As a faculty or staff member at the University of Maryland, you likely have heard about the data classification levels. This is something that is spoken about most commonly when someone is dealing with sensitive data, such as a Social Security Number. These data classification levels are also relevant to what systems are being used, such as Google Drive or Box. If you aren’t familiar with the data classification standard here at UMD, then this article is for you.
Let's break things down…
We use data classification levels to assess the potential risk of harm to an individual, groups, projects, or the university if the data/system were subject to unauthorized access, use, alteration, or disclosure. Harm refers to psychological, reputational, financial, personal safety, legal consequences for individuals and/or the university.
We have 4 levels of risk defined, sorted from highest to lowest:
🔴 Level 4 Data (Restricted)
- Level 4 data is protected by laws, regulations, or contracts.
- The unauthorized access or use of this data will have significant legal consequences.
- If you are working with level 4 data, you WILL know. This data comes with very strict requirements for handling and securing it.
🟠 Level 3 Data (High Risk)
- The unauthorized access or use of this data is likely to have significant adverse effects for individuals, groups, or the university.
- You can think of this information as the kind that you don’t want publicly accessible. If this data was to be made public, it is likely that it could harm you. Some examples of this would be your Social Security Number, notes from your therapy sessions, or your financial information–if these became public, it is likely that you will face adverse effects whether that is psychologically, socially, or legally.
🟡 Level 2 Data (Moderate Risk)
- The unauthorized access or use of this data may have adverse effects on individuals, groups, or the university.
- This is the type of information that you likely work with every day. Some examples of this would be your University ID # (UID), student course grades, and class attendance records. Its release may cause some harm, but the potential harm is not as severe as when sensitive health information or Social Security Numbers are revealed.
🟢 Level 1 Data (Low Risk)
- The unauthorized access or use of this data is unlikely to have any adverse effects on individuals, groups, or the university.
- This data is typically public, so access and use of it has likely already been determined as harmless. Some examples of this are YouTube videos you publicly post as a part of a class assignment, or the published salary data of university employees.
Now for examples!
Below are a list of examples (that are relevant to the university) for each of the data classification levels.
Level 4 (Restricted) - THIS CANNOT BE ACCESSED OR USED BY UNAUTHORIZED PERSONS/GROUPS
- HIPAA Data (Protected Health Information - PHI)
- Payment Card Industry Data Security Standard
- (PCI-DSS) Data
- Export-Controlled Research Data
- Controlled Unclassified Information (CUI)
Level 3 (High Risk) - If this data is accessed or used by unauthorized persons/groups, it is likely to impact you significantly. You do not want this information disclosed about yourself!
- Social Security Numbers
- Credit/Debit Card Numbers
- Bank Account Information
- Drivers License Numbers
- Passport Numbers
- Counseling Records
- Student Loan Information
- Conduct/Disciplinary Investigative Records
Level 2 (Moderate Risk) - If this data is accessed or used by unauthorized persons/groups, it will potentially have adverse effects.
- University ID Numbers
- Home Addresses
- Birth Date
- Course Grades
- Class Attendance Records
- Basic HR Information (Resumes, Cover Letters, Deliberations for Potential Employees, etc.)
Level 1 (Low Risk) - This data is highly unlikely to harm you if publicized, particularly because it is likely already publicly available!
- Public Course Catalogs
- Published Research
- Public Campus Maps
- Published Faculty/Staff Directory Information (names, email addresses, office locations, current job position)
- Published Salary Information
Understanding UMD’s data classification levels isn’t just about compliance, it’s about protecting yourself, your colleagues, your community, and the university from unnecessary risk. Knowing what type of data you’re working with and handling it appropriately will help safeguard our community’s privacy, reputation, and security. So next time you save a file, share information, or choose a platform, remember that the right protection starts with knowing your data and how to handle it.
Related Resources