Working with Duke data

Duke's Data Classification Standard requires data owners to assign a level of protection to Duke data - sensitive, restricted or public.

Sensitive data is the most restrictive data classification category and is reserved for data that Duke is either required by law to protect, or which Duke protects to mitigate institutional risk.  Explicit institutional approval is needed in order to receive access to Sensitive data. Social Security numbers, contract data, financial data, and physical plant details are examples of Sensitive data at Duke.

Restricted information is the default data classification category.  Restricted data is data that is not necessarily for public consumption, but also does not fit into the Sensitive category. Duke may have a proprietary obligation to protect Restricted data, but disclosure would not significantly harm the university. Access to Restricted data elements is determined by business process needs. Research details, library transactions, and data that should only be accessed by certain groups are examples of Restricted data at Duke.

All other data is Public and can be accessible to the general public. This includes information that has been approved for publication, such as a press release or information published on (This does not include information that has been disclosed accidentally.) Access includes Duke University affiliates and the general public. Public-facing websites, campus maps, and some directory information are Public information at Duke.

The Duke standards published by the University IT Security Office (servers, workstations, laptops, and logs) outline the technical controls required to protect each type of data. These controls must be implemented regardless of who manages the system that stores or processes the data. Alternatively, the data can be destroyed or moved to a secure network managed by Duke OIT. Sensitive and restricted information owned by Duke University must be collected, processed, and stored in compliance with the University IT Security Office's current published standards, regardless of the data's physical location. Sensitive and restricted data hosted by a third-party vendor must meet these standards, and the contract with the host must be approved by the Office of University Counsel.

See Other Related Content on this page for Frequently Asked Questions (FAQ), Duke's Data Security Policy, and a chart that outlines which Duke services are appropriate for use with sensitive, restricted and public data.

Please contact the University IT Security Office ( with any questions about data classification or data security.