The university collects and maintains a variety of information, including information about students, faculty, staff and others. This information is collected in order to conduct university business. Information is classified as private or public based on federal and state law.
Private information can only be released to the subject of the information, to those within the university who have a legitimate need to know the information, to outside entities with the subject's written permission, and to others as allowed by law. Some private information, like protected health information (PHI) and electronic PHI, is protected by law. Click here for an extensive list of private information items.
Public information is available to anyone who requests it, except in the case of student data, when the student has requested that no public information about him/her be released without express written permission. Click here for an extensive list of examples of public information.
The university has classified information into four categories:
High-Risk – Data that could be used to steal an individual's identity or cause harm to the individual, and for which there are legal requirements or industry standards prohibiting or imposing financial penalties for unauthorized disclosure. Data covered by the Gramm-Leach-Bliley Act (GLBA) and Payment Card Industry (PCI) are in this class.
Restricted – Information assets for which there are legal requirements prohibiting or imposing financial penalties for unauthorized disclosure. Data covered by federal and state legislation, such as Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Government Records Access and Management Act (GRAMA), or the Data Protection Act, are in this class.
Confidential – Data that the University has determined should be protected because it may expose the University to loss if disclosed, but is not protected by federal or state legislation. For example, a user ID in combination with a password is considered to be confidential.
Public – Although there are no restrictions on disclosure to protect public data (because the data are provided for broad viewing access), sufficient protection must be applied to prevent unauthorized modification of such data.

