treated as confidential
- Information subject to legal, regulatory, contractual or funding agency requirements such as:
  - FERPA (Family Educational Rights and Privacy Act) – privacy of education records
  - HIPAA (Health Insurance Portability and Accountability Act) – medical insurance information privacy and security
  - PCI DSS (Payment Card Industry Data Security Standard) – credit card security
  - GLBA (Gramm-Leach-Bliley Act) – privacy of financial account information
- Other data identified by government law, regulation, contract or court order to be treated as confidential and/or requires notification of affected individuals if inappropriately taken or disclosed
Confidential information must meet the minimum protection requirements of official use only (OUO) information, in addition to the following:
- UDel passwords are highly confidential and should never be used for any cloud/Web-based service, application, or Web site.
- When not stored on a UD IT administered system like PeopleSoft (e.g., departmental systems, cloud hosted applications, or personally owned devices), confidential information—including backups—must be encrypted and protected by strong passwords.
- Confidential information must be encrypted when transmitted over any communication network. It should never be sent in email or other clear-text messages. UD Dropbox is recommended.
- If logging in to a server directly (vs. web access), access must be via a secure connection from the UD Network or UD VPN SSL (encrypted tunnel) if from outside the University network.
- Daily backups of information must be stored in a secure off-site location.
- Access via mobile devices is strongly discouraged.
- Confidential information must not be disclosed to external parties without explicit management authorization.
- Unauthorized disclosure or loss of confidential information must be reported to UD Information Security (email@example.com) or the IT Support Center (firstname.lastname@example.org) to activate the incident response process.
- In addition to immediately removing access when no longer needed, reasonable and prudent precautions must be taken to prevent and/or detect theft, destruction or unauthorized transfers.
- Avoid faxing or printing confidential information. When sent via fax, information must only be sent to recipient numbers that have been confirmed or previously used and have been verified as being in a secured location. Include a cover sheet stating that the fax is “confidential” and to be read only by the named recipient. When printed, label copies as “confidential” and store in a secure location.
- Remote access for technical support should be limited to authenticated, temporary access using secure protocols.
- Audit logs of read and update access should be regularly reviewed.
- Optionally, employees can be asked to sign a confidentiality agreement.
- All digital confidential information should be securely erased and destroyed after use.
OUO information has low to moderate sensitivity due to proprietary, ethical, or privacy considerations, and requires strong privacy and security safeguards. OUO information is information that is intended for internal University business use only, with access restricted to members of the University community and University business partners who have a legitimate purpose and approval for accessing such information.
Unauthorized access and disclosure would create a low to moderate risk of adversely affecting individuals or the University. Unauthorized access, while serious, generally does not require formal incident response or notification of affected individuals.
Examples of OUO information include:
- Moderately sensitive education records
- Departmental business processes and records
- Employment records
- Education, health and business records not considered confidential
- PII that is not highly sensitive
- Employment data
- University partner or sponsor information where no more restrictive confidentiality agreement exists
- Internal telephone books and directories
- Internal operating procedures (e.g., operational manuals)
- Internal documents (e.g., memoranda, reports, emails)
- Technical documents (e.g., system configurations, floor plans)
OUO information must meet the minimum protection requirements of Public information, in addition to the following:
- Information must not be posted on any public website.
- Viewing and modification should be restricted to authorized individuals as needed (least privilege required) for business-related roles.
- Authentication and authorization must be required for access.
- Daily backups are highly encouraged in case of accidental loss of information.
- Access must be immediately removed from any person that no longer requires access as part of their job function.
- Audit logs of changes should be kept.
- Follow OS-specific best practices for system management and security.
- Report the loss of OUO data at the director level. The director will consult with UD Information Security to determine the requirements, if any, for further reporting.
- Information must be stored only in a locked drawer, room or an area where access is controlled, or that otherwise has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by any persons without a need-to-know.
- Must be destroyed when no longer needed subject to the University’s Records Retention Program. Destruction methods:
Public information is information that has a low risk of unauthorized access and disclosure with no legal, regulatory, contractual or funding agency restrictions on access or usage.
While subject to University disclosure rules, public data may be information that is explicitly or implicitly approved for distribution to all members of the University community and to all individuals and entities external to the University community without potential harm to the University, affiliates, or individuals.
Examples of public information include:
- Press releases
- Class schedules
- Course descriptions
- De-identified or aggregated information—to prevent it from ever becoming PII
- Information already publicly available
- Information free from legal, regulatory, contractual or funding agency access restrictions
- Other non-PII aggregated data
Minimum protection requirements for public information
- Modification requires data steward or designee authorization.
- Electronic devices used to store public information should meet minimum security best practices: