...

The State University of New York at Fredonia ("Fredonia") is committed to the confidentiality, integrity, and availability of information important to the University’s mission. All University data must be classified into one of three categories described in this policy and protected using the appropriate security measures consistent with the minimum standards for the classification category as described in related information/data security policies.

 


POLICY

Fredonia has classified its physical and electronic data into three risk-based categories for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it. This policy facilitates applying the appropriate security controls to university data, and assists data owners in determining the level of security required to protect data on the systems for which they are responsible.

...

Data Risk Classification Category

Category 2 - Private

Minimum Security Standard

800-53 Moderate

Risk from Disclosure

Moderate

Definition

  • Includes university data not identified as Category 3 Data, but includes data protected by state and federal regulations. This includes FERPA-protected student records and electronic records that are specifically exempted from disclosure by the New York State FOIL.
  • Private data must be protected to ensure that it is not inadvertently or unnecessarily disclosed in a FOIL request. FOIL excludes data that, if disclosed, would constitute an unwarranted invasion of personal privacy.
  • NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations, maps to the Category 2 - Private data risk classification.

Examples

  • FERPA-protected data
  • Gramm-Leach-Bliley data
  • Final course grades, exam questions or answers
  • HR employment data
  • Law enforcement investigation data, judicial proceedings data (includes student disciplinary or judicial action information)
  • Public Safety information
  • IT infrastructure data
  • Collective bargaining negotiation data, contract negotiation data
  • Trade secret data
  • Protected data related to research
  • University intellectual property
  • University proprietary data
  • Data protected by external non-disclosure agreements 
  • Inter- or intra-agency data which are not: statistical or factual tabulations; instructions to staff that affect the public; final agency policy or determination
  • External audit data
  • University person number (e.g. Fredonia ID "FID", PDIM)
  • Performance Programs and Evaluations
  • Travel Authorizations and Reimbursement Forms
  • Brass Key Forms and Inventories
  • Search Committee Documents
  • Licensed software
  • Certain nonpublic Intellectual Property

...

This policy applies to all members of the university community, as well as to third parties who handle university data.


CONTACT INFORMATION

Office of Information Technology Services and Finance and Administration, Maytum Hall, Fredonia, NY, 14063.

...