High Risk and Moderate Risk Data or Information

High Risk
What it is: Data are classified as High Risk when protection of such data is required by law or regulation, protection is necessary in order for the University or its affiliates to meet compliance obligations, or the unauthorized disclosure, access, alteration, loss or destruction of those data could have a material impact on the University or its affiliates’ mission, assets, operations, finances, or reputation, or could pose material harm to individuals.

Examples may include:

  • Personally Identifiable Information (PII)
  • Protected Health Information (PHI)
  • Payment Card Information (PCI)
  • Employee Background Investigations
  • Employee Immunization Information
  • Student Information Protected by FERPA
  • Data the University receives that are contractually restricted, including research data

Moderate Risk
What it is: Much information necessary for people to perform their work at the University is properly available to others at the University but is not appropriate to be known by the general public. Data should be classified as Moderate Risk where the unauthorized disclosure, access, alteration, loss or destruction of those data would be expected to have an adverse but not material impact on the University and its affiliates’ mission, assets, operations, finances, or reputation, or only limited harm to individuals. This information is made available to members of the University community with a business need and is not restricted by local, state, national, or international statute regarding disclosure or use.

Examples may include:

  • Budgets
  • Strategic or Unit Business Plans
  • Grant-related documents
  • Financial records
  • Hire and appointment letters
  • Salary information
  • Performance reviews
  • Warning and disciplinary documents
  • Experimental data generated under grants (NIH, CDC, NSF, etc.) which does not contain regulated data elements (PHI, etc.) but is not ready for public release

Low Risk Data or Information

What it is: Data should be classified as Low Risk where the unauthorized disclosure, access, alteration, loss or destruction of that data would not be expected to have any effect on the University and its affiliates’ mission, assets, operations, finances, or reputation, would not be expected to pose any harm to individuals, or where such data are intended for public disclosure.

Examples may include:

  • The University’s audited financial statements
  • Schedule of classes
  • Approved census facts
  • Information on the public University website
  • De-identified or non-human research data

Use & Handling

(Please see the full policy for details)

Access & Use

High Risk Moderate Risk Low Risk
  • Users must have documented business case
  • May require special training, data use agreements, or other documentation
  • Protection is the responsibility of everyone who is granted access or uses such data
  • Unauthorized disclosure must be reported promptly
  • May be granted without requiring an explicit data use agreement but with appropriate documentation
  • Not intended for public dissemination but may be released to external parties subject to appropriate review and controls
  • Certain subsets of Moderate Risk data may require training in the appropriate use and handling of the data.
  • Available to all members of the University community and may be released to the general public.
  • University reserves the right to control content, format, and documentation of access and use

Storage & Protection

High Risk Moderate Risk Low Risk
  • Paper form must be stored in locked or otherwise secured areas when not in active use
  • Electronic form must use encryption or similar protection
  • Should be protected behind electronic firewalls or in private paper files in secured offices
  • Should not be accessible by the public or the University community at large without appropriate review and documentation

Transmission

High Risk Moderate Risk Low Risk
  • Reports and communications should not include High Risk Information unless essential
  • Transmissions must be encrypted or otherwise adequately protected
  • Transmission outside of the University of Rochester must have proper approval and follow documented procedures
  • Can be freely shared with appropriate parties within the University environment
  • Automatic forwarding of data to external email or document storage sites is prohibited without explicit permission
  • Transmission outside of the University of Rochester must have a documented business case and appropriate protection and usage guidelines must be followed

Labeling

High Risk Moderate Risk Low Risk
  • Information must be labeled as high risk
  • Internal use and distribution does not require labeling
  • External use requires explicit discussion of handling requirements with the external recipient prior to transmission

Destruction

High Risk Moderate Risk Low Risk
  • Must be disposed of in a manner that makes the High Risk data no longer readable or recoverable
  • Adhere to Record Retention policies and archival best practices