Data Classifications

Last updated: October 24, 2024

Overview

UW’s data classification scheme and process are intended to help units clarify and prioritize minimum privacy and information security protections throughout the data lifecycle, from creation or collection to propagation, disclosure, or destruction.

UW units must classify personal data using definitions for Confidential, Restricted, and Public Information (APS 2.2, 2.4). In 2017, a fourth category, Special Categories of Personal Data, was added based on legal reviews and should be used where applicable.

Policy Update

The Office of Information Security is revising APS 2.2, 2.4, and 2.6 to streamline policies. The classification scheme will move to a new Data Classification Standard. The 4-tier scheme aligns with WaTech’s Data Classification Standard SEC-08-01-S and was endorsed by the UW-IT Security and Privacy Board on May 9, 2024.

Feedback Invitation

UW personnel can preview the new scheme and provide feedback until November 26, 2024 (UW NetID required). Revisions will be considered based on feedback.

Data classifications

(Last updated December 16, 2022)

Confidential

University information that is protected by laws or regulations.

Special Categories of Personal Data

Categories of personal data that when alone or combined with other data could adversely impact the University or individuals. Special categories of personal data also may be confidential information in that they are protected by a law or regulation.

Special categories of personal data include but are not limited to data or information regarding:

  • Criminal offenses.
  • Citizenship and/or immigration status.
  • Race or ethnic origin.
  • Political opinions.
  • Religious or philosophical beliefs.
  • Trade union membership.
  • Genetic or biometric data used to identify a natural person.
  • Health.
  • Disability.
  • Protected veteran status.
  • Sex life.
  • Gender.
  • Gender identity.
  • Data on sex or sexual orientation.
  • Universal identification numbers.
  • Youth under the age of eighteen.

Restricted

Restricted information is University information that is circulated on a need-to-know basis. Restricted information needs careful management to safeguard its integrity and availability, as well as appropriate access, use, and disclosure. Restricted information is generally not published or released to the public unless specifically requested.

Public

University information that is published for public use or has been approved for public use by the appropriate University authority. Public information may not be exempt from public disclosure but does need careful management to safeguard its integrity and availability.