Sensitivity
Public
The effect on confidentiality of the Data is negligible. Data that would fit into this classification includes, but is not limited to:
- Data that which by law is available to the public without request.
- Data on public-facing informational websites
- Public directory information
- Job postings
- Published research papers
- Press releases
- Campus maps
- Course information
- Advertising
Internal Use Only
The effect on confidentiality of the Data is minimal to minor and does not include compliance issues. Internal Use Only Data must be protected by need-to-know. Data that would fit into this classification includes, but is not limited to:
- Routine non-public business records or reports
- Budget information
- Purchase requisitions
- University insurance records
- Routine email or internal communications not containing Private or Restricted information
- Calendar information not containing Private or Restricted information
- Meeting notes not containing Private or Restricted information
- Draft or unpublished research papers using publicly available data
- Non-public policies and procedures
- Fundraising data
- Opinion polls or questionnaires
Private
Private data is classified as private due to legal, regulatory, administrative, or contractual requirements; intellectual property or ethical considerations; strategic or proprietary value; and/or other special governance of such data. Access to, and management of, private data requires authorization and is only granted to those data users as permitted under applicable law, regulation, contract, rule, policy, and/or role. The effect on confidentiality of Private Data is moderate. Data that would fit into this classification includes, but is not limited to:
- Trade secret or Intellectual Property protected by a non-disclosure agreement
- Tennessee Unique ID
- Employee/Faculty/Staff performance reviews
- Building floor plans showing egress routes and shelter areas
- Faculty tenure recommendations
- Data flow and IT Network infrastructure diagrams
- Security camera recordings
- Donor contact information and non-public donation amounts
- Non-public law enforcement information
- Family Educational Rights and Privacy Act (FERPA)
Restricted
Restricted data is data that requires the highest level of protection due to legal, regulatory, administrative, contractual, rule, or policy requirements. Access to, and management of, restricted data is strictly limited as unauthorized use or disclosure could substantially or materially impact the university’s mission, operations, reputation, finances, or result in potential identity theft. The effect on confidentiality of Restricted Data is severe. Data that would fit into this classification includes:
- Personally Identifiable Information (PII)
- Sensitive Identifiable Human Subject Research Information (Human Subject)
- Government issued ID numbers (Social Security Number, Driver’s License Number, VISA, etc.)
- General Data Protection Regulation (GDPR)
- Personal Information Protection Law of the People’s Republic of China (PIPL)
- Payment Card Industry (PCI) Data
- Financial account numbers such as banking or investment account numbers
- Protected Health Information (PHI) per the Health Insurance Portability and Accountability Act (HIPAA)
- Biometric information
- Gramm–Leach–Bliley Act (GLBA) Title IV loan Data
- Passwords, passphrases, PIN numbers, security codes, and access codes
- Controlled Unclassified Information (CUI)
- Export-Controlled Information (ITAR, EAR)
Criticality
- Business Impact Nominal – Data is unavailable over 2 weeks with minimal to no impact on organizational operations, organizational Assets, or individuals.
- Business Impact Low – Data is unavailable for 72 hours to 2 weeks and it could be expected to have an adverse effect on organizational operations, organizational Assets, or individuals.
- Business Impact High – Data is unavailable for 72 hours or less and it could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational Assets, or individuals.
- Business Impact Critical – Data is related to control Systems that support the University, but if subverted, could be life-threatening to University Employees, students, and others using University facilities (e.g., attending athletic events).