Data Classification Definitions

Owned by Christopher Croad
Last updated: Oct 16, 2024 by Christopher Croad
2 min read

In today's digital age, protecting sensitive information is crucial for maintaining the integrity and trust of our university community. At Syracuse University, we categorize our data into three primary classifications: Confidential, Enterprise, and Public. Understanding these classifications is essential for handling and protecting information appropriately.

The lists below should not be considered to be all-inclusive.  Please consult with the Information Security Department if there is any doubt or question as to how to classify data.

Confidential Data

The University defines as Confidential any information that meets at least one of the following criteria: 

  1. The protection of the data is required by law/regulation.
  2. Syracuse University is required to self-report to the government or other external organizations and/or provide notice to the affected individuals if the data is inappropriately accessed.
  3. The loss of confidentiality, integrity, or availability of the data or system could significantly adversely impact our mission, safety, finances, or reputation. 

The examples below are considered Confidential when used to identify a person or persons.

  • Social Security numbers
  • Date of Birth
  • Driver's license numbers
  • Passport and visa numbers
  • Biometric Identifiers
  • Financial information and records (credit card numbers, account numbers, etc.), including non-SU income level and sources
  • Student financials, FAFSA information, credit cards, bank accounts, wire transfers, payment history, financial aid/grants, bills
  • Unencrypted user account passwords 
  • Health Information, including Protected Health Information (PHI) and research health data
  • Health Insurance policy ID numbers
  • Student or employee accommodations or self-identified disability information 

 

The examples below may be considered Confidential Data even when not combined with other personal or identifying information that is linked to a specific individual. 

  • Encryption Keys when used to protect other Confidential Information
  • Export controlled information- Information or technology controlled under International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR), required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of a controlled item or product, including blueprints, drawings, photographs, plans, instructions, or documentation.
  • Sensitive research data 

Enterprise Data

Enterprise Data includes information necessary for the University's day-to-day operations that is not publicly accessible. This type of data is integral to the functioning of our institution but does not require the same level of stringent protection as Confidential Data.


Examples of Enterprise data are: 
  • SU Business Data like SU Financial Data, Contracts, 3rd Party information
  • SU Records
  • Internal Email
  • Research data
  • Internal Digital/Physical System information

Public Information

Public Data is typically defined as any data that does not fall under confidential or enterprise data definitions.  Care should be taken when determining what is public to not inadvertently include data that is not public. Please consult with ITS if there is any doubt or question.