UTS Standard: Data Classification

Summary

A brief explanation of UTS standards for data classification.

Body

Overview

All individuals who access, use, store, or transmit University Data share responsibility for maintaining and safeguarding it.  Data Classification establishes sensitivity levels for University Data and defines the appropriate controls and security measures required to protect it.

Scope

This standard applies to all data owned by Oakland University, or stored on an Information Resource.

Standard

It is the responsibility of the applicable Data Owner, as defined in Policy 860 Information Security, to evaluate and classify University Data for which they are responsible according to the classification system adopted by the University as described below.  If University Data of more than one level of sensitivity exists in the same System or Endpoint, the System or Endpoint itself must be classified at the highest level of sensitivity.

Data Classification Levels

Confidential Data

Any information protected by federal, state, or local laws and regulations, or industry standards, such as Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), Family Educational Rights and Privacy Act (FERPA), Payment Card Industry-Data Security Standard (PCI-DSS).

For the purpose of this Standard, and other Oakland University Policies and Procedures, Confidential Data include, but are not limited to:

  • Student Data protected by the Family Educational Rights and Privacy Act (FERPA), including personal identification Data such as Social Security Number, student numbers (e.g., Grizzly ID), and other Data not classified as directory information under FERPA. FERPA-protected Education Records cannot be disclosed without written student consent.  Directory Information is classified by OU as Public Data and may be shared in accordance with the guidance provided below;
  • Medical Data, such as Electronic Protected Health Information and Data protected by the Health Insurance Portability and Accountability Act (HIPAA);
  • Research. Only research data and information within the following broad categories is to be considered Confidential Data:  
    • Classified Research;
    • Activity that is covered by a fully executed non-disclosure agreement (NDA);
    • Information, data, etc., that is proprietary or confidential (whether it belongs to an OU investigator or an outside collaborator), regardless of whether it is subject to an NDA;
    • Information that a sponsor deems to be confidential; 
    • Information or data that is required to be deemed confidential by state or federal law (e.g., personally identifying information about research subjects, HIPAA or FERPA protected information, etc.); and
    • Information related to an allegation or investigation into research misconduct.
    • All other research data and information, including grant applications and proposals, drafts and working papers for patent applications or research publications, and de-identified research Data, shall be considered Internal Data. 
  • Information access security, such as login passwords, Multi-Factor Authentication, biometrics, Personal Identification Numbers (PINs), logs with personally identifiable Data, digitized signatures, passkeys, and encryption keys;
  • Primary account numbers, cardholder Data, credit card numbers, payment card information, banking information, employer or taxpayer identification number, deposit account number, savings account number, financial transaction device account number, account password, stock or other security certificate or account number (such as Data protected by the Payment Card Industry Data Security Standard); Personnel file, including Social Security Numbers;
  • Library records (such as covered by the Michigan Library Privacy Act 455);
  • Driver's license numbers, state personal identification card numbers, Social Security Numbers, employee identification numbers (e.g., Grizzly ID), government passport numbers, and other personal information that is protected from disclosure by state and federal identity theft laws and regulations including without limitation the Michigan Identity Theft Protection Act (MCL 445.61 et seq.);
  • The Information Security Office, and HIPAA Privacy Officer(s) are responsible for determining whether particular information created, received, maintained, processed or transmitted by Oakland University constitutes PHI.  They collaborate with the Office of Legal Affairs for final approval of the definition before publishing it. 

As the classification Confidential is associated with diverse data, many of which have specific regulatory requirements, a System or Endpoint being approved for Confidential Data does not automatically indicate it is approved for all variants of Confidential Data.  It is the responsibility of the Data Owner to consult with the Information Security Office within UTS to obtain specifics when Confidential Data are involved.

Internal Data

Any information that is proprietary or produced only for use by members of the University community who have a legitimate purpose to access such data.

For the purpose of this Standard, and other Oakland University Policies and Procedures, Internal Data include, but are not limited to:

  • Internal operating procedures and operational manuals
  • Internal memorandum, emails, reports and other documents
  • Technical documents such as system configurations and floor plans

Internal Data may be released or shared under defined, specific procedures for disclosure, such as departmental guidelines, documented procedures or policies.  The Information Security Office within UTS can aid in vetting appropriate information sharing circumstances.  

Public Data

Any information that may or must be made available to the general public, with no legal restrictions on its access or use.

For the purpose of this Standard, and other Oakland University Policies and Procedures, Public Data include, but are not limited to:

  • General access data on public facing sites such as www.oakland.edu
  • University financial statements and other reports filed with federal or state governments and generally available to the public
  • Copyrighted materials that are publicly available
  • Directory Information, as defined by FERPA, may be disclosed without prior consent under FERPA and institutional policies, unless the student has restricted disclosure through opt-out procedures. Disclosure is discretionary and subject to institutional review of the request purpose.

Protection of University Data

The protection of University Data is everyone's responsibility.  University Technology Services will ensure the appropriate technical controls are implemented and documented.

Roles and Responsibilities

Chief Information Officer (CIO)

  • Approves changes to this standard

Chief Information Security Officer (CISO)

  • Administers and enforces this standard

  • Oversees annual review and domain compliance efforts

Executive Management, Data Owners, & Users

  • Ensure compliance with classification requirements in UTS Policy 860 Information Security, along with related UTS policies, standards, and procedures.

Individuals and entities granted access to Oakland Information Resources and/or Data

  • Comply with the requirements of this standard and any related policies, standards or security guidelines and procedures that may be issued by their departmental IT units and/or owners of the IT Resource(s) and Data they access. 

Definitions

Capitalized terms used herein without definition are defined in the IT Terminology Standard.


Last Modified: 1/30/2026
Authority: Approved by University Technology Services (UTS) Chief Information Officer
Category: Security Standards
Status: Approved

Details

Article ID: 773
Created: Fri 7/25/25 2:56 PM
Modified: Tue 2/17/26 3:52 PM