I. Policy Statement

Data classification is a process used to categorize and organize data based on its sensitivity and the potential risk to the university if the data were to be disclosed to an unintended party, altered without authorization, or become inaccessible due to loss or destruction. As a critical asset of the university, data must be safeguarded and protected to maintain the safety, mission, finances, and reputation of the university. 

Data classification applies to information in any form, such as paper or electronic records.

II. Coverage

This policy applies to any person or entity who has access to Institutional Data. This includes, but is not limited to, university faculty, faculty emeriti, staff, students, officers, trustees, volunteers, guests, vendors, consultants, and service providers.

III. Definitions and Abbreviations

"Institutional Data" is information in any form that the university or a representative of the university creates, collects, maintains, transmits, or records to conduct its operations. 

“Data Owner,” “Data Steward,” “Data Manager,” and “Data User” are defined at https://www.pugetsound.edu/data-governance-terms-definitions

IV. Policy Application and Requirements

A. Roles and Responsibilities

Members of the President’s Cabinet will designate appropriate Data Owner(s) within their respective area(s) of responsibility.

Data roles and responsibilities are defined at https://www.pugetsound.edu/data-governance-terms-definitions

Any person or entity accessing Institutional Data that has a data classification of Confidential or Controlled (see below) has the following responsibilities as detailed in the Data Protection Procedures:

  1. Obtain access to and use the data only as it pertains to one’s roles, responsibilities, and/or job duties with the university;
  2. Access and use only the minimum amount of information needed for one's purpose;
  3. Utilize proper methods to access, store, share, transmit, and destroy the data;
  4. Take reasonable precautions to prevent the inappropriate disclosure of the data to which one has access;
  5. Not maliciously or unreasonably tamper, alter, remove, or destroy Institutional Data;
  6. Promptly report unauthorized disclosure of data; and
  7. Comply with all applicable university policies and international, federal, state, and local laws and regulations.

For additional details about the above responsibilities, please refer to the Data Protection Procedures.

B. Data Classification

The purpose of data classification is to assist in making appropriate judgments about what security controls are necessary when using, storing, or transmitting data. Puget Sound has classified its Institutional Data into risk-based categories for the purpose of determining who is allowed to access the data and what administrative, physical, and technical safeguards must be taken to protect it against unauthorized access.

Data Class: Confidential
Risk of Adverse Impact: High
Definition:

Institutional Data is classified as Confidential/High Risk if:

  1. Protection of the data is required by law or regulation;
  2. Puget Sound is required to self-report to the government and/or provide notice to the individual if the data are inappropriately accessed; or
  3. The loss of confidentiality, integrity, or availability of the data could have a significant adverse impact on our mission, safety, finances, or reputation.

IMPORTANT NOTE - High Risk Data is further classified as either:

  • Confidential-Not Regulated Data
  • Confidential-Regulated Data

Data Class: Controlled
Risk of Adverse Impact: Moderate
Definition:

Institutional Data is classified as Controlled/Moderate Risk if it is not considered to be Confidential/High Risk, and:

  1. The data is not generally available to the public, or
  2. The loss of confidentiality, integrity, or availability of the data or system could have a mildly adverse impact on our mission, safety, finances, or reputation.

Data Class: Unrestricted
Risk of Adverse Impact: Low
Definition:

Institutional Data is classified as Unrestricted/Low Risk if it is not considered to be Confidential/High Risk or Controlled/Moderate Risk, and:

  1. The data is intended for public disclosure, or
  2. The loss of confidentiality, integrity, or availability of the data or system would have minimal adverse impact on our mission, safety, finances, or reputation.

Please refer to the university’s Data Classification Workflow and data classification examples in the university’s Data Protection Procedures. When a data set falls into multiple risk categories, use the highest risk classification across the entire data set. 

V. Effective Date

This policy is effective as of June 3, 2026.

VI. Related Statutes, Regulations, and Policies

 

Policy Owner: Chief Information Officer, Division of Finance & Administration
Policy Contact: datagovernance-chairs@pugetsound.edu; servicedesk@pugetsound.edu
Date Adopted: June 3, 2026
Date Last Reviewed: June 3, 2026
Date Last Revised: June 3, 2026