Knowing what data you have and its sensitivity is your first step to ensure that it is adequately protected.
Based on APS 2.2, UW units are required to classify personal data to convey the level of risk and corresponding data protection that must be applied to the data. Definitions are available in APS 2.4 and on the Data Classifications page. The Office of Information Security is in the early stages of updating data classification processes to support UW units and will be engaging the UW-IT Security & Privacy and Data Governance boards.
Request data classification assistance
When a data classification isn’t apparent, escalate the need for a data classification for a specific data element to the Office of Information Security’s privacy team. Upon receiving a request to classify data, the we will:
- Review the purpose and intended use of data with UW colleague who is requesting clarification.
- Consult with subject matter experts and Attorney General’s Office (as needed) to assess the regulatory and contractual requirements associated with the data.
- If the data element is a type of personal data, we will assess whether the data element may present a risk of harm to individuals if disclosed to unintended audiences or unauthorized individuals or whether individuals may have a reasonable expectation of privacy.
- Evaluate if the combination or removal of data elements from a data set may change the data classification.
- Consult with the IT Security & Privacy board (as needed).
- Determine data classification.
- Inform UW colleague, who is requesting clarification, about the outcome and data classification. For more information, contact uwprivacy@uw.edu.