
Data Classification Questionnaire


There are three elements to classifying Yale IT Systems:

  • Data Classification 
  • Availability Requirement 
  • External Obligations 

This questionnaire can help determine data classification and external obligations. To help determine availability requirement, please visit the Availability Requirement Guideline.


We classify our data and IT Systems to protect them based on the risk they carry. We don’t want high risk data, like patient files, posted to the public. We also don’t want to spend time, money, and resources protecting pictures of your dog you post on Facebook. Some things are meant to be shared. Others are not.


Data Classification is how sensitive or confidential your data is. External obligations determine whether the data is subject to any outside requirements; these can include legal, regulatory, or contractual requirements. Working through the questionnaire gives you both, so that we protect your data based on the risk it carries.

What is the data classification questionnaire? 

This questionnaire is a set of questions to help you:

  • Align the sensitivity of your data with a risk level of high, moderate, or low.
  • Determine if your data is subject to any common external obligations used at Yale.

These questions are categorized by risk classification: one set of questions determines High Risk data and another determines Moderate Risk data. To use this questionnaire correctly, you need to consider all the data you work with. These questions apply to any data that you will access, create, store, transmit, and/or receive. This includes:

  • Any data you interact with during your research, business, or academic process. 
  • Any data accessed, created, stored, transmitted, and/or received by the IT System you use to complete your work. 

If you answer all these questions "no", you are working with low-risk data. The one exception is if a contract states a different risk level (see Contractual Obligations below).

How do I use the data classification questionnaire? 

Treat each question on the questionnaire individually. The questions are not intended to be combined or added up for a "score". Take question 2 as an example. If you answer "yes" to all three parts of question 2, the data classification is High Risk and the data is subject to HIPAA, as shown in the chart at the end of the question. From that point on, no matter how you answer the remaining questions, your data is High Risk. Continue reviewing the questionnaire anyway, because the remaining questions can identify additional external obligations (e.g. SSNs, PCI, FERPA) and any contractual agreements. For contracts, the terms of the contract determine the data classification and external obligations.

Reminder: If you answer all these questions "no", you are working with low-risk data.

If you need help classifying your data beyond this survey, try these resources: 

The highest data classification identified in the results of this questionnaire is the overall data classification. Data classification is one of the three elements of risk classification.

High Risk Data Questions

The questions below help you determine if your Data Classification is High Risk. It will also determine if you are subject to any external obligations tied to High Risk Data. These questions apply to any data that you will access, create, store, transmit, and/or receive. By answering "yes" to any of these questions, the data classification is High Risk. Any applicable external obligations are listed in the external obligations column of the table.

1) Could the unauthorized disclosure or modification of the data greatly impact an individual or the University?

Explanation of this question:
This is part of Yale's definition of High Risk Data. For more details, see Yale's Data Classification Policy.

Data Classification and External Obligations
Data Classification: High Risk Data
External Obligations: Not Applicable 

2) This is a three-part question to determine if your data is subject to HIPAA.

If you answer yes to all three of these questions, your data is high risk and subject to HIPAA. 

2a) Does the data include 1 or more of the following HIPAA identifiers? (HIPAA defines 18 identifier categories; some of them, such as geographic subdivisions and dates, are listed here split into their components.)

  • Names
  • Street address
  • City
  • County
  • Precinct
  • Zipcodes/equivalent geocodes
  • Telephone/fax numbers
  • Email addresses
  • Social Security Numbers (SSNs)
  • Medical Record Numbers (MRNs)
  • Health Plan Beneficiary numbers
  • Account numbers
  • Birth dates
  • Admission and/or discharge dates
  • Date of death
  • All ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and comparable images
  • Any other unique identifying numbers, characteristics or codes

2b) Are the identifiers being collected in relation to patients or research subjects? (Yes/No)

2c) Is the data being used within or on behalf of the covered entity? (Yes/No)

Explanation of this question:
When any of these identifiers are used in relation to patients or research subjects within the covered entity, the data is subject to HIPAA. For more information, see our External Obligations Guideline. Reminder: you must answer "yes" to 2a, 2b, and 2c for HIPAA to apply.

Data Classification and External Obligations
Data Classification: High Risk Data
External Obligations: HIPAA 

3) Does your data include any of the following data types?

  • Personally identifiable information (PII) 
  • Driver’s License or Passport numbers
  • Export controlled information under U.S. laws
  • Confidential information about Yale donors 
  • Databases used for payroll, tax, health care or other critical functions 
  • Information pertaining to animal research protocols or researchers
  • Bank account numbers 

Explanation of this question:
These data types are classified as High Risk per Yale's Data Classification Policy.

Data Classification and External Obligations
Data Classification: High Risk Data
External Obligations: Not Applicable

4) Does your data include Social Security Numbers (SSNs)?

Explanation of this question:
Social Security Numbers (SSNs) are classified as High Risk Data per Yale's Data Classification Policy.

Data Classification and External Obligations
Data Classification: High Risk Data
External Obligations: SSNs

5) Does your data include credit card information?

Explanation of this question:
Credit card information is classified as High Risk Data per Yale's Data Classification Policy. Credit card numbers are also subject to the Payment Card Industry Data Security Standard, commonly referred to as PCI DSS or PCI. For more information, see our External Obligations Guideline.

Data Classification and External Obligations
Data Classification: High Risk Data
External Obligations: PCI

Moderate Risk Data Questions

The questions below help you determine if your Data Classification is Moderate Risk. It will also determine if you are subject to any external obligations tied to Moderate Risk Data. These questions apply to any data that you will access, create, store, transmit, and/or receive. By answering "yes" to any of these questions, the data classification is Moderate Risk. Any applicable external obligations are listed in the external obligations column of the table. 

1) Could the unauthorized disclosure or modification of the data cause a limited impact to an individual or the University?

Explanation of this question:
This is part of Yale's definition of Moderate Risk Data. For more details, see Yale's Data Classification Policy.

Data Classification and External Obligations
Data Classification: Moderate Risk Data
External Obligations: Not Applicable

2) Does your data include any of the following data types?

  • Employment applications and personnel files 
  • Non-public contracts 
  • Internal memos and email, non-public reports, budgets, plans and financial information 
  • Engineering, design and operational information regarding Yale infrastructure 

Explanation of this question:
These data types are classified as Moderate Risk per Yale's Data Classification Policy.

Data Classification and External Obligations
Data Classification: Moderate Risk Data
External Obligations: Not Applicable

3) Does your data include student or applicant data, including but not limited to the following data types:

  • Student names 
  • Student dates of attendance 
  • School or residential college affiliation 
  • Local and other addresses
  • Local telephone number 
  • Email address
  • Date and place of birth
  • Major field of study
  • Enrollment status 
  • Student job assignments and locations 
  • Participation in a University-sponsored activity or sport
  • Height and weight of members of athletic teams
  • Degrees, honors, and awards received 
  • Previous educational institution(s) attended
  • Name and address of parent or guardian
  • Picture and video 
  • University person identifier (UPI) 

Explanation of this question:
Student and applicant data are classified as Moderate Risk per Yale's Data Classification Policy. Student and applicant data types are also subject to FERPA, the Family Educational Rights and Privacy Act. For more information, see our External Obligations Guideline.

Data Classification and External Obligations
Data Classification: Moderate Risk Data
External Obligations: FERPA

Contractual Obligations

Are there any contractual obligations in effect that specify security protections?

These security protections can be for the data or the IT System used to host the data. The contracts may also require Yale to take specific action in the event of a security incident.

Examples of contractual agreements include Data Use Agreements (DUAs) and Data Management Plans. Here at Yale, these types of contracts are often seen in our research space. See our External Obligations Guideline for more details. 

The terms of the contract will determine the data classification and external obligations. You may be able to align the risk level of the data with high, moderate, or low risk. Any extra security requirements for the IT System should be outlined in the contract. You can work with your user support provider or email information.security@yale.edu for help. 
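The aggregation rules spread across this page (each question stands alone and is never summed into a score, all three parts of the HIPAA question must be "yes", the overall classification is the highest one found, obligations accumulate, and a contract can set a level for data that would otherwise be low risk) are easy to get wrong when a team builds its own intake form. The following is an added example, not Yale's own tooling, that encodes those rules. The question ids (H1 to H5, M1 to M3, H2a to H2c), the treatment of a contract as something that can only raise the level, and the sample answer sheets are assumptions made here.

```python
"""Aggregation rules of the data classification questionnaire.

Example code added for illustration; not Yale's own tooling. Question ids
(H1..H5, M1..M3, H2a..H2c) and the contract handling are assumptions.
"""
from __future__ import annotations

HIGH, MODERATE, LOW = "High Risk", "Moderate Risk", "Low Risk"
RANK = {LOW: 0, MODERATE: 1, HIGH: 2}

# Single-answer questions: id -> (classification if "yes", external obligation or None).
# The ids are this example's labels for the page's numbered questions.
QUESTIONS = {
    "H1": (HIGH, None),         # great impact on an individual or the University
    "H3": (HIGH, None),         # PII, passport/DL numbers, export-controlled, ...
    "H4": (HIGH, "SSNs"),       # Social Security Numbers
    "H5": (HIGH, "PCI"),        # credit card information
    "M1": (MODERATE, None),     # limited impact
    "M2": (MODERATE, None),     # personnel files, non-public contracts, ...
    "M3": (MODERATE, "FERPA"),  # student or applicant data
}
# HIPAA is the one multi-part question: all three parts must be "yes".
HIPAA_PARTS = ("H2a", "H2b", "H2c")


def classify(answers: dict[str, bool], contract_level: str | None = None) -> tuple[str, list[str]]:
    """Return (overall classification, sorted external obligations).

    Questions are never summed into a score: each "yes" contributes its own
    classification and obligation, the overall classification is the highest
    one found, and the obligations are the union. The questionnaire covers all
    data the system touches, so an unanswered question is an error rather than
    a silent "no".
    """
    missing = [q for q in (*QUESTIONS, *HIPAA_PARTS) if q not in answers]
    if missing:
        raise ValueError(f"unanswered questions: {missing}")

    findings: list[tuple[str, str | None]] = [QUESTIONS[q] for q in QUESTIONS if answers[q]]

    # A "yes" to only one or two HIPAA parts contributes nothing on its own.
    if all(answers[p] for p in HIPAA_PARTS):
        findings.append((HIGH, "HIPAA"))

    # Contract terms can state a risk level for otherwise low-risk data.
    # Assumption made here: a contract only raises the level, never lowers it.
    if contract_level is not None:
        if contract_level not in RANK:
            raise ValueError(f"unknown contract level: {contract_level!r}")
        findings.append((contract_level, "Contract"))

    overall = max((level for level, _ in findings), key=RANK.__getitem__, default=LOW)
    obligations = sorted({ob for _, ob in findings if ob is not None})
    return overall, obligations


def all_no(**overrides: bool) -> dict[str, bool]:
    """Constructed answer sheet: every question answered "no", with selected answers flipped."""
    sheet = {q: False for q in (*QUESTIONS, *HIPAA_PARTS)}
    sheet.update(overrides)
    return sheet


if __name__ == "__main__":
    print(classify(all_no()))
    print(classify(all_no(H2a=True, H2b=True, H2c=True, M3=True)))
    print(classify(all_no(), contract_level=MODERATE))
```

Two behaviours are worth checking in any form you build from this: answering "yes" to 2a and 2b but "no" to 2c must not produce a HIPAA obligation, and a High Risk answer must not be hidden by a later Moderate Risk answer, which is why the result is a maximum rather than the last value written.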

Need Help? 

For questions or feedback regarding this questionnaire, email information.security@yale.edu. We can also help you classify your data if you are still unsure based on these questions.