The Berkeley Data Classification Standard is a framework for assessing data sensitivity, measured by the adverse business impact a breach of the data would have upon the campus. This standard provides the foundation for establishing protection profile requirements for each class of data.
The Berkeley Data Classification Standard covers Berkeley campus data. Berkeley campus data is information prepared, managed, used, or retained by an operating unit or employee of UC Berkeley relating to the activities or operations of the University. Berkeley campus data does not include individually-owned data, which is defined as an individual’s personal information that is not related to University business.
This classification does not cover the evaluation of data availability requirements. Refer to business continuity plans for guidance regarding data availability requirements.
Data classification does not alter public information access requirements. California Public Records Act or federal Freedom of Information Act requests and other legal obligations may require disclosure or release of information from any category.
Considerations for evaluating potential adverse business impact to the campus due to loss of data confidentiality or integrity include:
- Loss of critical campus operations
- Negative financial impact (money lost, lost opportunities, value of the data)
- Damage to the reputation of the campus
- Potential for regulatory or legal action
- Requirement for corrective actions or repairs
- Violation of University or campus mission, policy, or principles

| Data Class | Adverse Business Impact* | Sample Data (not an exhaustive list) |
|---|---|---|
| | | Data that creates extensive "shared-fate" risk between multiple sensitive systems, e.g., enterprise credential stores, backup data systems, and central system management consoles. |
| | | Data elements with a statutory requirement for notification to affected parties in case of a confidentiality breach: |
| | | Information intended for release only on a need-to-know basis, including personal information not otherwise classified as Level 0, 2 or 3, and data protected or restricted by contract, grant, or other agreement terms and conditions, e.g.,: |
| | Limited or none | Information intended for public access, e.g.,: |

(see also: Data Classification Guideline)
If a data compromise would cause further and extensive data compromise from multiple (even unrelated) sensitive systems, the data creating this "shared-fate" warrants an elevated data protection level.
California State Law S.B. 1386 and other legal statutes, such as the Health Information Portability and Accountability Act (HIPAA), require notification to individuals in the event of a security breach of certain personal information. The Berkeley campus refers to this data as "notice triggering" information:
- Social security number
- Driver's license number, California identification number
- Financial account numbers, credit or debit card numbers, and financial account security codes, access codes, or passwords
- Personal medical information
- Personal health insurance information
Note the following registration and approval requirements applicable to notice-triggering information:
Protection level 1 student records include, but are not limited to:
- Transcripts (grades)
- Exam papers
- Test scores
- Financial aid records
- Loan collection records
- Directory information for students who have requested that information about them not be released as public information
See the Statutory Requirement for Notification section above for the list of protection level 2 data, which also applies to student data. See the Student Directory Data section under Public Directory Information below for the list of protection level 0 student data.
Protection level 1 Academic Personnel Records include, but are not limited to: confidential academic review records, non-confidential academic review records and "personal" information (as defined in Section 160 of the Academic Personnel Manual [PDF]).
Protection level 1 Staff Personnel Records (listed in Section 80 of the Personnel Policies for Staff Members) include, but are not limited to:
- Home telephone number and home address
- Spouse's or other relatives' names
- Birth date
- Income tax withholdings
- Information relating to evaluation of performance
See the Statutory Requirement for Notification section above for the list of protection level 2 data, which also applies to personnel records. See the Public Directory Information section below for lists of protection level 0 academic and staff records.
- Date of hire or separation
- Current position title
- Current rate of pay
- Organizational unit assignment including office address and telephone number
- Full-time, part-time, or other employment status
Staff personnel records designated as "public information" in Section 80 of the Personnel Policies for Staff Members
- Date of hire
- Current position title
- Current salary
- Organizational unit assignment
- Date of separation
- Office address and office telephone number
- Current job description
- Full-time or part-time, and appointment type
Student Directory Data (unless the student has requested that information about them not be released as public information)
- Name of student
- Telephone, e-mail
- Dates of attendance
- Number of course units in which enrolled
- Class level
- Major field of study
- Last school attended
- Degrees and honors received
- Participation in official student activities
- Name/weight/height (intercollegiate athletic team members only)
The Berkeley Data Classification Standard is issued under the authority vested in the UC Berkeley Chief Information Officer by the UC Business and Finance Bulletin IS-3 Electronic Information Security: "All campuses shall establish an Information Security Program (Program) in conformance with the provisions in this bulletin. In order to achieve a secure information technology environment, the campus Program shall comprise a comprehensive set of strategies that include a range of related technical and non-technical measures."
Issue Date: July 16, 2012 (Administrative revision: April 22, 2013)
Effective Date: July 16, 2013
Responsible Executive: Associate Vice Chancellor for Information Technology and Chief Information Officer
Responsible Office: IT Policy Office
Contact: IT Policy Manager, firstname.lastname@example.org