UMB Data Classification Policy
X-99.06(A) | Information Technology | Approved April 13, 2015 | Last Reviewed June 1, 2025
Responsible VP/AVP: Peter J. Murray, PhD, CAS, MS
Applies to: Faculty, Staff
Revision History
Approved April 13, 2015.
Policy Statement
Data and information are important assets of the University and must be protected from loss of integrity, confidentiality, or availability in compliance with University policy and guidelines, Board of Regents policy, and state and federal laws and regulations.
Policy
All University Data must be classified according to the UMB Classification Schema and protected according to UMB Data Security Standards. This policy applies to data in all formats or media.
Data Classification Schema
Data and information assets are classified according to the risks associated with data being stored or processed. Data with the highest risk need the greatest level of protection to prevent compromise; data with lower risk require proportionately less protection. Three levels of data classification will be used to classify University Data based on how the data are used, their sensitivity to unauthorized disclosure, and requirements imposed by external agencies.
Data are typically stored in aggregate form in databases, tables, or files. In most data collections, highly sensitive data elements are not segregated from less sensitive data elements. For example, a student information system will contain a student's directory information as well as their social security number. Consequently, the classification of the most sensitive element in a data collection will determine the data classification of the entire collection.
UMB Data Classifications:
Level 0 – Public - Non-critical data (i.e., public directory information). Data explicitly or implicitly approved for distribution to the public where there is little institutional risk associated with this system due to security.
Level 1 – Internal - Data intended for internal University use. Applications or services that support academic instruction, research data or general communications that do not contain sensitive information. By default, all UMB data not explicitly classified as Public or Confidential will be classified as Internal.
Level 2 – Confidential - Critical data, systems, applications or services related to or supporting the commitment or management of UMB financials, student data, research, and those systems containing sensitive information (i.e. PII, Education Records, Medical Records, Research, Financial Information, Databases, Usernames & Passwords) which if compromised could be used to commit identity theft.