Data Classification Standard

The following Berkeley Data Classification Standard is issued under the authority vested in the UC Berkeley Chief Information Officer by the UC Business and Finance Bulletin IS-3 Electronic Information Security:  "All campuses shall establish an Information Security Program (Program) in conformance with the provisions in this bulletin.  In order to achieve a secure information technology environment, the campus Program shall comprise a comprehensive set of strategies that include a range of related technical and non-technical measures."

Issue Date:    July 16, 2012 (Administrative revision: April 22, 2013)
Effective Date:    July 16, 2013

Responsible Executive:    Associate Vice Chancellor for Information Technology and Chief Information Officer
Responsible Office:    IT Policy Office
Contact:    IT Policy Manager, itpolicy@berkeley.edu

[Data Classification 2 page pdf diagram]

Purpose

The Berkeley Data Classification Standard is a framework for assessing data sensitivity, measured by the adverse business impact a breach of the data would have upon the campus. This standard provides the foundation for establishing protection profile requirements for each class of data.


Contact Information

For assistance with this standard, contact: itpolicy@berkeley.edu.


Scope

The Berkeley Data Classification Standard covers Berkeley campus data.  Berkeley campus data is information prepared, managed, used, or retained by an operating unit or employee of UC Berkeley relating to the activities or operations of the University.  Berkeley campus data does not include individually-owned data, which is defined as an individual’s personal information that is not related to University business.

This classification does not cover evaluation of data availability requirements. Refer to business continuity plans for guidance regarding data availability requirements.

Data classification does not alter public information access requirements. California Public Records Act or federal Freedom of Information Act requests and other legal obligations may require disclosure or release of information from any category.


Business Impact

Considerations for evaluating potential adverse business impact to the campus due to loss of data confidentiality or integrity include:

  • Loss of critical campus operations
  • Negative financial impact (money lost, lost opportunities, value of the data)
  • Damage to the reputation of the campus
  • Potential for regulatory or legal action
  • Requirement for corrective actions or repairs
  • Violation of University or campus mission, policy, or principles


Data Classification Table

Data Class: Protection Level 3
Adverse Business Impact*: Extreme
Sample Data (not an exhaustive list):

Data that creates extensive "shared-fate" risk between multiple sensitive systems, e.g., enterprise credential stores, backup data systems, and central system management consoles.

Data Class: Protection Level 2
Adverse Business Impact*: High
Sample Data (not an exhaustive list):

Data elements with a statutory requirement for notification to affected parties in case of a confidentiality breach:

  • Social security number
  • Driver's license number, California identification number
  • Financial account numbers, credit or debit card numbers and
    financial account security codes, access codes, or passwords
  • Personal medical information
  • Personal health insurance information

Data Class: Protection Level 1
Adverse Business Impact*: Moderate
Sample Data (not an exhaustive list):

Information intended for release only on a need-to-know basis, including personal information not otherwise classified as Level 0, 2 or 3, and data protected or restricted by contract, grant, or other agreement terms and conditions, e.g.,:

  • FERPA student records (including Student ID)
  • Staff and academic personnel records (including Employee ID)
  • Licensed software/software license keys
  • Library paid subscription electronic resources

Data Class: Protection Level 0
Adverse Business Impact*: Limited or none
Sample Data (not an exhaustive list):

Information intended for public access, e.g.,:


Additional Information

(see also: Data Classification Guideline)


Shared-Fate

If a data compromise would cause further and extensive data compromise from multiple (even unrelated) sensitive systems, the data creating this "shared-fate" warrants an elevated data protection level.


Statutory Requirement for Notification

California State Law S.B. 1386 and other legal statutes, such as the Health Information Portability and Accountability Act (HIPAA), require notification to individuals in the event of a security breach of certain personal information. The Berkeley campus refers to this data as "notice triggering" information:

  • Social security number
  • Driver's license number, California identification number
  • Financial account numbers, credit or debit card numbers, and
    financial account security codes, access codes, or passwords
  • Personal medical information
  • Personal health insurance information

Note the following registration and approval requirements applicable to notice-triggering information:


FERPA Student Records

Protection level 1 student records include, but are not limited to:

  • Transcripts (grades)
  • Exam papers
  • Test scores
  • Evaluations
  • Financial aid records
  • Loan collection records
  • Directory information for students who have requested that information about them not be released as public information

See the Statutory Requirement for Notification section above for the list of protection level 2 data, which also applies to student data. See the Student Directory Data section under Public Directory Information below for the list of protection level 0 student data.


Personnel Records

Protection level 1 Academic Personnel Records include, but are not limited to: confidential academic review records, non-confidential academic review records and "personal" information (as defined in Section 160 of the Academic Personnel Manual [PDF]).

Protection level 1 Staff Personnel Records (listed in Section 80 of the Personnel Policies for Staff Members) include, but are not limited to:

  • Home telephone number and home address
  • Spouse's or other relatives' names
  • Birth date
  • Citizenship
  • Income tax withholdings
  • Information relating to evaluation of performance

See the Statutory Requirement for Notification section above for the list of protection level 2 data, which also applies to personnel records. See the Public Directory Information section below for lists of protection level 0 academic and staff records.


Public Directory Information

“Non-Personal” Academic Personnel Information as defined by APM-160 

  • Name
  • Date of hire or separation
  • Current position title
  • Current rate of pay
  • Organizational unit assignment including office address and telephone number
  • Full-time, part-time, or other employment status

Staff personnel records designated as "public information" in Section 80 of the Personnel Policies for Staff Members

  • Name
  • Date of hire
  • Current position title
  • Current salary
  • Organizational unit assignment
  • Date of separation
  • Office address and office telephone number
  • Current job description
  • Full-time or part-time, and appointment type

Student Directory Data (unless the student has requested that information about them not be released as public information)

  • Name of student
  • Telephone, e-mail
  • Dates of attendance
  • Number of course units in which enrolled
  • Class level
  • Major field of study
  • Last school attended
  • Degrees and honors received
  • Participation in official student activities
  • Name/weight/height (intercollegiate athletic team members only)