Data Classification Standard - Archived

NOTE: 
This is an old, archived version of the UC Berkeley Data Classification Standard. The current version is available at https://security.berkeley.edu/data-classification-standard

Summary

The Berkeley Data Classification Standard is a framework for assessing data sensitivity, measured by the adverse business impact a breach of the data would have upon the campus. This standard provides the foundation for establishing protection profile requirements for each class of data.


Scope

The Berkeley Data Classification Standard covers Berkeley campus data.  Berkeley campus data is information prepared, managed, used, or retained by an operating unit or employee of UC Berkeley relating to the activities or operations of the University.  Berkeley campus data does not include individually-owned data, which is defined as an individual’s personal information that is not related to University business.

This classification does not cover the evaluation of data availability requirements. Refer to business continuity plans for guidance regarding data availability requirements.

Data classification does not alter public information access requirements. California Public Records Act or federal Freedom of Information Act requests and other legal obligations may require disclosure or release of information from any category.


Business Impact

Considerations for evaluating potential adverse business impact to the campus due to loss of data confidentiality or integrity include:

  • Loss of critical campus operations
  • Negative financial impact (money lost, lost opportunities, value of the data)
  • Damage to the reputation of the campus
  • Potential for regulatory or legal action
  • Requirement for corrective actions or repairs
  • Violation of University or campus mission, policy, or principles


Data Classification Table

Data Class | Adverse Business Impact | Examples (not an exhaustive list; may be updated in response to changes in UC systemwide policy and UC Berkeley campus-level risk decisions)

UCB Protection Level 3
(UC P4)

Extreme

Data that creates extensive "shared-fate" risk between multiple sensitive systems, e.g., enterprise credential stores, backup data systems, and central system management consoles.

UCB Protection Level 2
(UC P4)

High
Data elements with a statutory requirement for notification to affected parties in case of a confidentiality breach:
  • Social security number
  • Driver's license number, California identification number
  • Financial account numbers, credit or debit card numbers and
    financial account security codes, access codes, or passwords
  • Personal medical information
  • Personal health insurance information

UCB Protection Level 1
(UC P2/P3) 

Moderate

Information intended for release only on a need-to-know basis, including personal information not otherwise classified as UCB Level 0, 2 or 3, and data protected or restricted by contract, grant, or other agreement terms and conditions, e.g.,:

  • FERPA student records (including Student ID)
  • Staff and academic personnel records (including Employee ID)
  • Licensed software/software license keys
  • Library paid subscription electronic resources

UCB Protection Level 0
(UC P1/P2)

Limited or none

Information intended for public access, e.g.,:


Additional Information

(see also: Data Classification Guideline)


Shared-Fate

If a data compromise would cause further and extensive data compromise from multiple (even unrelated) sensitive systems, the data creating this "shared-fate" warrants an elevated UCB protection level.


Statutory Requirement for Notification

California State Law S.B. 1386 and other legal statutes, such as the Health Information Portability and Accountability Act (HIPAA), require notification to individuals in the event of a security breach of certain personal information. The Berkeley campus refers to this data as "notice triggering" information:

  • Social security number
  • Driver's license number, California identification number
  • Financial account numbers, credit or debit card numbers, and
    financial account security codes, access codes, or passwords
  • Personal medical information
  • Personal health insurance information

Note the following registration and approval requirements applicable to notice-triggering information:


FERPA Student Records

UCB protection level 1 student records include, but are not limited to:

  • Transcripts (grades)
  • Exam papers
  • Test scores
  • Evaluations
  • Financial aid records
  • Loan collection records
  • Directory information for students who have requested that information about them not be released as public information

See the Statutory Requirement for Notification section above for the list of UCB protection level 2 data, which also applies to student data. See the Student Directory Data section under Public Directory Information below for the list of UCB protection level 0 student data.


Personnel Records

UCB protection level 1 Academic Personnel Records include, but are not limited to: confidential academic review records, non-confidential academic review records and "personal" information (as defined in Section 160 of the Academic Personnel Manual [PDF]).

UCB protection level 1 Staff Personnel Records (listed in Section 80 of the Personnel Policies for Staff Members) include, but are not limited to:

  • Home telephone number and home address
  • Spouse's or other relatives' names
  • Birth date
  • Citizenship
  • Income tax withholdings
  • Information relating to evaluation of performance

See the Statutory Requirement for Notification section above for the list of UCB protection level 2 data, which also applies to personnel records. See the Public Directory Information section below for lists of UCB protection level 0 academic and staff records.


Public Directory Information

“Non-Personal” Academic Personnel Information as defined by APM-160 

  • Name
  • Date of hire or separation
  • Current position title
  • Current rate of pay
  • Organizational unit assignment including office address and
    telephone number
  • Full-time, part-time, or other employment status

Staff personnel records designated as "public information" in Section 80 of the Personnel Policies for Staff Members

  • Name
  • Date of hire
  • Current position title
  • Current salary
  • Organizational unit assignment
  • Date of separation
  • Office address and office telephone number
  • Current job description
  • Full-time or part-time, and appointment type

Student Directory Data (unless the student has requested that information about them not be released as public information)

  • Name of student
  • Telephone, e-mail
  • Dates of attendance
  • Number of course units in which enrolled
  • Class level
  • Major field of study
  • Last school attended
  • Degrees and honors received
  • Participation in official student activities
  • Name/weight/height (intercollegiate athletic team members only)

The Berkeley Data Classification Standard is issued under the authority vested in the UC Berkeley Chief Information Officer by the UC Business and Finance Bulletin IS-3 Electronic Information Security:  "All campuses shall establish an Information Security Program (Program) in conformance with the provisions in this bulletin.  In order to achieve a secure information technology environment, the campus Program shall comprise a comprehensive set of strategies that include a range of related technical and non-technical measures."

Issue Date:    July 16, 2012 (Administrative revision: April 22, 2013)
Effective Date:    July 16, 2013

Responsible Executive:    Associate Vice Chancellor for Information Technology and Chief Information Officer
Responsible Office:    IT Policy Office
Contact:    IT Policy Manager, security-policy@berkeley.edu
