STANFORD UNIVERSITY

SECURE COMPUTING

Classification of Data

Use these criteria to determine which data classification is appropriate for a particular information or infrastructure system. A positive response to the highest category in any row is sufficient to place that system into that Classification.

NOTE: In case of a suspected Information Security Incident as described in the Information Security Incident Response Policy, AGM #67, involving any of the following items, the University’s Information Security Office (security@stanford.edu) must be contacted immediately:

  • Social Security Numbers
  • Credit Card Numbers
  • Bank Account Numbers
  • Driver’s License Numbers

All new information systems that store or process Restricted Data should be assessed by the Information Security Office.

Classifications

  • Restricted Data (highest, most sensitive)
  • Sensitive Data (moderate level of sensitivity)
  • Public Data (low level of sensitivity)

Legal requirements

  • Restricted Data: Protection of data is required by law (e.g., see list of specific HIPAA and FERPA data elements)
  • Sensitive Data: Stanford has a contractual obligation to protect the data
  • Public Data: Protection of data is at the discretion of the owner or custodian

Reputation risk

  • Restricted Data: High
  • Sensitive Data: Medium
  • Public Data: Low

Other Institutional Risks

  • Restricted Data: Information which provides access to resources, physical or virtual
  • Sensitive Data: Smaller subsets of protected data from a school or department
  • Public Data: General university information

Access

  • Restricted Data: Only those individuals designated with approved access and signed non-disclosure agreements
  • Sensitive Data: Stanford employees and non-employees who have a business need to know
  • Public Data: Stanford affiliates and general public with a need to know

Examples

  • Restricted Data:
    • Medical
    • Students
    • Prospective students
    • Personnel
    • Donor or prospect
    • Financial
    • Contracts
    • Physical plant detail
    • Credit card numbers
    • Certain management information
    • See below for more specific examples
  • Sensitive Data:
    • Information resources with access to restricted data
    • Research detail or results that are not restricted data
    • Library transactions (e.g., catalog, circulation, acquisitions)
    • Financial transactions which do not include restricted data (e.g., telephone billing)
    • Information covered by non-disclosure agreements
  • Public Data:
    • Campus maps
    • Business contact data (e.g., directory information)
    • Email

More specific examples of Restricted Data

HIPAA - Protected Health Information

  • Patient Names
  • Street address, city, county, zip code
  • Dates (except year) for dates related to an individual
  • Telephone/Facsimile numbers
  • E-mail, URLs, & IP #'s
  • Social security numbers
  • Account/Medical record #'s
  • Health plan beneficiary numbers
  • Certificate/license #'s
  • Vehicle identifiers & serial #'s
  • Device identifiers & serial #'s
  • Biometric identifiers
  • Full face images
  • Any other unique identifying number, characteristic, or code
  • Payment Guarantor's information

For more information, see Stanford's HIPAA web page.

FERPA - Student Records

  • Grades / Transcripts
  • Class lists or enrollment information
  • Student Financial Services information
  • Athletics or department recruiting information
  • Credit Card Numbers
  • Bank Account Numbers
  • Wire Transfer information
  • Payment History
  • Financial Aid / Grant information / Loans
  • Student Tuition Bills

Note that the following data may ordinarily be revealed by the University without student consent unless the student designates otherwise.

  • Name
  • Date of birth
  • Place of birth
  • Directory address and phone number
  • Electronic mail address
  • Mailing address
  • Campus office address (for graduate students)
  • Secondary mailing or permanent address
  • Residence assignment and room or apartment number
  • Specific quarters or semesters of registration at Stanford
  • Stanford degree(s) awarded and date(s)
  • Major(s), minor(s), and field(s)
  • University degree honors
  • Institution attended immediately prior to Stanford
  • ID card photographs for University classroom use

For more information, see Stanford's FERPA web page.

Donor Information

  • Name
  • Graduating Class & Degree(s)
  • Credit Card Numbers
  • Bank Account Numbers
  • Social Security Numbers
  • Amount/what donated
  • Telephone/Facsimile numbers
  • E-Mail, URLs
  • Employment information
  • Family information (spouse(s) / children / grandchildren)
  • Medical History (alumni/family who have major medical procedures performed at Stanford Hospital / LPCH)

Faculty/Staff Housing

  • Name / Spouse
  • Credit rating / history
  • Income levels and sources, etc.
  • Loan application data

Research Information

  • Private funding information
  • Human subject information
  • Lab animal care information

General Information

  • Confidential legal information

Employee Information

  • Performance reviews
  • Worker's compensation or disability claims
  • Name in association with:
    • Social Security Number
    • Salary or payroll information
    • Bank account number
    • Date of birth
    • Home address or personal contact information
    • Driver's license number
    • Benefits information

Business data

  • Credit card numbers with/without expiration dates
  • Bank or brokerage account numbers
  • Purchasing card (P-card) numbers
  • Social Security or other Taxpayer ID numbers [Stanford's Federal Employer ID number is not considered Restricted Data]
  • Privileged contract information

Management data

  • Detailed annual budget information
  • Faculty Annual Conflict of Interest Disclosures
  • University's investment information
  • Non-anonymous faculty course evaluations
Last modified Tuesday, 06-Nov-2007 03:44:08 PM
