Research Data Security

University of Kansas School of Social Welfare

Research Data Security: 2019

Data Classifications @ KU

The KU Data Classification & Handling Policy details three levels of data and the security protections required for the handling of data at each level. All KU employees are responsible for classifying and handling data according to the policy. Below is an excerpt from the policy describing three data classification levels:

Level III – Public Information
Protection: Proceed with Awareness
Low requirement for confidentiality (information is public) and/or low or insignificant risk of financial loss, legal liability, public distrust or harm if this data is disclosed.
Examples include: university directory information, as defined by the Student Records Policy; blogs; web pages; course offerings; annual reports

Level II – Sensitive Information
Protection: Be Very Cautious
Moderate requirement for confidentiality and/or moderate or limited risk of financial loss, legal liability or public distrust or harm if this data is disclosed.
Examples include: audit reports; email addresses that are not a public record; other grants and contracts (not included above); competitive business information; system security information such as firewall rules and hardening procedures; security incident information

Level I – Confidential Information
Protection – Stop! Special care is required
High risk of significant financial loss, legal liability, public distrust or harm if this data is disclosed.
Examples include (not an all-inclusive list):
1. Data protected by HIPAA (health information)
2. Data protected by FERPA (student information including grades, exams, rosters, official correspondence, financial aid, scholarship records, etc.)
3. Data protected by GLB (financial information)
4. Data subject to PCI (credit or payment card industry) standards
5. Data subject to other Federal or state confidentiality laws
6. Donor or prospect information
7. Passwords and PINs
8. Personally Identifiable Information (“PII”)
9. Personnel data
10. Individually identifiable information created and collected by research projects
11. Certain research data with National Security implications
12. Data subject to protection pursuant to non-disclosure agreements
13. Audit working papers
14. Data protected by attorney/client privilege
15. Email covering topics listed above

**More on protecting research data can be found in Appendices A-D.

atwoodj | S:\Research\Research Office\7. Data Secuity\Research Data Security FINAL.docx
