Data Risk Classification Policy

The University at Buffalo (UB, university) is committed to protecting the confidentiality, integrity, and availability of data important to the university’s mission. All university data must be classified based on risk category and protected using the appropriate security measures consistent with the minimum standards for the classification category. The standard for protecting the data becomes more stringent as the risk from disclosure increases.

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the HIPAA Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes. Information regulated by HIPAA may be used, maintained, or disclosed within or outside of the university only as specifically permitted by the HIPAA regulations.

Failure to adhere to these policies and procedures may result in corrective measures. Corrective measures will be administered to a degree commensurate with the violation and in compliance with applicable collective bargaining agreements and/or applicable laws, regulations, and policies.

University academic and administrative data are valuable assets and often contain detailed information about the university, as well as personal information about faculty, staff, students, and other third parties affiliated with the university. Protecting the information is driven by important considerations including legal, academic, financial, reputation, and other business requirements. This policy provides a framework for classifying university data based in its level of sensitivity, value, and criticality. Classifying data helps determine baseline security controls to protect the data.

This policy applies to all university data and to all user-developed data sets and systems that may access these data regardless of the environment where the data reside (e.g., cloud systems, servers, personal computers, mobile devices). The policy applies regardless of the media on which data reside (e.g., electronic, printouts, CD, microfiche) or the form they may take (e.g., text, graphics, video, voice).

Data that is personal to the operator of a system and stored on a university information technology (IT) resource as a result of incidental personal use is not considered university data. University data stored on non-university IT resources must still be verifiably protected according to the respective university minimum security standards.

Category 1 – Restricted Data

Protection of the data is required by law or regulation. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.

Restricted data includes the definition of private information in the New York State (NYS) Security and Breach Notification Act as a foundation: bank account, credit card, debit card numbers; social security numbers; state-issued driver license numbers; and state-issued non-driver identification numbers. To this list, university policy adds protected health information (PHI), computer passwords, other computer access protection data, and passport numbers.

Category 1 – Restricted Data are exempt from disclosure or release under the NYS Freedom of Information Law (FOIL). The NYS Information Security Breach and Notification Act requires the university to disclose any breach of the data to New York residents. (State entities must also notify non-residents; see the NYS Information Security Policy.)

Individuals who access, process, store, or in any other way handle Category 1 – Restricted Data must implement controls and security measures as required by relevant laws, regulations, university policies, and supporting standards. In instances where laws and/or regulations conflict with university policy, the more restrictive policy, law, or regulation governs.

Category 2 – Private Data

Includes university data not identified as Category 1 – Restricted Data, and data protected by state and federal regulations. This includes Family Educational Rights and Privacy Act (FERPA)-protected student records and electronic records that are specifically exempt from disclosure by the NYS FOIL.

Category 2 – Private Data must be protected to ensure that they are not disclosed in a FOIL request. Private data must be protected in order to ensure that they are only disclosed as required by law, including FOIL. Decisions about disclosure must be made by the Records Management Officer.  

The NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations maps to the Category 2 – Private Data risk classification.

Category 3 – Public Data

Includes university data not included in Category 1 – Restricted Data and Category 2 – Private Data, and the data is intended for public disclosure, or the loss of confidentiality of the data or system would have no adverse impact on our mission, safety, finances, or reputation.

Public data includes any data that is releasable in accordance with FOIL. This category also includes general access data, such as that available on unauthenticated portions of institution's website. Public data has no requirements for confidentiality; however, systems housing the data should take reasonable measures to protect its accuracy.

Data Managers

University officials and their staff who have operational-level responsibility for information management activities related to the capture, maintenance, and dissemination of data.

Data Owner

The University at Buffalo is considered the data owner of all university data; individual units or departments may have stewardship responsibility for portions of the data.

Data Steward

University official who has planning and policy-level responsibilities for data in their functional areas.

Data Trustee

Senior leader of the university (i.e., vice president, vice provost, dean) who has responsibility for areas that have systems of record.

Data User

Individual who needs and uses university data as part of their assigned duties or to fulfill their role in the university community.

• Oversee implementation of this policy.

• Administer activities delegated by data stewards.
• Maintain physical and system security and safeguards appropriate to the classification level of the data in their custody.

• Manage defined elements of institutional data.
• Implement and apply safeguards that meet or exceed the minimum safeguards for each data classification. Safeguards are determined by the individual unit, but guidance may be provided by the Information Security Office with respect to minimum expectations.  

• Ensure that data stewards in their area are compliant with data governance principles.

• Maintain the confidentiality, integrity, and availability of university data.
• Implement appropriate safeguards to protect data.
• Follow all university policies, procedures, and standards related to data security classification and security level, including applicable federal and state laws.

• Make decisions about records disclosure of information.