Data Classification Guideline

NOTE:
This is a new version of the Data Classification Guideline. The archived version can be found here: Data Classification Guideline - Archived

-------------------

The UC Berkeley Data Classification Standard is a framework for assessing the adverse impact that loss of confidentiality, integrity or availability of Institutional Information and IT Resources would have upon the Campus. The Minimum Security Standard for Electronic Information (MSSEI) identifies required security protections based on the Data Classification Standard.

The information below is provided as additional guidance on classifying information and IT Resources under the Data Classification Standard.

Steps for determining Protection Level classification

The following steps provide guidance for the considerations necessary to determine data classification Protection Level. This table addresses the most common questions the Information Security Office (ISO) receives about Protection Level classification; it does not cover all circumstances. For additional assistance determining Protection Level, please contact the ISO at security@berkeley.edu.

Step 1

Identify the specific data elements you’re working with.

Check the Protection Levels table. If you can find them there, use the classifications from the table, and you’re done! Otherwise, continue to Step 2.

Step 2

Are you working with any of the following?

  • research data involving a data use agreement (DUA)
  • confidentiality or nondisclosure agreements with security clauses
  • HIPAA data 
  • federal Controlled Unclassified Information (CUI)

If not, continue to Step 3.

If so, please contact the Information Security Office (ISO) at security@berkeley.edu.

If you are a researcher, please contact Research IT at research-it@berkeley.edu.

Step 3

Does the data include any of the following?

  1. Social Security numbers (SSN)
  2. driver's license, passport, or other government issued ID numbers
  3. financial account numbers
  4. personal medical information
  5. personal health insurance information
  6. credit card numbers
  7. passwords, PINs, passphrases, or security questions and answers
  8. individually identifiable human subject research data containing P4 data elements, or that the Institutional Review Board (IRB) has determined is high risk
  9. human genomic data subject to GDPR or HIPAA (regardless of de-identification status)
  10. biometric data used for authentication purposes, including facial recognition

If not, continue to Step 4.

If so, it’s P4.

Additional Considerations:

  1. Notice-Triggering data components

Individual components of Notice-Triggering Information (other than name) merit Protection Level 4 (P4) classification, regardless of the actual data breach notification requirement. For example, breach notification law requires notice if Social Security number (SSN) AND name are breached. However, UC Berkeley treats SSNs as P4 even if name is not included. Please contact the ISO at security@berkeley.edu if you have questions about this practice. 

  1. Partial SSNs

Partial SSNs in certain contexts are considered Notice-Triggering Information. If you are using partial SSNs, please contact the ISO at security@berkeley.edu to help determine the protection level of your data.

    3. Passwords, PINs, passphrases, and security questions and answers

When properly encrypted or hashed, these elements are not considered P4 data. However, the encryption keys are classified as P4. Systems that manage credentials that provide access to P4 data or resources, and encryption keys, are also P4.

Step 4

Are you dealing with industrial control systems affecting life and safety?

If not, continue to Step 5.

If so, it’s P4.

Step 5

Does the data include personal information of European Union (EU) or European Economic Area (EEA) residents?

If not, continue to Step 6.

If so, the European Union General Data Protection Regulation (GDPR) probably applies. 

Assuming the GDPR applies, does the information fall into any of the special categories of personal data outlined in Article 9 of the GDPR? 

  1. If so, it’s P4
  2. If not, it’s P3

For questions regarding the GDPR, contact the Campus Privacy Office.

Step 6

Does the data include student information protected by FERPA?

If not, continue to Step 7.

If so, it’s probably P3. 

The exception would be Public Directory Information for students who have NOT requested a FERPA block. This would be P2. However, directory information for students who have exercised their right under FERPA to request that information about them not be released as public information is still classified as P3.

Step 7

Does the data include staff and academic Personnel Records (including Employee ID)?

If not, continue to Step 8.

If so, it’s probably P3. 

The exception would be Public Directory Information for faculty and staff. This would be P2.

Step 8

Does the data include individually identifiable human subject research data that contains no P4 data elements and the IRB has not determined is high risk?

If not, continue to Step 9.

If so, it’s probably P3. This includes human genomic data if standard identifiers are not removed; or if the data can be re-identified using publicly available data.

If you're not sure about the risk level, contact the Institutional Review Board (IRB) for assistance.

Step 9

Does the data involve de-identified human subject research or de-identified human genomic data?

If not, continue to Step 10.

If yes,

  1. Is the data entirely de-identified or anonymized, with a negligible re-identification risk, and no Notice-Triggering data elements? De-identified human genomic data must also not be able to be re-identified using publically available data. If so, it's probably P2.

  2. If it is not clear whether the data is fully de-identified/anonymized, consult with the Campus Privacy Office.

Step 10

Is the data public (no sharing restriction)?

If you don’t know, continue to Step 11.

If it’s public, it’s probably P1 unless unauthorized modification of the data would be an issue. Departmental websites are a good example of this: The information is public, but the accuracy (integrity) of the information is important. In situations like this, the need for data integrity drives the Protection Level. 

  1. P1: Public data, and unauthorized modification has a minimal impact
  2. P2: Public data, and unauthorized modification has a low impact
  3. P3: Public data, and unauthorized modification has a moderate impact
  4. P4: Public data, and unauthorized modification has a high impact

Step 11

Are you are still uncertain of the classification?

If the Protection Level is still not clear after completing steps 1-10 and consulting the Protection Levels table, please contact security@berkeley.edu for assistance.

Steps for determining Availability Level classification

The following steps provide guidance for the considerations necessary to determine Availability Level classification.

Step 1

Identify the specific IT Resources and/or data you’re working with.

Check the Availability Levels table. If you can find them there, use the classifications from the table, and you’re done! 

  1. For the Availability Level of Campus services not listed in the table, contact the IT Resource Proprietor of the specific service. 
  2. If neither of the above apply, continue to Step 2.

Step 2

  1. Are the resources/data Critical IT Infrastructure?

-or-

  1. Do the resources/data support life/safety?

If not, continue to Step 3.

If so, it’s A4.

Step 3

Are there contractual service level agreements (SLAs) or regulations requiring high availability of the resource/data?

For example, the following all have varying requirements to be up and running:

  • The emergency 911 system
  • The Campus data center
  • Campus power generation

If not, continue to Step 4.

If so, it’s probably A4.

Step 4

Consider the impact and implications if the resource/data became unavailable. For example, if the data were lost or destroyed, what would be the impact? If there were loss of use or loss of access, what would be the impact? Could you/Campus live without it?

If you don’t know, continue to Step 5.

  • Would there be a risk of harm to individuals? 
  • Would there be a business impact to the Campus, a Campus Unit, and/or essential services? 
  • Would it cause financial losses? 
  • Would it jeopardize critical research?
  • Would it damage the reputation of the Campus or a Campus Unit?

If you answered yes to any of the above, would the impact be:

  1. High? If so, then it’s A4.
  2. Moderate? If so, then it’s A3.
  3. Low? If so, then it’s A2.
  4. Minimal or none? If so, then it’s A1.

Step 5

Are you are still uncertain of the classification?

If the Availability Level is still not clear after completing steps 1-4 and consulting the Availability Levels table, please contact the IT Resource Proprietor or Institutional Information Proprietor for assistance. If it’s not clear who this would be, talk to your Department Head.