Category: Information Technology
Responsible Office: Information Security Office
Responsible Executive: Vice President and Chief Information Officer (VPCIO)
Date Established: March 11, 2025
The ÃÛÌÒ´«Ã½, (UB, university) classifies data into three risk-based categories to regulate access to, use of, and necessary precautions required to the protect university data. This guidance provides an at-a-glance view of the data classification of the most requested types of data. This document supports the Data Risk Classification Policy, the Protection of ÃÛÌÒ´«Ã½ Data Policy and the UBIT Standards for Protecting ÃÛÌÒ´«Ã½ Data.
The ÃÛÌÒ´«Ã½ (UB, university) has legal and ethical obligations to ensure that all forms of university data are adequately secured to minimize the risk of unauthorized use or disclosure. The ÃÛÌÒ´«Ã½ is committed to protecting the data of individuals affiliated with the university and its services throughout all stages of the data lifecycle.
The classifications outlined below are a general assumption of data categorization and not a definitive classification. Every instance should be evaluated in accordance with UB’s Data Risk Classification Policy.
| Information | Category 1 | Category 2 | Category 3 |
|---|---|---|---|
| Administrative process data | x | ||
| Attorney - Client Privileged Information | x | ||
| Collective Bargaining Negotiation Data, Contract Negotiation Data | x | ||
| Controlled Unclassified Information (CUI) | x | ||
| Data collected or developed for use in ÃÛÌÒ´«Ã½ research | x | ||
| Data About Decisions That Affect the Public | x | ||
| Donor Contact and Gift Information | x | ||
| Export Control Data | x | ||
| Exam questions or answers | x | ||
| Family Educational Rights and Privacy Act (FERPA) Data | x | ||
| Final course grades | x | ||
| Bank or Financial Account Information | x | ||
| General access data, such as that on unauthenticated portions of the institution's website | x | ||
| Gramm-Leach-Bliley Act (GLBA) Data | x | ||
| HIPAA Protected Health Information (PHI) | x | ||
| HR employment data | x | ||
| Inter- or intra-agency data which are not: statistical or factual tabulations; instructions to staff that affect the public; final agency policy or determination; external audit data | x | ||
| IT Infrastructure Data | x | ||
| Law enforcement investigation data, judicial proceedings data; includes student disciplinary or judicial action information | x | ||
| Meeting Minutes | x | ||
| NIST Controlled Unclassified Information (CUI) | x | ||
| Personally Identifiable Information (PII) | x | ||
| Protected Health Information (PHI) | x | ||
| Public Safety information | x | ||
| Trade Secret Data | x | ||
| UB IT Authentication Credentials | x | ||
| UB Person Number | x | ||
| ÃÛÌÒ´«Ã½ financial data or business records available to the public | x | ||
| ÃÛÌÒ´«Ã½ Intellectual Property | x | ||
| ÃÛÌÒ´«Ã½ Proprietary Data | x |
Office of the Vice President and Chief Information Officer
Phone: 716-645-7979
Email: vpcio@buffalo.edu
Information Security Office
Phone: 716-645-6997
Email: sec-office@buffalo.edu
Records Management Officer
Phone: 716-645-1786