Predefined Data Classifications
1.0 Overview
While the responsibility to classify data rest with the data steward there are some predefined types of sensitive and restricted/PHI institutional data. Based upon state, federal, and contractual requirements that UAB is bound by, the following information assets have been predefined as Restricted or Sensitive data and must be protected.
2.0 Sensitive Data
2.1 Personally Identifiable Education Records-Covered under FERPA
Personally Identifiable Education Records are defined as any education records that contain one or more of the following personal identifiers
- Student Number
- Grades, GPA, Credits Enrolled
- Race/Gender
- A list of personal characteristics or any other information that would make the student’s identity easily traceable
3.0 Restricted Data
3.1 Personally Identifiable Financial Information (PIFI) - Covered under GLBA
For the purpose of meeting security breach notification requirements, PII is defined as a person’s first name or first initial and last name in combination with one or more of the following data elements:
- Social security number
- Government issued driver’s license number
- Date of Birth
- Financial account number in combination with a security code, access code or password that would permit access to the account
3.2 Payment Card Information - Covered under PCI DSS
Payment card information is defined as a credit card number (also referred to as a primary account number or PAN) in combination with one or more of the following data elements:
- Cardholder name
- Service code
- Expiration date
- CVC2, CVV2 or CID value
- PIN or PIN block
- Contents of a credit card’s magnetic stripe
3.3 Protected Health Information (PHI) - Covered under HIPAA
PHI is defined as any “individually identifiable” information that is stored by a Covered Entity, and related to one or more of the following:
- Past, present or future physical or mental health condition of an individual.
- Provision of health care to an individual.
- Past, present or future payment for the provision of health care to an individual.
PHI is considered “individually identifiable” if it contains one or more of the following identifiers:
- Name
- Address (all geographic subdivisions smaller than state including street address, city, county, precinct or zip code)
- All elements of dates (except year) related to an individual including birth date, admissions date, discharge date, date of death and exact age if over 89)
- Telephone/Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate number
- Device identifiers and serial numbers
- Universal Resource Locators (URLs)
- Internet protocol (IP) addresses
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number or characteristic that could identify an individual
If the health information does not contain one of the above referenced identifiers and there is no reasonable basis to believe that the information can be used to identify an individual, it is not considered “individually identifiable” and; as a result, would not be considered PHI.
4.0 Classifying Research Data
The classification of research data depends on several factors such as type of data, and/or contractual elements and thus may fall into any of the classifications defined herein. Likewise, time of release and collaboration effect the classification of research data. As such, certain unpublished research data may be classified as private or sensitive until such time the research is published.
Likewise, intellectual property that has not been disclosed to or protected by the IIE may need to be classified as sensitive. Additionally, federal laws, rules and regulations (including but not limited to FISMA, HIPAA, FERPA, and Export Controls), sponsor requirements, and UAB policies and guidelines will necessitate a certain classification.
It is incumbent upon the Researcher to know the type of data, the circumstances governing the data, and classify it accordingly. Once classified, the Researcher will need to maintain the data using the appropriate UAB system of record or database with the appropriate access and security controls aligning to the classification standard. For example, not all UAB data storage options are recommended for sensitive data.
Research data shall also be maintained in accordance with UAB’s Record Retention Policy and record retention schedule. For more information about protected research data please refer to the UAB OVPRED or the UAB IT Data Officer.
5.0 Notes
Any information classified differently per regulation or policy will be protected at the highest classification level. For example, social security number as part of a student’s record. The social security number is not classified as Sensitive Data under FERPA. It is classified as Restricted Data as Personally Identifiable Information (PII) and under GLBA.