Classify Your Data

Duke’s Data Classification Standard defines three classes of information: Sensitive, Restricted, and Public and provides examples of data types for each classification.

Several types of Sensitive data require additional protections, including:

  • Student data protected by FERPA (such as grades)
  • HIPAA/ePHI data
  • Social Security numbers
  • Credit card data

Should you have to work with any of these data types, please contact your IT support or the security offices ( for guidelines on protections for the data.

Learn more: 

Find Approved Services by Classification

The Duke Services and Data Classification policy contains a chart that outlines which Duke services meet the minimum security requirements for use with Sensitive, Restricted, and Public data.

  • The SecureIt decision tree tool provides information on tools and services to help you secure Duke data based on guidance from the Security Offices.

Learn More:

Data Security Frequently Asked Questions

Find answers to common questions on data security. 

There are no FAQ items to show.

Data Security Roles


Data steward

The individual(s) ultimately responsible for determining the sensitivity of the data, who can access it, and how it should be protected. Examples: Duke's Registrar is the data steward for FERPA (student) data such as grades; a principal investigator is the data steward for his/her research project.

Data manager

Typically an IT administrator responsible for securing the data according to the directives of the data steward. Data managers should have a good working knowledge of how to securely manage systems and applications.

Data users

The individuals who have been approved by the data steward to access the data. They are responsible for their access to the data, including the security of the account and any data they may have access to or be in possession of.


Research data may go through all classifications during the cycle of research. While a study is in progress, the data may be classified as Sensitive, but after the study is closed and the data shared according to NIH or NSF guidelines, it may be Public. Research budgets are always Sensitive, but federally funded research proposals are often Public (as they may be requested from the funding agency with a FOIA request).

Principal Investigator (PI)

The PI is considered the data steward for the data in his or her portfolio.


As a teacher, faculty are responsible for following FERPA regulations. In general, this is accomplished by following the instructions from the Provost about grading and course conduct.


Students involved in research are to follow the research protocols and security requirements and processes. Students involved with Duke Health must follow the HIPAA regulations and treat PHI as Sensitive.

Duke Health workforce

Employees, volunteers, trainees and other persons whose conducts, in the performance of work for a covered entity (e.g., Duke Health System, Private Diagnostic Clinic, School of Medicine), is under the control of such entity, whether or not they are paid by the covered entity.

HIPAA treats all PHI as sensitive.

FERPA applies to Duke trainee interactions.

IT staff

IT staff are not usually Data Stewards, so their responsibilities follow the Data Steward's designation and requirements.


Expected to follow work instructions and staff policies. Applying common sense to unknown situations and asking for guidance can go a long way to a compliant atmosphere. Responsible for the individual security of their Duke account and the data to which they have been granted access.