The Ohio State University classifies its institutional data into three categories based on the level of sensitivity and risk associated with the exposure, misuse, or alteration of that data. The data classification determines which precautions must be taken when handling the information.
Information that is intended for broad distribution or freely available to any person or organization. This information has no existing access restrictions.
Example: Course Catalog
Limited Access Data
Data available without restriction but whose integrity must be maintained.
Example: Date of Birth, Ethnicity
Data protected or regulated by law or critical to university operations including sensitive personal information such as Social Security Numbers and personal health information.
Example: Bank Account Number, Student Academic Record
Restricted Data Elements
Restricted Data is data protected or regulated by law or critical to university operations. The following data elements have been identified as "Restricted Data" in advance of the formal data classification process due to the risk associated with unauthorized disclosure of these elements:
- SSN and Other Personally Identifiable Information
- Name (First name or initial and Last name)*
- Social Security Number
- Driver’s license number
- State identification card number
- Financial account numbers such as credit, debit, or bank account information (see below for more information)
* Name is not restricted unless it is stored or displayed with one or more of the other listed data elements.
- Credit Card Information
- Primary Account Number
- Cardholder Name
- Service Code
- Expiration Date
- Bank Account Information
- Bank Account Number
- Bank Account Routing Numbers
- Bank Account PINS or Passwords
- Bank Account Owner Name
- Student Educational Records
- Class Enrollment Information
- Student Financial Aid, Grants, and Loans
- Financial account and payment information including billing statements, bank account and credit card information
- Admissions and recruiting information including test scores, high school grade point average, high school class rank, etc.
Note: The Ohio State University, in accordance with the Act, has designated the following information about students as public (directory) information:
- Address (local, home and e-mail)
- Telephone (local and home)
- Program of Study (including college of enrollment,major and campus)
- Enrollment Status
- Dates of Attendance
- Honors awarded
- Previous educational agencies or institutions attended
- Participation in officially recognized activities and sports
- Weight and height of members of intercollegiate athletic teams
- Personal Health Information
- Patient’s past present or future physical or mental health or condition
- Provision of or payment for health care
- Information that identifies the individual, or could reasonably be used to identify the individual, including but not limited to: name, address, medical record number, telephone number, birthday, or admission/discharge date
Limiting exposure to Restricted Data
Fisher College of Business provides software and processes to help limit unintended exposure of restricted data:
Identity Finder lets users find sensitive information on their computers by searching files, e-mails, and other system areas. Identity Finder can run on desktops, servers, databases, websites, and other remote machines. After identifying confidential data, Identity Finder presents these matches to users and lets them clean the data by securely shredding, redacting, encrypting, or using a number of other remediation features.
PGP Whole Disk Encryption
PGP software provides enterprises with comprehensive, nonstop disk encryption for Microsoft and Apple Mac OS X, enabling quick, cost-effective protection for data on desktops, laptops, and removable media. The encrypted data is continuously safeguarded from unauthorized access, providing strong security for intellectual property, customer and partner data, and corporate brand equity.