The University of Nebraska is committed to protecting the privacy of its students, alumni, faculty and staff, as well as protecting the confidentiality, integrity and availability of information important to the University's mission. With the adoption of Executive Memorandum No. 42, Policy on Risk Classification and Minimum Security Standards, data classifications have been established and are now in effect for University of Nebraska data and systems. All data can be classified as one of the following: High Risk, Medium Risk, Low Risk, or Research. This page is intended to be a summary or quick reference for those seeking guidance about Executive Memorandum No. 42 and storing and/or processing data.
High Risk Data
Institutional data that is highly confidential and covered by international, state, or federal privacy laws; data where the loss of confidentiality, integrity, or availability of the data or system could have a SEVERE adverse impact on our mission, safety, finances, or reputation; or is subject to international, federal, or state privacy or breach reporting laws.
Data is considered high risk if:
- The data is highly confidential, and protection of the data is required by law/regulation; or,
- The University is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed; or,
- The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.
Medium Risk Data
Institutional data is data requiring high levels of protection due to the following circumstances:
- Protection of the data is required by law/regulation; or,
- Data received or collected is subject to contractual confidentiality provisions; or,
- The data carries a security classification established by an authorized agency of the federal government; or,
- The loss of confidentiality, integrity, or availability of the data or system could have a negative impact on our mission, finances, or reputation.
Low Risk Data
Institutional data routinely used in conducting business not covered by international, state, or federal privacy and security laws. Generally, this is information that can be made available to the public without risk of harm to the University or any entities with an affiliation to the University.
Data and systems are classified as Low Risk if they are not considered to be Moderate or High Risk, and:
- The data is intended for public disclosure; or
- The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on our mission, safety, finances, or reputation.
Research Data
Institutional research data that is highly confidential and covered by international, state, or federal privacy laws. Data where the loss of confidentiality, integrity, or availability of the data or system could have a SEVERE adverse impact on our mission, safety, finances, or reputation, or is subject to international, federal, or state privacy or breach reporting laws.