Policy Steward: Vice President for Administration


  • Purpose
  • Scope
  • Policy
  • .... Data Categories
  • .... Data Categorized by External Originator
  • .... Responsibilities
  • .... Sanctions for Policy Violations
  • .... Categorization Appeal Process
  • Further Information
  • Cross References


    The University takes seriously its commitment to protect the confidentiality of data necessary to the University’s academic, research and administrative missions and to protect personally identifiable information entrusted to its care, consistent with law, policy and industry practice.

    The purpose of this Policy is to establish the categories of sensitivity that apply to data processed, stored or transmitted within the University and its systems. The categories also apply equally to data processed, stored or transmitted on behalf of the University by third party providers.  Contracts with third party providers must reflect categorization requirements as established by this Policy. The categorization system applies equally to electronic and hard copy media.


    This Policy is applicable for all University locations, and applies to all institutional data and the systems that process, store or transmit such data, including personally owned systems.


    Data Categories:

    Three categories of sensitivity shall exist with regard to data used within the University. These are Public, Internal/Controlled and Restricted. The following definitions apply:

    Public:  Public data are intended for distribution to the general public, both internal and external to the University. The release of the data would have no or minimal damage to the institution.

    Internal/Controlled:  Internal/controlled data is intended for distribution within the University only, generally to defined subsets of the user population. The release of the data has the potential to create moderate damage to the institution. (Such damage may be legal, academic [loss or alteration of intellectual property] financial, or intangible [loss of reputation]).

    Restricted:  Restricted data are those which the University has legal, regulatory, policy or contractual obligations to protect. Access to restricted data must be strictly and individually controlled and logged. The release of such data has the potential to create major damage to the institution. (Such damage may be legal, academic [loss or alteration of intellectual property], financial, or intangible [loss of reputation]).

    A list of sample data falling into each of the categories is provided in Guideline ADG07.

    Data Categorized by External Originator:

    There are data whose categorization and handling are mandated by a data originator external to the University. Processes and protections for such data must be in accordance with the specific constraints provided by the originator in permitting the University or unit to use the data in whole or in part. In such cases, the originator's requirements must be followed beyond the categorization requirements given above.


    Deans, Administrative Officers and Budget Executives:

    Where appropriate, the Privacy Office, Risk Management and Purchasing will ensure that third party contracts include data categorization requirements.

    Users will be responsible for identifying the categories of information with which they deal and the systems or physical areas containing such data. Such identification will be in accordance with unit-established processes as managed by the unit liaison. Once identified, users will be responsible for protecting this information, in accordance with the parameters of this policy.

    Sanctions for Policy Violations:

    Any faculty, staff member or student who willfully or negligently releases internal/controlled or restricted information without authorization may be subject to disciplinary action up to and including expulsion for students or termination for employees.

    Any faculty or staff member or student who willfully or negligently fails to categorize assets under his/her control correctly and to apply appropriate safeguards may be subject to disciplinary action up to and including termination.

    Categorization Appeal Process:

    Exceptions to the requirement to categorize data, or to the specific category assigned to a particular data type, must be approved by:


    For questions, additional detail, or to request changes to this policy, please contact Security Operations and Services.


    AD11 - University Policy on Confidentiality of Student Records,

    AD20– Computer and Network Security,

    AD23 - Use of Institutional Data,

    AD53 - Privacy Statement,

    AD35 - University Archives and Records Management,

    ADG01 - Glossary of Computerized Data and System Terminology,

    ADG02 - Computer Security (formerly Computer Facility Security)

    ADG06 - Appropriate Use of Student Data, and

    ADG07 - Data Categorization Examples, and

    HR60 - Access to Personnel Files.

    Effective Date: October 12, 2012
    Date Approved: September 10, 2012
    Date Published: October 12, 2012 (Editorial changes, April 22, 2014)

    Most recent changes:

    Revision History (and effective dates):

    | top of this policy | GURU policy menu | GURU policy search | GURU home | GURU Tech Support | Accessibility Statement | Penn State website |