Some information requires special care and handling, especially when inappropriate handling of the information could result in penalties, identity theft, financial loss, invasion of privacy, or unauthorized access by an individual or many individuals. Some information is also subject to regulation by state or federal laws and requires notification in the event of a disclosure.
Data is assigned a level of sensitivity based on who should have access to it and how much harm would be done if it were disclosed. This assignment of sensitivity is called "data classification."
MIT's data classification process must be context sensitive in many cases, and incidents involving data in MIT's custody should be judged on a case-by-case basis.
Sensitivity: Highest, most sensitive
Examples: SSNs, credit card numbers, bank accounts, driver's license, health information, student information, prospective student information, donors.
Requirements: Protection of data is required by law or MIT policy.
Risks and access: High level of harm to reputation with financial costs, access for only those individuals with explicit authorization, or designated for approved access. Information provides access to resources, physical or virtual.
Examples: Research details, library transactions, personnel information, information covered by non-disclosure agreements, financial information, contracts, facilities, management information.
Requirements: Contractual obligation to protect.
Risks and access: Medium level of harm to reputation with financial costs, access for employees and non-employees who have a business need to know, delegated access privileges. Smaller subset of restricted data at a school, department, or unit level.
Examples: Directory information that is not suppressed, campus maps, MIT web pages intended for public use.
Requirements: At the discretion of the data custodian.
Risks and access: Low level risk to privacy and reputation, access for MIT affiliates and general public with a need to know.