Overview
This article explains how NEOMED classifies University Data, why classification matters, and what responsibilities Data Users, Data Stewards, and others have when handling data.
Why Data Classification Matters
To protect the security, integrity, and availability of University Data, and to comply with applicable state and federal laws and regulations, all University Data must be appropriately classified.
Data classification ensures that:
- Sensitive data is protected from unauthorized access or disclosure
- Legal, regulatory, and contractual obligations are met
- Data is handled using security controls proportional to its risk
- NEOMED’s mission, reputation, operations, and financial well‑being are protected
Improper use or disclosure of University Data can cause serious harm, including identity theft and institutional risk.
Who May Access University Data
Access to non-Public University Data is granted only for legitimate university purposes.
Authorization is based on:
- A person's role and job responsibilities
- Compliance with university policies and procedures
- Applicable legal, regulatory, and contractual requirements
All Users are required to comply with:
- State and federal laws and regulations
- University policies, standards, and procedures
- Contractual and grant-based requirements
University Data Classification Levels (L1–L4)
All University Data is assigned a classification level based on:
- Legal and regulatory requirements
- Sensitivity and criticality
- Operational use
- Risk to individuals and the institution
There are four classification levels, listed below from least to most restrictive.
Public (L1)
Definition
University Data intended for public use with no access or management restrictions.
Key Characteristics
- Approved for public release
- Minimal to no risk if disclosed
- No special security controls required beyond standard protections
Examples
- Public website content
- Published reports and press releases
Internal (L2)
Definition
University Data used to conduct university business that is not intended for public consumption, but could be shared with authorized parties as appropriate.
Key Characteristics
- Default classification for email unless otherwise specified
- Limited access to university personnel and authorized parties
- Loss would not cause significant personal or institutional harm
Examples
- Internal emails
- Routine operational documents
- Non-public meeting notes
Restricted (L3)
Definition
University Data requiring protection due to legal, regulatory, administrative, contractual, ethical, intellectual property, or strategic considerations.
Key Characteristics
- Access limited to individuals with a legitimate need to know
- Unauthorized disclosure could cause moderate harm
- Requires additional security controls beyond Internal data
Examples
- Intellectual property
- Certain research data
- FERPA data
- Contractually restricted information
Highly Restricted (L4)
Definition
University Data requiring the highest level of protection due to stringent legal, regulatory, policy, or contractual requirements.
Key Characteristics
- Extremely sensitive
- Disclosure could cause significant personal or institutional harm (e.g., identity theft)
- Strict access controls and enhanced security measures required
Examples
- Data protected by specific laws or regulations (e.g., GLBA, PCI)
- Highly sensitive personal or clinical information
- Information requiring elevated safeguards by contract
Handling Mixed Data Classifications
If a dataset or system contains multiple classification levels, the entire set must be handled at the most restrictive level present.
Example: If a system includes both Internal (L2) and Restricted (L3) data, it must be managed as Restricted (L3).
Data may also be classified at a more restrictive level than required if additional protection is warranted. In these cases, the higher classification’s minimum security controls must be applied.
Roles and Responsibilities
Data Stewards
- Assign and maintain the appropriate classification for University Data
- Ensure classifications meet legal, regulatory, contractual, and security requirements
- Work with Data Custodians to communicate classifications to affected users
Data Custodians
- Implement and maintain required security controls
- Support secure storage, access, and transmission of data
- Help ensure users understand classification requirements
Data Users
- Handle data in accordance with its classification
- Follow all applicable university policies and legal requirements
- Access data only as authorized for legitimate university purposes
Changing a Data Classification
Requests to modify the classification of University Data elements must:
- Be formally submitted
- Be reviewed and approved by the Data Governance Council or its designee
Unauthorized reclassification is not permitted.
Summary
- All University Data must be classified (L1–L4).
- Higher classifications require stronger security controls.
- Access is role-based and purpose-driven.
- Classification changes require formal approval.
If you are unsure how to classify data or how a classification affects your work, contact your Data Steward or itsecurity@neomed.edu for guidance.