Data Classifications


There are four classification levels of institutional data at the University of Kansas. To ensure proper handling and sharing of data, please use the following classification levels. They are listed below from most sensitive to least sensitive:

Critical (formerly Level 1) - Inappropriate handling of this data could result in criminal or civil penalties, identity theft, personal financial loss, invasion of privacy, and/or unauthorized access. Access will typically be granted on a case-by-case basis to a very small group of individuals. This data must be encrypted while being stored or transmitted.

  • Protected Health Information (HIPAA) and health insurance policy ID numbers *
  • FERPA - student data including but not limited to grades, exams, rosters, official correspondence, financial aid, scholarship records, enrollment, etc.
  • Data subject to the Children's Online Privacy Protection Act (COPPA) - information collected from children under the age of 13
  • Student Loan Application Information (GLBA)
  • Financial account numbers (debit/credit, bank account, investment account, P-card, etc)
  • Credit card/E-Commerce data (PCI)
  • Attorney-client privileged information
  • Data subject to Defense Federal Acquisition Regulation Supplement (DFARS) or Federal Acquisition (FAR) requirements
  • Export controlled information--International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR)
  • Passwords/PINs
  • Personally Identifiable Information (PII) including SSN, passport numbers, visa numbers, other national ID numbers, and driver's license numbers
  • Audit working papers
  • Biometric identifiers, including finger and voice prints
  • Other data covered by federal and/or state confidentiality laws
  • Criminal Justice Information (KCJIS)
  • Tax information (W-2, W-4, 1099, etc)
  • Sensitive identifiable human subject research data *

*Under HIPAA (Health Insurance Portability and Accountability Act), PHI is considered individually identifiable if it contains one or more of the following identifiers:

  • Name
  • Address (all geographic subdivisions smaller than state including street address, city, county, precinct or zip code)
  • All elements of dates (except year) related to an individual including birth date, admissions date, discharge date, date of death and exact age if over 89
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate number
  • Device identifiers and serial numbers
  • Universal Resource Locators (URLs)
  • Internet protocol (IP) addresses
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic or code that could identify an individual

PHI is individually identifiable health information that relates to the:

  • Past, present, or future physical or mental health or condition of an individual
  • Provision of health care to the individual by a covered entity (for example, hospital or doctor)
  • Past, present, or future payments for the provision of health care to the individual

Restricted (formerly Level 2) - Because of legal, ethical, or other constraints, this data requires authorization to be accessed. Access will typically be granted by job or system access roles. It is recommended that this data is encrypted while being stored or transmitted.

  • Donor/prospect contact information and non-public gift information
  • Audit reports
  • Individually identifiable data on race, color, ethnicity, religion, sex, national origin, age, ancestry, disability, status as a veteran, sexual orientation, marital status, parental status, gender identity, gender expression and genetic information
  • Competitive business information
  • Faculty/staff employment applications, personnel files, benefits, birth date, personal contact information
  • Location data for devices connected to KU wired and wireless networks
  • Data subject to non-disclosure agreements
  • Conflict of Interest disclosures
  • Bulk email addresses

Internal - This data may be accessed by employees of the university for purposes of university business.

  • Salary information, student and employee ID numbers
  • Engineering, design, and operational information regarding KU facilities and infrastructure
  • Non-public policies and policy manuals
  • Unpublished grant proposals
  • Research data
  • Manuscripts and associated correspondence that are not subject to other confidentiality requirements (at data owner's discretion)
  • Summarized data on race, color, ethnicity, religion, sex, national origin, age, ancestry, disability, status as a veteran, sexual orientation, marital status, parental status, gender identity, gender expression and genetic information, budgetary information
  • University planning information
  • Non-public financial and procurement information.

Public (formerly Level 3) - Few restrictions are placed on this data and it is generally releasable to a member of the public upon formal request. Employees must consult the "Releasing Information to Third Parties" policy prior to releasing any data to a member of the public. Examples of public data include FERPA directory information, course offerings, annual reports, and more.

  • FERPA Directory Information
  • Information authorized to be available on or through KU websites without KU Online ID authentication
  • Public policies and procedure manuals
  • Course offerings
  • Annual reports
  • Job postings