Policy

Data Classification Table


General Information

The Data Classification Table describes the confidentiality of the data in question; its ratings do not factor in integrity or availability requirements. Note that if a piece of data fits into more than one category, it is classified at the highest of those classes.

This Data Classification Table was created by the NYU IT Office of Information Security (OIS) and adopted by the Data Protection Risk Analysis Project Team. For questions, including from global locations, regarding its contents, please contact security@nyu.edu. Local privacy laws and regulations may vary at NYU's global locations; please check with OIS to determine that you are safeguarding the data appropriately.


Data Classification: Restricted
Institutional Risk from Disclosure: High
Description: Data whose unauthorized access or loss could seriously or adversely affect NYU, a partner, or the public.
Examples:
  • Social Security Number
  • Driver's License Number
  • Bank/Financial Account Number
  • Credit/Debit Card Number
  • Electronic Protected Health Information
  • Central Authentication Credentials*
  • University Financial Data on Central Systems*

Data Classification: Protected
Institutional Risk from Disclosure: Medium
Description: Data with a less high level of importance, but that should be protected from general access.
Examples:
  • University Intellectual Property*
  • University Proprietary Data*
  • Passport Number
  • Final Course Grades
  • FERPA*
  • External Steward Data*
  • Human Resources Data*
  • Protected Data Related to Research*

Data Classification: Confidential
Institutional Risk from Disclosure: Low
Description: All other non-public data not included in the Restricted or Protected classes.
Examples:
  • NetID
  • University Identification Number
  • Licensed Software
  • Other University Owned Non-Public Data*

Data Classification: Public
Institutional Risk from Disclosure: None
Description: All public data.
Examples:
  • General access data, such as that on unauthenticated portions of www.nyu.edu

Further Clarification

Examples to illustrate items marked with an * above.

  • Central authentication credentials - NYU NetID and password combinations. Does not include local password stores on desktops, laptops, handheld devices, departmental servers, etc.
  • University Financial Data on Central Systems - Financial data at the system of record, where modification of that data would impact University processes. Does not include representation of that data elsewhere, such as in a report.
  • Protected Data Related to Research - Research data which is strictly guided by federal regulation. Depending on the subject matter, there may be more stringent requirements for your grant, from the OSP or the IRB. This does not include most grant-based research, including projects based on NSF grants.
  • Public Safety Information - Includes data containing and/or related to confidential investigation records.
  • University Intellectual Property - Includes data which the University may patent or gain from financially. Does not include copyrighted materials which are publicly available, e.g. torch logo, etc.
  • University Proprietary Data - Includes data for which the University may stand to suffer financial and/or reputational loss as a result of a breach but that is neither Restricted nor Confidential data, e.g. general donor information, etc.
  • FERPA - (Family Educational Rights and Privacy Act) This includes non-directory FERPA information not already listed in Restricted or Confidential. Note this is an exception to the standard policy of data being classified at its highest level.
  • External Steward Data - Data for which the University is a gatekeeper, such as movies or media that we are not directly licensed for but are offering to our community via an external partnership.
  • Human Resources Data - Includes salary, benefits information, medical information not covered under Restricted.
  • Other University-owned non-public data - Anything not already listed in the chart that should not be considered public. Every piece of data at NYU defaults to this category until it is further classified or permission is granted to make the data public.

Contact

For all questions pertaining to the data classification table, please contact the NYU IT Office of Information Security (OIS) at security@nyu.edu.


Notes
  1. Dates of official enactment and amendments: Not Available
  2. History: Last Review/Revision: October 3, 2016
  3. Cross References: N/A