Sensitive Data Categorization

DG Sensitive Data Categorization

Purpose

The Sensitive Data Categorization indicates a data element, grouping of data elements, or types of data that are considered sensitive. The defined list of sensitive data is recommended to and, where appropriate, approved by the Data Governance Committee. Organizational Data and Information Systems that contain sensitive data require minimum levels of protection as outlined in Cyber Security’s Data Protection Safeguards, Minimum End-point Security Standard, and Protected Data Practices. Additional protection requirements above the minimum may be required if the Organizational Data or Information System is also regulated (see Data Regulation Categorization).

 


 

Related Policies

Data Governance and Management Policy

Related Guidelines, Procedures, and Resources

Definitions

Capitalized terms not otherwise defined herein shall have the same meaning as set forth in the Data Governance and Management Policy.

Audience

Responsible: Associate Data Trustee, Data Steward, System Owner
Accountable: Data Governance Committee
Support: Associate Data Steward, Technical Manager
Consulted: Data Governance team
Informed: Data Domain & Technology Sub-Committees, Data Administrator, Data User

Procedures

Impacts to the Sensitive Data Categorization
  • A Data Steward must know what data within their Data Sub-Domain carries the Sensitive Data Categorization and the protections required by Cyber Security.
  • An Associate Data Trustee must know what data within their Data Domain carries the Sensitive Data Categorization and the protections required by Cyber Security.
  • A System Owner, Technical Manager, and Data Administrator must know what data within their Information System carries the Sensitive Data Categorization and the protections required by Cyber Security.
  • A Data User must know what data they handle carries the Sensitive Data Categorization and the protections required by Cyber Security.
Modifications to the approved Sensitive Data Categorization list
  1. An individual must submit a request to add a new, change an existing, or deprecate an existing data element, group of data elements, or type of data to the approved list of sensitive data. This request must be made to the Data Governance Officer who will review the request and present it for consideration before the Data Governance Committee.
  2. The Data Governance Committee will review the request and determine if further discussion is required with the requestor, Data Stewards, or others associated with the data.
  3. If approved, the Data Governance Officer will notify the requestor and publish the change to the official list of approved Sensitive Data Categorization. Inventories that rely upon Sensitive Data Categorization will be updated.
  4. If not approved, the Data Governance Officer will articulate the rejection and send it back to the requestor.

 

Resources

Organizational Data attributed with the Sensitive Data Categorization
Core Person Examples
Government Identification: Social Security Number, Passport Number
Genetic Information  
Biometric Information (i.e., information that can be used to uniquely identify a person)  
(Name or ID) + Date of Birth  
(Name or ID) + (Race or Ethnic Origin)  
(Name or ID) + (Legal Sex or Gender or Sexual Orientation Information)  
(Name or ID) + Religious Information  
(Name or ID) + Citizenship Information  
(Name or ID) + Birth Country  
(Name or ID) + Visa Information  
(Name or ID) + Military Information  
(Name or ID) + Security Clearance Information  
(Name or ID) + IP Address  
Information About a Minor (under the age of 14)  
Emergency Contact(s) Information, details  
Passwords  
ID Photographs  
Recommendation Letters  
Employee Examples
Performance Evaluations, Performance Management Information  
Benefits Elections and related Information  
Dependent/Beneficiary Information  
Garnishment Information  
Faculty Educational Records Information (includes transcripts and education details)  
Faculty Promotion and Tenure Information  
(Name or ID) + Termination and Retirement Information  
Academic/Learner Recruit or Applicant Examples
[none identified at this time]  
Student Examples
(Name or ID) + (Grade or GPA)  
20+ (Names or ID) + Non-Sensitive Student Information (e.g., major, course, etc.)  
Student Financial Examples
Student Financial Aid and Scholarship Information  
Student Life Examples
Incident Reports and Supporting Information  
Student Judicial Information  
Registered Student Organization Affiliation Information  
Campus Services Examples
[none identified at this time]  
Financial Examples
Banking Information  
Credit Card Information  
Research Examples
Proprietary information obtained by Georgia Tech under Nondisclosure Agreement  
Intellectual property owned by Georgia Tech  
Proprietary information obtained by Georgia Tech from DOD or Military Research  
Library Examples
[none identified at this time]  
Development Examples
Donor Contact Information  
Donor Financial Information  
Donor Giving Information  
Technology Examples
Cybersecurity Information  
Network Diagrams  
Legal Examples
Confidential Information  
Ethics Information  
Investigations Information  
Attorney-Client Privileged Information  
Work Product Information  
Information held under a Non-Disclosure Agreement or other restricted use categories  
Electronic Conflict of Interest  
Controlled Unclassified Information (CUI)  
For Official Use Only (FOUO) Information  
International Traffic in Arms Regulations (ITAR) controls, U.S. Persons only  
Publication and restrictions foreign national access  
Health Examples
Health Information, all  
Mental Health Information, all  
Disability Information, all  
Family Medical Leave Act (FMLA) Information  
VOICE Advocate Data  
Safety, Policy, and Emergency Examples
Security Camera Recordings  
Building Blueprints for Secured Spaces Secure Research Facility
Chemical Tracking  
Safety Plans  
Incident Reports and Supporting Information  
Investigations Information  
Body Camera Footage  
Other Examples
[none identified at this time]  
What are the protections required for Organizational Data attributed with the Sensitive Data Categorization?
Please see Cyber Security’s Data Protection Safeguards, Minimum End-point Security Standard (coming soon), and Protected Data Practices.
What are the protections required for Organizational Data not attributed with the Sensitive Data Categorization?
Please see Cyber Security’s Data Protection Safeguards, Minimum End-point Security Standard (coming soon), and Protected Data Practices.
What if Organizational Data is also regulated?
All Organizational Data will have a Data Regulation Categorization which informs which regulations (if any) apply to the data. Please see Cyber Security’s Data Protection Safeguards, Minimum End-point Security Standard (coming soon), and Protected Data Practices.
What if Organizational Data has more than one control?
When multiple controls exist, the strictest control will take precedence.

 

Revision Date Author Description
2023-08-17 Zachary Hayes, Data Governance New