Report any and all issues to the IRB as soon as they happen
Data Classifications @ KU
The KU Data Classification & Handling Policy details three levels of data and the security protections required for the handling of data at each level. All KU employees are responsible for classifying and handling data according to the policy. Below is an excerpt from the policy describing three data classification levels:
Level III – Public Information Protection: Proceed with Awareness
Low requirement for confidentiality (information is public) and/or low or insignificant risk of financial loss, legal liability, public distrust or harm if this data is disclosed. Examples include: university directory information, as defined by the Student Records Policy; blogs; web pages; course offerings; annual reports.
Level II – Sensitive Information Protection: Be Very Cautious
Moderate requirement for confidentiality and/or moderate or limited risk of financial loss, legal liability or public distrust or harm if this data is disclosed. Examples include: audit reports; email addresses that are not a public record; other grants and contracts (not included above); competitive business information; system security information such as firewall rules and hardening procedures; security incident information.
Level I – Confidential Information Protection – Stop! Special care is required
Examples include (not an all-inclusive list):
1. Data protected by HIPAA (health information)
2. Data protected by FERPA (student information including grades, exams, rosters, official correspondence, financial aid, scholarship records, etc.)
3. Data protected by GLB (financial information)
4. Data subject to PCI (credit or payment card industry) standards
5. Data subject to other Federal or state confidentiality laws
6. Donor or prospect information
7. Passwords and PINs
8. Personally Identifiable Information (“PII”)
9. Personnel data
10. Individually identifiable information created and collected by research projects
11. Certain research data with National Security implications
12. Data subject to protection pursuant to non-disclosure agreements
13. Audit working papers
14. Data protected by attorney/client privilege
15. Email covering topics listed above