
Data Classification, Access, Transmittal, and Storage

Stanford takes seriously its commitment to respect and protect the privacy of its students, alumni, faculty and staff, as well as to protect the confidentiality of information important to the University's academic and research mission. For that reason, Stanford has classified its information assets into the categories Unrestricted, Confidential, Restricted, and Prohibited for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access.

Please contact the University Privacy Officer with any questions about the appropriate classification of information. Please contact the Chief Information Security Officer with any questions about appropriate protection of information.

Frequently asked questions regarding handling Prohibited and Restricted Data can be found here.

Stanford expects all partners, consultants and vendors to abide by Stanford's information security policies. If non-public information is to be accessed or shared with these third parties, they should be bound by contract to abide by Stanford's information security policies. The required contract language can be found on the ASP Security Requirements page.

All new information systems that store or process Prohibited or Restricted Data should be assessed by the Information Security Office.

These guidelines are intended to reflect the minimum level of care necessary for Stanford's sensitive data. They do not relieve Stanford or its employees, partners, consultants or vendors of further obligations that may be imposed by law, regulation or contract.

NOTE: In case of a suspected Information Security Incident as described in the Information Security Incident Response Policy, AGM #6.6.1, involving any of the following items, the University's Information Security Office must be contacted immediately via HelpSU or by phone at 650-723-2911:

  • Social Security Numbers
  • Credit Card Numbers
  • Financial Account Numbers
  • Driver's License Numbers
  • Health Insurance Policy ID Numbers

Definitions

  • DGB is Stanford's Data Governance Board.
  • Computing Equipment is any Stanford or non-Stanford desktop or portable device or system.
  • A number is Masked if: (i) a credit card primary account number (PAN) has no more than the first 6 and the last 4 digits intact, and (ii) all other Prohibited or Restricted numbers have only the last 4 intact. See the entire DSS 2.0 Standard (if you are willing to agree to some terms).
  • NIST-Approved Encryption: The National Institute of Standards and Technology (NIST) develops and promotes cryptographic standards that enable U.S. Government agencies and others to select cryptographic security functionality for protecting their data. Encryption which meets NIST-approved standards is suitable for use to protect Stanford's data if the encryption keys are properly managed. In particular, secret cryptographic keys must not be stored or transmitted along with the data they protect. Cryptographic keys have the same data classification as the most sensitive data they protect.
  • Payment Card Industry Data Security Standards are the practices used by the credit card industry to protect cardholder data. The Payment Card Industry Data Security Standards (PCI DSS) comprise an effective and appropriate security program for systems that process, store, or have access to Stanford's Prohibited or Restricted data. The most recent version of the PCI DSS is available here.
  • Protected Health Information (PHI) is all individually identifiable information that relates to the health or health care of an individual and is protected under federal or state law. For questions about whether information is considered to be PHI, contact the University Privacy Officer.
  • A Qualified Machine is a computing device located in a secure Stanford facility and with access control protections that meet the Payment Card Industry Data Security Standards (https://www.pcisecuritystandards.org/security_standards/index.php).
  • Student Records are those that are required to be maintained as non-public by the Family Educational Rights and Privacy Act (FERPA). Student Records include Stanford-held student transcripts (official and unofficial), and Stanford-held records related to (i) academic advising, (ii) health/disability, (iii) academic probation and/or suspension, (iv) conduct (including disciplinary actions), and (v) directory information maintained by the Office of the Registrar and requested to be kept confidential by the student. Applications for student admission are not considered to be Student Records unless and until the student attends Stanford.
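The "Masked" definition above is concrete enough to implement and to check. The Python below is an added example, not code from the Stanford page or from any Stanford service: it masks a credit card PAN to the first 6 and last 4 digits, masks any other Prohibited or Restricted number to the last 4 digits, and tests whether a value already satisfies the definition before it is written to a log, ticket or email. The mask character, the dropping of separators and letters before masking, the rejection of PANs outside 13 to 19 digits, and the full masking of values with four or fewer digits are my assumptions, not rules stated in the policy.

```python
import re

# Added example (not from the Stanford page): masking per the policy's
# "Masked" definition. Assumptions of mine: 'X' as the mask character,
# separators and letters are dropped before masking, PANs outside 13..19
# digits are rejected, and values of 4 or fewer digits are masked entirely.

MASK_CHAR = "X"


def _digits_only(value: str) -> str:
    """Strip separators such as spaces and dashes; only digits are masked."""
    return re.sub(r"\D", "", value)


def mask_pan(pan: str) -> str:
    """Mask a credit card primary account number (PAN).

    Per the definition, at most the first 6 and the last 4 digits stay
    visible; everything between them is replaced. Assumption: a PAN
    outside the 13-19 digit range is rejected, because keeping 10 digits
    of a shorter number would leave little or nothing masked.
    """
    digits = _digits_only(pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits[:6] + MASK_CHAR * (len(digits) - 10) + digits[-4:]


def mask_number(number: str) -> str:
    """Mask any other Prohibited or Restricted number (SSN, account number,
    driver's license, insurance policy ID): only the last 4 digits stay
    visible. Assumption: 4 or fewer digits are masked entirely, since
    "the last 4" would otherwise be the whole value.
    """
    digits = _digits_only(number)
    if len(digits) <= 4:
        return MASK_CHAR * len(digits)
    return MASK_CHAR * (len(digits) - 4) + digits[-4:]


def is_masked(value: str, pan: bool = False) -> bool:
    """Return True if `value` already satisfies the Masked definition.

    Looks at every digit or mask position (separators are ignored): for a
    PAN the first 6 and last 4 positions may hold digits, for any other
    number only the last 4. Use this as a gate before a value is written
    to a log, ticket or email.
    """
    positions = [ch for ch in value if ch.isdigit() or ch == MASK_CHAR]
    n = len(positions)
    if n <= 4:  # same assumption as mask_number: short values show nothing
        return not any(ch.isdigit() for ch in positions)
    for i, ch in enumerate(positions):
        if ch.isdigit() and not ((pan and i < 6) or i >= n - 4):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample values; the PAN is a widely used test number.
    print(mask_pan("4111 1111 1111 1111"))  # 411111XXXXXX1111
    print(mask_number("123-45-6789"))       # XXXXX6789
    print(is_masked("XXXXX6789"))           # True
```

Note that masking is the alternative the policy offers to encryption only for the numbers themselves; a file that still carries the full value elsewhere (a log line, a backup, a ticket attachment) remains Prohibited or Restricted, which is why the check in `is_masked` is worth running at every point where the value leaves a Qualified Machine.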

Data Classifications

Use these criteria to determine which data classification is appropriate for a particular information or infrastructure system. A positive response to the highest category in any row is sufficient to place that system into that Classification.

Information Classification Guideline

Prohibited Information: Information is classified as "Prohibited" if protection of the information is required by law/regulation, or if Stanford is required to self-report to the government and/or provide notice to the individual if the information is inappropriately accessed. If a file which would otherwise be considered to be Restricted or Confidential contains any element of Prohibited Information, the entire file is considered to be Prohibited Information.

Restricted Information: Information is classified as "Restricted" if (i) it would otherwise qualify as "Prohibited" but it has been determined by the DGB that prohibiting information storage on Computing Equipment would significantly reduce faculty/staff/student effectiveness when acting in support of Stanford's mission and/or (ii) it is listed as Restricted in the "Classification of Common Data Elements" below.

Confidential Information: Information is classified as "Confidential" if (i) it is not considered to be Prohibited or Restricted and is not generally available to the public, or (ii) it is listed as Confidential in the "Classification of Common Data Elements".

Unrestricted Information: Information is classified as "Unrestricted" if it is not considered to be Prohibited, Restricted, or Confidential.

Classification of Common Data Elements

  • Social Security Numbers
  • Credit Card Numbers
  • Financial Account Numbers, such as checking or investment account numbers
  • Driver's License Numbers
  • Health Insurance Policy ID Numbers
  • Health Information, including Protected Health Information (PHI)
  • Passport and visa numbers
  • Export controlled information under U.S. laws
  • Student Records
  • Unpublished Research Data
  • Faculty/staff employment applications, personnel files, benefits information, salary, birth date, and personal contact information
  • Admission applications
  • Donor contact information and non-public gift amounts
  • Privileged attorney-client communications
  • Non-public Stanford policies and policy manuals
  • Stanford internal memos and email, and non-public reports, budgets, plans, and financial information
  • Non-public contracts
  • University and employee ID numbers
  • Project, Task, Award (PTA) numbers
  • SUNet IDs
  • Information authorized to be available on or through Stanford's website without SUNet ID authentication
  • Published Research Data
  • Certain policy and procedure manuals designated by the owner as public
  • Campus maps
  • Job postings
  • Certain University contact information not designated by the individual as "private" in StanfordYou
  • Information in the public domain

Access Protocol

Prohibited Information: Access only with permission from the DGB or the VP for Business Affairs.

Restricted Information: Access limited to those permitted under law, regulation and Stanford's policies, and with a need to know.

Confidential Information: Access limited to those with a need to know, at the discretion of the data owner or custodian.

Unrestricted Information: Anyone may access Unrestricted information. However, care should always be taken to use all University information appropriately and to respect all applicable laws. Information that is subject to copyright must only be distributed with the permission of the copyright holder.

Transmission

Prohibited Information: NIST-approved encryption is required when transmitting information through a network. Third party email services are not appropriate for transmitting Prohibited information. Prohibited numbers may be Masked instead of encrypted.

Restricted Information: NIST-approved encryption is required when transmitting information through a network. Third party email services are not appropriate for transmitting Restricted information. Restricted numbers may be Masked instead of encrypted.

Confidential Information: NIST-approved encryption is strongly recommended when transmitting information through a network. Third party email services are discouraged for transmitting Confidential information.

Unrestricted Information: No encryption is required for Unrestricted information.

Storage

Prohibited Information: Prohibited on Computing Equipment unless approved by the DGB. If the DGB approves, NIST-approved encryption is required on Computing Equipment. Prohibited numbers may be Masked instead of encrypted. NIST-approved encryption is also required if the information is not stored on a Qualified Machine. Third party processing or storage services are not appropriate for receiving or storing Prohibited information unless approved by the DGB.

Restricted Information: NIST-approved encryption is required if information is stored on Computing Equipment. Restricted numbers may be Masked instead of encrypted. NIST-approved encryption is also required if the information is not stored on a Qualified Machine. Third party processing or storage services are not appropriate for receiving or storing Restricted information unless approved by the DGB.

Confidential Information: Encryption of Confidential information is strongly recommended. The level of required protection of Confidential information is either pursuant to Stanford policy or at the discretion of the owner or custodian of the information. If the appropriate level of protection is not known, check with the data owner before storing Confidential information unencrypted. Third party processing or storage services may receive or store Confidential data if Stanford has a valid contract with the vendor that includes the standard clauses specified in the ASP Security Requirements.

Unrestricted Information: No encryption is required for Unrestricted information. Care should still be taken to protect the integrity of Unrestricted information.

Unpublished Research Data

Published research data is of course considered public, and the University is committed to openness in its research. The section "Openness in Research" of the Research Policy Handbook codifies this commitment and also outlines some situations in which unpublished research data may need to be kept private. In those circumstances, unpublished research data is considered Confidential.

For purposes of data classification, a faculty member directing research is the data owner of the results of that research. As such, determining the level of protection necessary for unpublished research data is the prerogative of the faculty, taking into account any agreements such as the information security requirements of external research sponsors.

Stanford Services Quick Reference Guide

If not specified below, contact the Information Security Office for guidance before using a service to store, process, or transmit Prohibited, Restricted, or Confidential data as defined above, noting that Data Governance Board (DGB) approval is needed in advance of handling Prohibited data on anything other than Qualified Machines. Some of the services below require additional components in order to qualify for the specified permitted data classifications. Click on the service link for details.

Service | Prohibited | Restricted | Confidential | Unrestricted

Stanford (Internally Hosted) Services
AFS | Not Permitted | Not Permitted | Permitted | Permitted
Block Backup | Not Permitted | Permitted | Permitted | Permitted
Block Storage | Not Permitted | Permitted | Permitted | Permitted
Call Recording | Not Permitted | Permitted | Permitted | Permitted
CGI | Not Permitted | Not Permitted | Permitted | Permitted
Community Academic Profiles (CAP) Network | Not Permitted | Permitted | Permitted | Permitted
Confluence | Not Permitted | Not Permitted | Permitted | Permitted
CrashPlan | Permitted | Permitted | Permitted | Permitted
Drupal | Not Permitted | Not Permitted | Permitted | Permitted
High Performance Computing (HPC) | Not Permitted | Not Permitted | Permitted | Permitted
Individual & Group Storage (CIFS) | Not Permitted | Not Permitted | Permitted | Permitted
Instant Messaging | Not Permitted | Not Permitted | Permitted | Permitted
MediaWiki | Not Permitted | Not Permitted | Permitted | Permitted
MedSecureSend (Accellion) | Not Permitted | Permitted | Permitted | Permitted
Microsoft Exchange Email and Calendar (provided by ITS) | Not Permitted | Not Permitted | Permitted | Permitted
MySQL Database Hosting | Not Permitted | Not Permitted | Permitted | Permitted
Network Access Control (SUNAC) | Permitted | Permitted | Permitted | Permitted
Online Archive Storage | Not Permitted | Permitted | Permitted | Permitted
Secure AFS | Permitted | Permitted | Permitted | Permitted
Secure Individual & Group Storage (Secure CIFS) | Not Permitted | Permitted | Permitted | Permitted
Secure Email (Zimbra email with "Secure:" in subject line) | Permitted | Permitted | Permitted | Permitted
Server Disk Storage | Not Permitted | Permitted | Permitted | Permitted
SharePoint | Not Permitted | Not Permitted | Permitted | Permitted
Voice Messaging | Not Permitted | Permitted | Permitted | Permitted
VPN | Permitted | Permitted | Permitted | Permitted
Web Forms | Not Permitted | Not Permitted | Permitted | Permitted
Whole Disk Encryption (SWDE) | Not Permitted | Permitted | Permitted | Permitted
WordPress | Not Permitted | Not Permitted | Permitted | Permitted
Zimbra Email and Calendar (without "Secure:" in subject line) | Not Permitted | Not Permitted | Permitted | Permitted

Third-Party (Externally Hosted) Services Vetted by Stanford
Stanford instance of Box.com | Not Permitted | Not Permitted | Permitted | Permitted
Connected (Autonomy) | Permitted | Permitted | Permitted | Permitted
Stanford instance of Google Apps (Calendar, Contacts, Docs, Drive, Email, Sites, and Talk) | Not Permitted | Not Permitted | Permitted | Permitted
MozyPro | Permitted | Permitted | Permitted | Permitted
Stanford instance of Qualtrics | Not Permitted | Permitted | Permitted | Permitted
Stanford instance of WebEx (with recording) | Not Permitted | Not Permitted | Permitted | Permitted
Stanford instance of WebEx (without recording) | Permitted | Permitted | Permitted | Permitted

End User Devices
Stanford Managed iOS Device with MDM Restricted Profile | Not Permitted | Permitted | Permitted | Permitted
SWDE Compliant Device | Not Permitted | Permitted | Permitted | Permitted
Unmanaged Mobile Device | Not Permitted | Not Permitted | Permitted | Permitted


Last modified: 04/04/2014 09:10:26 AM