Overview
This guide explains the different data classifications at USC and provides resources for further reading.
Why data classifications matter
At USC, data is classified into one of the following levels, from least to most sensitive:
- Public
- Internal Use Only
- Confidential
It's important to know the classification level of data that you're working with because this determines the necessary approach for safely creating, using, storing, transmitting, and archiving that data.
For example, HIPAA- and FERPA-protected documents are classified as confidential. This means that you can store HIPAA- and FERPA-protected documents in software that's been approved for storing confidential information (e.g. Microsoft OneDrive) but not in software that's only approved for storing public and internal use only data (e.g. Google Drive).
A note about the Data Security Addendum
If you are trying to procure cloud-based software for business use, DTS may ask you to complete a questionnaire from the Office of the Chief Information Security Officer (OCISO) to confirm the classification level of the data you plan to store or process with the requested software. Depending on the data classification level, a Data Security Addendum (DSA) may be required between USC and the supplier.
Per the Data Classification Standard from the OCISO, a DSA is a "legal document used during the procurement process that is designed to protect and limit the unauthorized disclosure and use of personal information and proprietary technical data between a vendor and USC."
Data classifications at USC
For each data classification below, the definition is provided by the USC Information Security Policies Terms and Glossary and the examples are provided by the Data Protection Policy.
Public
Definition: Data that is not regulated and is generally made available through public interfaces and requires no protection mechanisms.
Examples:
- USC community memos
- Marketing and promotional materials
- Academic calendars
- Course catalogs
- Advertising material
- Public web content and media
- Press releases
- Public announcements
- Public relations documents
- Campaigns and outreach
- Job postings
Internal Use Only
Definition: Data that includes all information used to conduct USC business, unless categorized as “Confidential” or “Public.”
Examples:
- Non-regulated Personally Identifiable Information
- In-process contracts and agreements
- Employee performance evaluation information
- Audit reports
- Network diagrams
- Non-public USC policies
- Information involving USC strategy and implementation plans
- Internal USC memos and emails
- USC and employee ID numbers
Confidential
Definition: Data that typically includes regulated data requiring compliance efforts if exposed to unauthorized parties, or would cause legal, financial, reputational, operational harm if disclosed.
Examples:
- All information protected by HIPAA, GLBA, PCI DSS, FERPA, and CFIPA
- Nonpublic Personal Information (NPI)
- Regulated Personally Identifiable Information (PII)
- Special communications indicated as Attorney-Client Privilege
- Trade Secrets
- USC Business Financials and Business Strategy and other data and information may be classified as Confidential if in USC's best interest
Confidential-Controlled
Definition: Data that is a sub-category of Confidential and is to be used only for Covered Defense Information, which includes Controlled Technical Information (CTI), Controlled Unclassified Information (CUI), or any other information that has military or space application where the data provider (e.g. research sponsor) has imposed safeguarding or dissemination controls for reasons of national security.
Examples: N/A
A note about research data
Research data is defined in the Data Classification Standard as:
[D]ata that is developed as part of USC's research programs and is protected under contractual agreements with public and private entities. Research information may have explicit restrictions on how data can be accessed, transported and shared and this data may be regulated under additional laws.
Since research data covers such a broad range, it can fall into any of USC's data classification levels. For instance, research data that includes personally identifiable information (PII) such as individuals' names, biometric data, and other identifying information would be considered confidential data, while research that has been approved for release to the public would not be.
Additional resources
Refer to the following policies for a more complete understanding of working with data at USC:
As well as the following resources: