Overview
The University of Pittsburgh takes seriously its commitment to protecting the privacy of its students, alumni, faculty, and staff and protecting the confidentiality, integrity, and availability of information essential to the University's academic and research mission. For that reason, we classify our information assets into risk categories to determine who may access the information and what minimum security precautions must be taken to protect it against unauthorized access.
Note: The Pitt IT Security team must assess all systems that transmit, process, or store data classified as Restricted. Please contact the Technology Help Desk with questions about the appropriate protection of information.
Detail
Data Risk Classification
|
Risk
|
Restricted Data
High Risk
|
Private Data
Moderate Risk
|
Public Data
Low Risk
|
|
Description
|
Protection of the data is required by law/regulation.
The loss of confidentiality, integrity, or availability of the data or system could have a severe adverse impact on our mission, safety, finances, or reputation.
|
The data is not generally available to the public.
The loss of confidentiality, integrity, or availability of the data or system could have an adverse impact on our mission, safety, finances, or reputation.
|
The data is intended for public disclosure.
The loss of confidentiality, integrity, or availability of the data or system would have little to no adverse impact on our mission, safety, finances, or reputation.
|
|
Data Examples
|
Social Security Number
Date of Birth
Driver's License/State ID number
Bank/Financial account number
Credit/Debit card number
Visa/Passport number
Electronic Protected Health Information (ePHI)
Export controlled information under U.S. laws
Donor contact information and non-public gift information
Mental health counseling information
Other information protected by contractual agreements
High risk University Intellectual property
|
Student records and admission applications
Employment applications, personnel files, benefits, salary, personal contact information
Non-public policies, manuals, and contracts
Internal correspondence, non-public reports, budgets, plans, financial info
University and employee ID numbers
Engineering, design, and operational information regarding infrastructure
Moderate risk University Intellectual property
|
Directory information
Policy and procedure manuals designated by the owner as public
Job postings
Information in the public domain
Low risk University Intellectual property
|
|
Human Subject Research Data Examples*
|
Identifiable sensitive human subject data
|
Identifiable non-sensitive human subject data
De-identified sensitive human subject data
|
Anonymous human subject data
De-identified non-sensitive human subject data
|
|
Storage, Transmission, and Collaboration
|
Storage is prohibited on computing equipment unless registered with and approved by Pitt IT.
Encryption in transit and at rest is required.
Legal, ethical, or other constraints prevent access without specific authorization.
|
Data may be stored on departmental, Pitt IT hosted or approved cloud-based systems.
Encryption in transit is required.
May be accessed by Pitt affiliates and non-employees with authorization.
|
Data may be stored on departmental, Pitt IT hosted or approved cloud-based systems.
Encryption in transit is not required but is recommended.
No specific access restrictions.
|
*Human Subject Research Data is considered sensitive when the disclosure of information could have adverse consequences for subjects or others, place them at risk for criminal or civil liability, or damage their financial standing, employability, insurability, or reputation.
Data Classification Compliance
Protecting sensitive data is a shared responsibility. Pitt IT provides guidance and resources to store data securely. You are responsible for ensuring that your use of permitted services complies with laws, regulations, and policies where applicable. Entering data into AI tools such as ChatGPT carries the inherent risk of that data being compromised or mishandled, potentially leading to serious consequences such as privacy violations, financial loss, or reputational damage. The use of restricted or private data in these tools is prohibited. Please contact the Technology Help Desk with questions about the appropriate protection of information.
| Data Classification Levels |
| Restricted |
High risk, sensitive data – Disclosure may cause severe harm |
| Private |
Moderate risk, confidential data – Disclosure may cause harm |
| Public |
Low risk internal or public data – Disclosure poses little to no harm |