OUHSC Information Technology Department

Home  |  Online Help  |  Policies  |  Forms  |  Tier Ones

Data Classification

Supporting documents: Full policyAdobe PDF File

All Information System owners must classify their data based upon the data classification that uses the following categories.

Category A


Category B


Category C


Category D



Data and associated IS that is legally regulated with a requirement to self-report to the government and/or provide notice to the individual if information is inappropriately accessed, such as:

  • PCI
  • PII
  • FERPA 

Information System designated as “High Risk.”

Data and associated IS, used in the conduct of  University business, in which the data is not legally regulated, but which an expectation of privacy or confidentiality exists;

Data that the IS Owner and/or University executive leadership have determined not to publish or make public;

Data protected by contractual obligations;

All public-facing IS (IS exposed to the Internet).

Data and associated IS not generally available to the public, and is not regulated or under contractual obligations for data protection.

Data that the University is under obligation to make available to the public.

Data for which there is no expectation of privacy or confidentiality

Data that the University or its employees have the right to make and have chosen to make available or to publish for the explicit use of the general public;

Common Classification Elements

Social Security Numbers

Credit Card Numbers

Financial Account Numbers, such as checking or investment account numbers

Driver’s License Numbers

Health Insurance Policy ID Numbers

Protected Health Information (ePHI)

Student Records

Export controlled information under U.S. laws

Human Participant Research Data

Passport and visa numbers

Animal Research IACUC Protocol Data

Animal Research Veterinary Record Data

Admissions applications

Donor contact information and non-public gift amounts

Privileged attorney-client communications

Faculty/staff employment applications, personnel files, benefits information, salary

Unpublished Research Data

Non-public OUHSC policies and procedure documentation

OUHSC internal memos and email, and non-public reports, budgets, plans, and financial information

Non-public contracts

University and employee ID numbers

Information authorized on OUHSC websites without authentication

Published Research Data

Campus maps

Job postings

OUHSC directory contact information not designated by the individual as “private”

Use criteria in the Information System and Data Classification table to determine which data category is appropriate for your information. Also Data Classification in the definitions document for more details on data types and classification.