Data Classification Guideline

NOTE:
This is a new version of the Data Classification Guideline. The archived version can be found here: Data Classification Guideline - Archived

-------------------

The UC Berkeley Data Classification Standard is a framework for assessing the adverse impact that loss of confidentiality, integrity or availability of Institutional Information and IT Resources would have upon the Campus. The Minimum Security Standard for Electronic Information (MSSEI) identifies required security protections based on the Data Classification Standard.

The information below is provided as additional guidance on classifying information and IT Resources under the Data Classification Standard.

Steps for determining Protection Level classification

The following steps provide guidance for the considerations necessary to determine data classification Protection Level. This table addresses the most common questions the Information Security Office (ISO) receives about Protection Level classification; it does not cover all circumstances. For additional assistance determining Protection Level, please contact the ISO at security@berkeley.edu.

Step 1

Identify the specific data elements you’re working with.

Check the Protection Levels table. If you can find them there, use the classifications from the table, and you’re done! Otherwise, continue to Step 2.

Step 2

Are you working with any of the following?

  • research data involving a data use agreement (DUA)
  • confidentiality or nondisclosure agreements with security clauses
  • HIPAA data 
  • federal Controlled Unclassified Information (CUI)

If not, continue to Step 3.

If so, please contact the Information Security Office (ISO) at security@berkeley.edu.

Step 3

Does the data include any of the following?

  1. Social Security numbers (SSN)
  2. driver's license numbers
  3. financial account numbers
  4. personal medical information
  5. personal health insurance information
  6. credit card numbers
  7. passwords, PINs, passphrases, or security questions and answers
  8. individually identifiable human subject research data or genetic information

If not, continue to Step 4.

If so, it’s P4.

Additional Considerations:

  1. Notice-triggering data components

Individual components of notice-triggering information (other than name) merit Protection Level 4 (P4) classification, regardless of the actual data breach notification requirement. For example, breach notification law requires notice if Social Security number (SSN) AND name are breached. However, UC Berkeley treats SSNs as P4 even if name is not included. Please contact the ISO at security@berkeley.edu if you have questions about this practice. 

  1. Partial SSNs

Partial SSNs in certain contexts are considered notice-triggering information. If you are using partial SSNs, please contact the ISO at security@berkeley.edu to help determine the protection level of your data.

Step 4

Are you dealing with industrial control systems affecting life and safety?

If not, continue to Step 5.

If so, it’s P4.

Step 5

Does the data include personal information of European Union (EU) or European Economic Area (EEA) residents?

If not, continue to Step 6.

If so, the European Union General Data Protection Regulation (GDPR) probably applies. 

Assuming the GDPR applies, does the information fall into any of the special categories of personal data outlined in Article 9 of the GDPR? 

  1. If so, it’s P4
  2. If not, it’s P3

For questions regarding the GDPR, contact the Campus Privacy Office.

Step 6

Does the data include student information protected by FERPA?

If no, continue to Step 7.

If so, it’s probably P3. 

The exception would be Public Directory Information for students who have NOT requested a FERPA block. This would be P2. However, directory information for students who have exercised their right under FERPA to request that information about them not be released as public information is still classified as P3.

Step 7

Does the data include staff and academic Personnel Records (including Employee ID)?

If no, continue to Step 8.

If so, it’s probably P3. 

The exception would be Public Directory Information for faculty and staff. This would be P2.

Step 8

Does the data involve de-identified human subject research?

If no, continue to Step 9.

If yes,

  1. Is the data entirely de-identified or anonymized, with a negligible re-identification risk? If so, it’s P2.
  2. If it is not clear whether the data is fully de-identified/anonymized, consult the Institutional Information Proprietor or the data provider for confirmation. For assistance regarding human subject research data, contact the Institutional Review Board (IRB). For questions regarding the GDPR (see Step 5), contact the Campus Privacy Office.

Step 9

Is the data public (no sharing restriction)?

If you don’t know, continue to Step 10.

If it’s public, it’s probably P1 unless unauthorized modification of the data would be an issue. Departmental websites are a good example of this: The information is public, but the accuracy (integrity) of the information is important. In situations like this, the need for data integrity drives the Protection Level. 

  1. P1: Public data, and unauthorized modification has a minimal impact
  2. P2: Public data, and unauthorized modification has a low impact
  3. P3: Public data, and unauthorized modification has a moderate impact
  4. P4: Public data, and unauthorized modification has a high impact

Step 10

Are you are still uncertain of the classification?

If the Protection Level is still not clear after completing steps 1-9 and consulting the Protection Levels table, please contact security@berkeley.edu for assistance.

Steps for determining Availability Level classification

The following steps provide guidance for the considerations necessary to determine Availability Level classification.

Step 1

Identify the specific IT Resources and/or data you’re working with.

Check the Availability Levels table. If you can find them there, use the classifications from the table, and you’re done! 

  1. For the Availability Level of Campus services not listed in the table, contact the IT Resource Proprietor of the specific service. 
  2. If neither of the above apply, continue to Step 2.

Step 2

  1. Are the resources/data Critical IT Infrastructure?

-or-

  1. Do the resources/data support life/safety?

If not, continue to Step 3.

If so, it’s A4.

Step 3

Are there contractual service level agreements (SLAs) or regulations requiring high availability of the resource/data?

For example, the following all have varying requirements to be up and running:

  • The emergency 911 system
  • The Campus data center
  • Campus power generation

If not, continue to Step 4.

If so, it’s probably A4.

Step 4

Consider the impact and implications if the resource/data became unavailable. For example, if the data were lost or destroyed, what would be the impact? If there were loss of use or loss of access, what would be the impact? Could you/Campus live without it?

If you don’t know, continue to Step 5.

  • Would there be a risk of harm to individuals? 
  • Would there be a business impact to the Campus, a Campus Unit, and/or essential services? 
  • Would it cause financial losses? 
  • Would it jeopardize critical research?
  • Would it damage the reputation of the Campus or a Campus Unit?

If you answered yes to any of the above, would the impact be:

  1. High? If so, then it’s A4.
  2. Moderate? If so, then it’s A3.
  3. Low? If so, then it’s A2.
  4. Minimal or none? If so, then it’s A1.

Step 5

Are you are still uncertain of the classification?

If the Availability Level is still not clear after completing steps 1-4 and consulting the Availability Levels table, please contact the IT Resource Proprietor or Institutional Information Proprietor for assistance. If it’s not clear who this would be, talk to your Department Head.