UNL data security classifications - examples appendix

This appendix provides specific examples supporting the data security guidelines - definitions document.

  1. Appendix - Public data examples
    Data considered “Public” is not legally protected at any stage of its lifecycle; including creation, sharing or deletion. In most cases it is still advisable to set express expectations around how public data should be used. Creative Commons is one resource that can provide helpful tools to set these expectations. Examples include, but are not limited to:

    • newspapers
    • UNL Data Repository (UNL libraries)
    • directory information
      • Student name, local address, permanent address, telephone listings, year at the University (Fr, So, Jr, Sr, etc.), dates of attendance, academic college and major field of study, enrollment status, (e.g. undergraduate or graduate; full-time or part-time), participation in officially recognized activities and sports, degrees, honors and awards received and most recent educational agency or institution attended for students who have not restricted access to this category of information.

  2. Appendix - Non-public data examples
    We look at non-public data as information that is not legally protected, but that we would like to keep private for a variety of reasons. Non-public data must be free of any formal restrictions in terms of creation, sharing and deletion. Examples include, but are not limited to:

    • NUID if combined with name or any other identifying information
    • employment and training program data
    • most research grant data (excluding Confidential information)
    • work in progress
    • occupational licensing data
    • building code violations data
    • personnel data (excluding Confidential  information)
    • expense reports

  3. Appendix - Confidential data examples
    Confidential data includes information that is legally protected and puts the university at risk if it is not kept secure. This data may not be legally destroyed until all applicable data retention requirements have run out. Examples include, but are not limited to:

    • Social Security Numbers
    • Motor vehicle operator’s  license or state identification card number
    • Personal biometric data (fingerprint, voice print, retina or iris image, or other unique physical representation)
    • Financial account number including credit or debit cards when stored in combination with a PIN or security code
    • Unique electronic identification number or routing code in combination with required security code, access code or password
    • FERPA protected information

  4. Appendix - Matrix
    • Data criticality levels:
      The criticality of data should be considered in addition to the type of data when evaluating systems or services. Three levels of criticality are offered below.

      1. Not Critical
        Necessary to the university but short-term interruption or unavailability is acceptable. This data does not play any role in the scheme of health, security or safety of the university community and is not subject to data retention restrictions.
      2. Critical
        Necessary to administer functions within the university system that need to be performed. Business continuity planning allows the university to continue operations in these areas within a certain period of time until the data and systems can be restored. Critical data may be subject to data retention restrictions.
      3. Extremely critical
        Critical to the safety of the university and must be protected by a vital plan that would allow resumption of operations within a very short timeframe. Data and systems also require restoration of the original facilities to be able to resume business. Extremely critical data is subject to data retention restrictions.

 

LEVEL 1 – Not Critical

LEVEL 2 – Critical

LEVEL 3 – Extremely Critical

LEVEL A – Public

Example: university websites open for public viewing

1A

2A

3A

LEVEL B – Non-Public

Examples: most employee data, most research grants, university financial information

1B

2B

3B

LEVEL C – Confidential

Examples: Social Security numbers, credit card numbers, student IDs, grades, library records, and health-related information

1C

2C

3C