
University of Pennsylvania data is classified into three categories based on the level of data sensitivity, government regulations, and University policies.

  1. Low
  2. Moderate
  3. High

High

Classification

  1. Protection of the data is required by law/regulation and Penn is required to report to the government and/or provide notice to the individual if the data is inappropriately accessed; or
  2. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on the University's mission, safety, finances, or reputation, or the loss would have a significant adverse impact on any individual.

Examples

  • Health Information, including Protected Health Information (PHI)
  • Mental health records
  • Biometric data (e.g. DNA, fingerprint)
  • Criminal record or background check
  • PennKey password and other system credentials
  • Health Insurance policy ID numbers
  • Social Security Numbers
  • Credit card numbers
  • Financial account numbers
  • Location data that actively tracks an individual 
  • Export controlled information under U.S. laws
  • Driver's license numbers or other government-issued ID numbers
  • Passport or visa numbers
  • Student, faculty, or staff disciplinary records
  • Certain HR records (salary, performance)
  • Donor contact information and non-public gift information
  • K-12 student records and any data related to minors
  • Information concerning the types, locations, and security of potentially hazardous materials and equipment

Moderate

Classification

  1. The data is not generally available to the public; or
  2. The loss of confidentiality, integrity, or availability of the data or system could have a mildly adverse impact on the University's mission, safety, finances, or reputation, or the loss would have a mildly adverse impact on any individual.

Examples

  • Student education records and admission applications (excluding K-12 student records)
  • Non-public Penn policies and policy manuals
  • Non-public contracts that do not relate to a sensitive matter
  • Penn internal memos and email, non-public reports, budgets, plans, financial information that do not contain High-Risk data
  • Engineering, design, and operational information regarding Penn infrastructure
  • University directory information that has been designated for Penn view or otherwise restricted
  • Unpublished research data (at data owner's discretion), subject to any IRB restrictions

Low

Classification

  1. The data is intended for public disclosure; or 
  2. The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on the University's mission, safety, finances, or reputation, and the loss would have no adverse impact on any individual.

Examples

  • PennKey username 
  • PennID
  • Information authorized to be available on or through Penn's website without PennKey authentication
  • Policy and procedure manuals designated by the owner as public 
  • Job postings
  • University directory information that has been designated for public view
  • Publicly available campus maps 
  • Research data (at data owner's discretion), subject to any IRB restrictions
