NOTE:
This is an old, archived version of the UC Berkeley Data Classification Standard. The current version is available at https://security.berkeley.edu/data-classification-standard
Summary
The Berkeley Data Classification Standard is a framework for assessing data sensitivity, measured by the adverse business impact a breach of the data would have upon the campus. This standard provides the foundation for establishing protection profile requirements for each class of data.
Scope
The Berkeley Data Classification Standard covers Berkeley campus data. Berkeley campus data is information prepared, managed, used, or retained by an operating unit or employee of UC Berkeley relating to the activities or operations of the University. Berkeley campus data does not include individually-owned data, which is defined as an individual’s personal information that is not related to University business.
This classification does not cover the evaluation of data availability requirements. Refer to business continuity plans for guidance regarding data availability requirements.
Data classification does not alter public information access requirements. California Public Records Act or federal Freedom of Information Act requests and other legal obligations may require disclosure or release of information from any category.
Business Impact
Considerations for evaluating potential adverse business impact to the campus due to loss of data confidentiality or integrity include:
- Loss of critical campus operations
- Negative financial impact (money lost, lost opportunities, value of the data)
- Damage to the reputation of the campus
- Potential for regulatory or legal action
- Requirement for corrective actions or repairs
- Violation of University or campus mission, policy, or principles
Data Classification Table
Data Class | Adverse Business Impact | Examples (not an exhaustive list). May be updated in response to changes in UC systemwide policy and UC Berkeley campus-level risk decisions. |
---|---|---|
UCB Protection Level 3 | Extreme | Data that creates extensive "shared-fate" risk between multiple sensitive systems, e.g., enterprise credential stores, backup data systems, and central system management consoles. |
UCB Protection Level 2 | High | Data elements with a statutory requirement for notification to affected parties in case of a confidentiality breach: |
UCB Protection Level 1 | Moderate | Information intended for release only on a need-to-know basis, including personal information not otherwise classified as UCB Level 0, 2 or 3, and data protected or restricted by contract, grant, or other agreement terms and conditions, e.g.,: |
UCB Protection Level 0 (UC P1/P2) | Limited or none | Information intended for public access, e.g.,: |
Additional Information
(see also: Data Classification Guideline)
Shared-Fate
If a data compromise would cause further and extensive data compromise from multiple (even unrelated) sensitive systems, the data creating this "shared-fate" warrants an elevated UCB protection level.
Statutory Requirement for Notification
California State Law S.B. 1386 and other legal statutes, such as the Health Information Portability and Accountability Act (HIPAA), require notification to individuals in the event of a security breach of certain personal information. The Berkeley campus refers to this data as "notice triggering" information:
- Social security number
- Driver's license number, California identification number
- Financial account numbers, credit or debit card numbers, and financial account security codes, access codes, or passwords
- Personal medical information
- Personal health insurance information
Note the following registration and approval requirements applicable to notice-triggering information:
- Campus Credit Card Coordinator approval is required to handle credit card transactions.
- Storage, transmission or use of notice-triggering data requires registration in the campus data registry system.
FERPA Student Records
UCB protection level 1 student records include, but are not limited to:
- Transcripts (grades)
- Exam papers
- Test scores
- Evaluations
- Financial aid records
- Loan collection records
- Directory information for students who have requested that information about them not be released as public information
See the Statutory Requirement for Notification section above for the list of UCB protection level 2 data, which also applies to student data. See the Student Directory Data section under Public Directory Information below for the list of UCB protection level 0 student data.
Personnel Records
UCB protection level 1 Academic Personnel Records include, but are not limited to: confidential academic review records, non-confidential academic review records and "personal" information (as defined in Section 160 of the Academic Personnel Manual [PDF]).
UCB protection level 1 Staff Personnel Records (listed in Section 80 of the Personnel Policies for Staff Members) include, but are not limited to:
- Home telephone number and home address
- Spouse's or other relatives' names
- Birth date
- Citizenship
- Income tax withholdings
- Information relating to evaluation of performance
See the Statutory Requirement for Notification section above for the list of UCB protection level 2 data, which also applies to personnel records. See the Public Directory Information section below for lists of UCB protection level 0 academic and staff records.
Public Directory Information
“Non-Personal” Academic Personnel Information as defined by APM-160
- Name
- Date of hire or separation
- Current position title
- Current rate of pay
- Organizational unit assignment including office address and telephone number
- Full-time, part-time, or other employment status
Staff personnel records designated as "public information" in Section 80 of the Personnel Policies for Staff Members
- Name
- Date of hire
- Current position title
- Current salary
- Organizational unit assignment
- Date of separation
- Office address and office telephone number
- Current job description
- Full-time or part-time, and appointment type
Student Directory Data (unless the student has requested that information about them not be released as public information)
- Name of student
- Telephone, e-mail
- Dates of attendance
- Number of course units in which enrolled
- Class level
- Major field of study
- Last school attended
- Degrees and honors received
- Participation in official student activities
- Name/weight/height (intercollegiate athletic team members only)
The Berkeley Data Classification Standard is issued under the authority vested in the UC Berkeley Chief Information Officer by the UC Business and Finance Bulletin IS-3 Electronic Information Security: "All campuses shall establish an Information Security Program (Program) in conformance with the provisions in this bulletin. In order to achieve a secure information technology environment, the campus Program shall comprise a comprehensive set of strategies that include a range of related technical and non-technical measures."
Issue Date: July 16, 2012 (Administrative revision: April 22, 2013)
Effective Date: July 16, 2013
Responsible Executive: Associate Vice Chancellor for Information Technology and Chief Information Officer
Responsible Office: IT Policy Office
Contact: IT Policy Manager, security-policy@berkeley.edu