Data Risk Classification Policy Revised


Published February 5, 2025

The university has updated the Data Risk Classification Policy. The revised policy is available in the University Policy Library.

Overview


The University at Buffalo is committed to protecting the confidentiality, integrity, and availability of university data. All university data must be classified into one of three data classification categories:

Category 1 – Restricted Data

Protection of Category 1 – Restricted Data is required by law or regulation. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.

Restricted data takes as its foundation the definition of private information in the New York State (NYS) Security Breach and Notification Act: bank account, credit card, and debit card numbers; social security numbers; state-issued driver license numbers; and state-issued non-driver identification numbers. To this list, university policy adds protected health information (PHI), computer passwords and other computer access protection data, passport numbers, and research data whose use requires PHI or personally identifiable information (PII).

Individuals who access, process, store, or in any other way handle Category 1 – Restricted Data must implement controls and security measures as required by relevant laws, regulations, university policies, and supporting standards. In instances where laws and/or regulations conflict with university policy, the more restrictive policy, law, or regulation governs.

Category 2 – Private Data

Category 2 – Private Data includes university data which is not identified as Category 1 – Restricted Data, but which is protected by state and federal regulations. This includes student records protected by the Family Educational Rights and Privacy Act (FERPA), electronic records that are specifically exempt from disclosure under the New York State (NYS) Freedom of Information Law (FOIL), Research Foundation (RF) proprietary data, and all University at Buffalo research data.

Category 2 – Private Data must be protected so that it is not disclosed in response to a FOIL request and is disclosed only as required by law. Decisions about disclosure must be made by the Records Management Officer.

Category 3 – Public Data

Category 3 – Public Data includes all other university data which is not included in Category 1 – Restricted Data or Category 2 – Private Data. Category 3 – Public Data includes any data that is releasable in accordance with FOIL. This category also includes general access data, such as that available on unauthenticated portions of UB’s website. Public data has no requirements for confidentiality; however, systems housing the data should take reasonable measures to protect its accuracy.

Policy Revisions

The policy was updated to:

  • Remove the data classification examples (chart format)
  • Revise the Compliance, Background, and Applicability sections
  • Include position definitions in the Responsibility section
  • Add definitions for Data Administration, Senior Leader, Third Party, and University Data
  • Update responsibilities for the Data Manager, Data Steward, Data Trustee, Data User, and VPCIO
  • Add responsibilities for the Data Owner, ISO, and ISPAC

Applicability

This policy applies to all data or information created, collected, stored, or processed by the university, whether in electronic or non-electronic formats. Data that is personal to the operator of a system and stored on a university information technology resource as a result of incidental personal use is not considered university data. 

Guidance

For guidance and questions related to this policy contact the Information Security Office at 716-645-6997 or sec-office@buffalo.edu.