Data Classification Levels

Overview

The classification of data is based on the level of sensitivity and impact to the University should that data be disclosed or compromised. The classification of data helps determine what security controls are appropriate and adequate for safeguarding the data. All institutional data should be classified into one of the following classifications:

Classification Levels

Please see the Data Definitions and Types document for more information on Sensitive Data.

 Tier 1: Low-Risk Classification

Low-risk data refers to information that poses a minor risk of harm or small impact if exposed or accessed by unauthorized individuals. This type of data typically is not specifically protected by statute, regulations, or other contractual obligations and does not contain sensitive, confidential, or personally identifiable information (PII), nor does it involve financial, medical, or proprietary details. Examples of low-risk data include: general administrative data, publicly available information, or de-identified datasets.

  • General institutional and business information
  • Patent Applications and work papers
  • Drafts of unrestricted/unclassified research papers
  • Building Plans
  • Research data that has been de-identified in accordance with applicable rules.
  • Published research data (barring other publication restrictions); published information about the University; research awards, research proposals
  • Directory information about students who have not requested a FERPA block
  • Faculty and staff directory information
  • Course catalogs
  • University IDs not associated with names

 Tier 2: Moderate-Risk Classification

Moderate-risk data includes information that, if exposed or accessed by unauthorized individuals, could cause moderate harm to affected individuals or disruption to university systems but is not as sensitive as high-risk data. This type of data may be restricted by statute, regulation, contractual obligation, or university policy and can include personally identifiable information (PII) without sensitive attributes (such as names or email addresses), proprietary information, or data that requires protection but does not have legal or regulatory restrictions. Moderate-risk data could also include internal business processes, research data that is not public, or non-sensitive financial records.

  • Information protected by the Family Educational Rights and Privacy Act (FERPA), including non-directory student information and directory information about students who have requested a FERPA block
  • University IDs when associated with names or any other information that could identify individuals
  • Drexel personnel records
  • Drexel institutional financial records
  • Individual donor information
  • Immigration documents (such as visas)
  • Other personal information protected under state, federal, and foreign privacy laws and not classified in Tier 3 or 4.
  • Intellectual or other proprietary property
  • Emergency planning information; public safety and security information
  • IT service management information
  • Telecommunications system
  • Contracts with third-party entities.
  • Drexel nonpublic financial information
  • Coursework

 Tier 3: High-Risk Classification

Restricted-risk data is the highest classification of sensitive information, where unauthorized access, disclosure, or misuse could result in significant legal, financial, operational, or reputational damage to individuals or the institution. This category often includes data that is subject to stringent regulatory and compliance requirements, such as classified information, national security data, sensitive legal documents, or any other information specifically designated as restricted by law or organizational policies.

  • Individually identifiable financial or medical information; credit card numbers, student financial information, Protected Health Information (PHI)
  • Information commonly used to establish identity that is protected by state, federal, or foreign privacy laws and regulations, such as Pennsylvania law protecting personal information, and not classified in Tier 4; Social Security numbers (SSN)
  • Individually identifiable genetic information that is not Tier 4.
  • National security information (subject to specific government requirements)
  • Passwords and PINs that can be used to access confidential information
  • Human Research Data
  • Attorney-client privileged information
  • Controlled Unclassified Information (CUI)
  • Export controlled information (ITAR, EAR)
  • IT security information (i.e., privileged credentials, incident information)
  • Student loan application information (GLBA)

 Tier 4: Restricted Classification

Restricted-risk data is the highest classification of sensitive information, where unauthorized access, disclosure, or misuse could result in significant legal, financial, operational, or reputational damage to individuals or the institution. This category often includes data that is subject to stringent regulatory and compliance requirements, such as classified information, national security data, sensitive legal documents, or any other information specifically designated as restricted by law or organizational policies.

  • Information covered by a regulation or agreement that requires that data be stored or processed in a high-security environment and on a computer not connected to the Drexel data networks
  • Information required to be handled in the same manner as the University’s most sensitive data
  • Certain individually identifiable records (criminal, sensitive, medical) and identifiable genetic information categorized as extremely sensitive.

Related Services / Offerings (1)

This service is provided by the Information Security Office. In order to protect the Institution and the Institution's systems, departments and/or individuals should complete this form to initiate a security assessment where a third-party software/service will store/process/transmit institutional information as defined in the Information Security for Institutional Information Policy (IT-8). This is intended for use by Institution personnel and should be completed by an organizational unit [Requester] within the Institution. Kindly engage your college or central IT professional while completing this form. Early IT involvement during third-party risk/security assessments often improves risk/security assessment quality and reduces unnecessary delays in the process. This process will assist the Institution in preventing breaches of institutional information and comply with Institutional policies, state, and federal laws.