Restricted Data

What is Restricted Data?

UW-Madison classifies data into one of four risk-based categories: Public, Internal, Sensitive, and Restricted. Data is classified as Restricted when the unauthorized disclosure, alteration, loss or destruction of that data could cause a significant level of risk to the University, affiliates or research projects. Data is classified as Restricted if protection of the data is required by law or regulation or if UW-Madison is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed.

Can I share Restricted Data with others?

Restricted Data may not be shared without verification that those receiving the data are specifically authorized to access the data.

When can I access and use Restricted Data?

Restricted Data may be accessed and used only for legitimate business purposes, which include:

  • Meeting regulatory or compliance requirements that require handling of the data.
  • Management or operational processes (business or academic) that require handling of the data.
  • System development, administration, or maintenance that requires handling of the data.
  • Other legitimate required or properly approved use that improves instructional practice, educational outcomes, or student experience for students at UW–Madison that requires handling of the data.

An individual authorized to access Restricted Data must do so only to fulfill the job duties for which the authorization was granted. An individual authorized to access Restricted Data may not access Restricted Data for personal use.

What are my responsibilities for protecting Restricted Data?

Restricted Data must be protected by passwords or strong authentication, such as smart cards or certificates, or physically stored under lock and key. Restricted Data must not be left unattended.

Restricted Data may be modified only by the information owner or other parties authorized by the owner.

Restricted Data will be deleted or destroyed once the associated task is completed or when the legitimate business use of the data no longer exists.
