University of Wisconsin–Madison

Data Classification

Data Stewards are required by UW System Administrative Policy 1031 to classify major data systems based on risk and to review the classifications annually. UW-Madison classifies data as Public, Internal, Sensitive, or Restricted. UW-Madison also uses these classifications for provisioning access to data to individuals. Descriptions of UW-Madison’s four data classification categories are below.

Public

Data should be classified as Public prior to display on web-sites or once published without access restrictions; and when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates.

Internal

Data should be classified as Internal when the unauthorized disclosure, alteration, loss or destruction of that data could result in some risk to the University, affiliates, or research projects. By default, all Institutional Data that is not explicitly classified as Restricted, Sensitive or Public data should be treated as Internal data.

Sensitive

Data should be classified as Sensitive when the unauthorized disclosure, alteration, loss or destruction of that data could cause a moderate level of risk to the University, affiliates or research projects. Data should be classified as Sensitive if the loss of confidentiality, integrity or availability of the data could have a serious adverse effect on university operations, assets or individuals.

Restricted

Data should be classified as Restricted when the unauthorized disclosure, alteration, loss or destruction of that data could cause a significant level of risk to the University, affiliates or research projects. Data should be classified as Restricted if protection of the data is required by law or regulation or UW-Madison is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed