This image shows data displayed on a computer and mobile device. The computer and mobile device need to be secured to protect that data, based on its classification.

Data Classification Guideline (1604 GD.01)

Guide

Data Classification Guideline (1604 GD.01)

Knowing how to work securely starts with knowing the risk of the data you work with. Data classification is the first part of classifying Yale IT Systems.

Yale's Data Classification Policy groups Yale data into three risk levels. We classify data as high, moderate, or low risk. This depends on the data's importance, sensitivity, and potential for misuse.

Yale's data risk classification definitions

Low Risk Data Moderate Risk Data High Risk Data
Yale data are classified as Low Risk if they are not Moderate or High Risk and:
  • Yale chooses or is required to disclose them to the public.
  • The loss of their confidentiality, integrity or availability would cause no harm to Yale’s mission, safety, finances, or reputation.

Yale data are classified as Moderate Risk if they are not High Risk and:

  • They are not available to the public.
  • The loss of the confidentiality, integrity, or availability could cause limited harm to Yale’s mission, safety, finances, or reputation.

Yale Data are classified as High Risk if:

  • They could be exploited for criminal or other wrongful purposes
  • Yale is contractually obligated to keep them confidential.
  • They identify an individual and would customarily be shared only with the individual’s family, doctor, lawyer, or accountant.
  • They are critical to Yale’s ability to perform one of its essential academic, health care, or business functions and cannot be replaced easily with backup copies.

Yale's data risk classification examples

Below are examples of common data types that fall under each classification. These lists of examples are not definitive. If any data set contains attributes defined as High Risk, you must treat the data set as High Risk.

Low Risk Data Moderate Risk Data High Risk Data
Yale classifies data types as Low Risk if they are not considered to be Moderate or High Risk, and:
  • Information that Yale has made available to the public on its website.
  • Policy and procedure manuals designated by Yale as public.
  • Job postings.
  • Yale directory information not designated by the individual as “private.”
  • Information in the public domain.
  • Publicly available campus maps.
  • Research data (barring any publication restrictions and at data owner’s discretion).

Yale classifies data types as Moderate Risk if they are not considered to be High Risk, and:

  • Non-public, University-owned research data not considered High Risk.
  • Student and applicant data.
  • Employment applications and personnel files.
  • Non-public contracts.
  • Internal memos and email, non-public reports, budgets, plans, and financial information.
  • Engineering, design, and operational information regarding Yale infrastructure.

 

 Yale classifies data types as High Risk if:
  • Personally identifiable patient and human subject information.
  • Social security, driver’s license, state identification card, and passport numbers.
  • Credit card and bank account numbers.
  • Export controlled information under U.S. laws.
  • Confidential information about Yale donors.
  • Databases used for payroll, tax, health care, and other critical functions.
  • Information pertaining to animal research protocols and researchers.
  • A user name (e.g., Yale NetID) or email address in combination with a password or security question and answer that would permit access to an online account.

How to determine your data classification:

Know all the data types involved.

  • This could mean all the data types in your data set.
  • If you are looking to classify your data to choose a secure IT System, know all the data types involved. This means any data you access, create, store, transmit, or receive using the IT System. See the Risk Classification Guideline for more details.

Yale's Data Classification Questionnaire

Choosing a secure system for your data

Users of Yale data are responsible for securing that data. To secure data, you must use a Yale IT System that matches your risk classification. For example, if you need to store high risk data, you must use a Yale IT System for storing data classified as high risk. The risk classification of a Yale IT System cannot be lower than the data classification.

Data Classification is one element of the risk classification of a Yale IT System. See the Risk Classification Guideline to learn about all three elements. This will help you determine the overall risk associated with the work you do on behalf of Yale's mission.

The Service Classification page indicates the risk classifications allowed on commonly used Yale IT Services. See the Service Classification Table for services that secure your data classification.

What do I do if the IT System I want to use is not on the Service Classification Table?

If the Yale IT System you want to use is not listed, it is not secured for specific risk classifications. All Yale IT Systems must have a risk classification. All Yale IT Systems must meet the Minimum Security Standards for their classification. See the Risk Classification Guideline or Yale's Minimum Security Standards for more details.

Need help?

Email us for questions on classifying your data.