Category: Information Technology
Responsible Office: Information Security Office
Responsible Executive: Vice President and Chief Information Officer (VPCIO)
Date Established: March 11, 2025
The University at Buffalo, (UB, university) classifies data into three risk-based categories to regulate access to, use of, and necessary precautions required to the protect university data. This guidance provides an at-a-glance view of the data classification of the most requested types of data. This document supports the Data Risk Classification Policy, the Protection of University Data policy and the UBIT Standards for Protecting University Data.
The University at Buffalo (UB, university) has legal and ethical obligations to ensure that all forms of university data are adequately secured to minimize the risk of unauthorized use or disclosure. The University at Buffalo is committed to protecting the data of individuals affiliated with the university and its services throughout all stages of the data lifecycle.
The classifications outlined below are a general assumption of data categorization and not a definitive classification. Every instance should be evaluated in accordance with UB’s Data Risk Classification policy.
| Category 1 | Category 2 | Category 3 | |
|---|---|---|---|
| Administrative process data | x | ||
| Attorney - Client Privileged Information | x | ||
| Collective Bargaining Negotiation Data, Contract Negotiation Data | x | ||
| Controlled Unclassified Information (CUI) | x | ||
| Data collected or developed for use in University research | x | ||
| Data About Decisions That Affect the Public | x | ||
| Donor Contact and Gift Information | x | ||
| Export Control Data | x | ||
| Exam questions or answers | x | ||
| Family Educational Rights and Privacy Act (FERPA) Data | x | ||
| Final course grades | x | ||
| Bank or Financial Account Information | x | ||
| General access data, such as that on unauthenticated portions of the institution's website | x | ||
| Gramm-Leach-Bliley Act (GLBA) Data | x | ||
| HIPAA Protected Health Information (PHI) | x | ||
| HR employment data | x | ||
| Inter- or intra-agency data which are not: statistical or factual tabulations; instructions to staff that affect the public; final agency policy or determination; external audit data | x | ||
| IT Infrastructure Data | x | ||
| Law enforcement investigation data, judicial proceedings data; includes student disciplinary or judicial action information | x | ||
| Meeting Minutes | x | ||
| NIST Controlled Unclassified Information (CUI) | x | ||
| Personally Identifiable Information (PII) | x | ||
| Protected Health Information (PHI) | x | ||
| Public Safety information | x | ||
| Trade Secret Data | x | ||
| UB IT Authentication Credentials | x | ||
| UB Person Number | x | ||
| University financial data or business records available to the public | x | ||
| University Intellectual Property | x | ||
| University Proprietary Data | x |
Office of the Vice President and Chief Information Officer
Phone: 716-645-7979
Email: vpcio@buffalo.edu
Information Security Office
Phone: 716-645-6997
Email: sec-office@buffalo.edu
Records Management Officer
Phone: 716-645-1786