Introduction
This article provides guidance on how to determine the appropriate data security classification for an application, based on Minnesota State’s Operating Instruction 5.23.2.1. The classification process helps ensure that institutional data is handled according to its sensitivity and legal requirements. Users will learn how to identify whether data should be classified as Highly Restricted, Restricted, or Low.
How to Identify the Data Classification for an Application
To determine the appropriate data classification for an application, begin by reviewing the types of data it collects, stores, or processes. Using the definitions in https://www.minnstate.edu/board/procedure/5-23p2g1.pdf, match each data type to one of three classification levels: Highly Restricted, Restricted, or Low.
If any data element falls under the Highly Restricted category, the entire application must be classified at that level. If no data is highly restricted but some is restricted, then the application should be classified as Restricted. Only if all data is public should the application be classified as Low.
Data Classification Reference
Below is a list of data elements defined in the operating instruction, grouped by classification level.
Highly Restricted Data Elements (Exhaustive List)
- Social Security numbers
- Credit/payment card numbers and related information
- Financial account numbers (e.g., banking or investment accounts)
- Security or access codes or passwords used to access highly restricted data
- Personal health/medical information (including insurance policy ID numbers and HIPAA-covered data)
- Non-public investigation data (as determined by legal counsel)
- Credentials for IT systems that manage highly restricted data
- Biometric information
- Trade secrets or intellectual property protected by a non-disclosure agreement
Restricted Data Elements (Not Exhaustive)
- Student records (applications, transcripts, test scores, grades, discipline, schedules, financial aid, loan records)
- Suppressed student directory information
- Student class lists
- Faculty or institutional trade secrets or intellectual property
- Library use information
- Individual demographics (age, race, ethnicity, gender, citizenship, visa status, veteran/disability status, home address/phone, dependent info)
- Employment applications, personnel files, benefits info, birth date, personal contact info
- Donor contact info and non-public gift amounts
- Attorney-client privileged communications
- Internal memos, emails, reports, and financial data marked as non-public
- Driver’s license numbers
- Student ID numbers (if not directory data) and passwords
- Employee performance and private personnel data
- Parking lease information
- RFP vendor responses and scoring (prior to contract award)
- Credentials for systems managing restricted data or systems classified as Low
- Partial Social Security numbers
- Business continuity and disaster recovery plans
- Security information as defined by Minn. Stat. § 13.37
Low Data Elements (Not Exhaustive)
- Public employee information (name, job title, work location, salary, etc.)
- Unsuppressed student directory information
- Financial data on publicly funded projects
- Course offerings
- Invoices and purchase orders
- Budgets
- Summary or statistical data that does not identify individuals
- Public website content (not requiring StarID login)
- Published research data
- Campus maps
- Job postings
- Information in the public domain
- SCSU Directory Data, including:
- Name
- Hometown
- Most recent previous educational institution
- Enrollment status
- Class level (freshman, sophomore, etc.)
- Major and minor field of study
- Dates of attendance
- Degrees and dates awarded
- Non-financial honors/awards and dates awarded
- Weight and height of athletic team members
- Participation in officially recognized activities and sports, and participation dates
Resources