Safe Computing

Data Classification Levels

Data is everywhere. We deal with it every day. It comes in all shapes and sizes, from the post-it note on the side of our computer monitors; student records in PeopleSoft; an email from a manager - to the complex data set we use for our research.  It is important to realize that the data we deal with on a daily basis can be classified by its content and the audience it can be shared with.  It is important to understand these classifications when deciding where to store the data and who it is shared with.

S&T IT uses the Data Classification System as defined by UM System to determine how to classify data. There are four levels of classification: Public, Sensitive, Restricted, and Highly Restricted.

The infographic defines the name of the four data classification levels and their examples.

The first level, DCL1 (Public), is data that is created for the public.  Information in the eConnection or on the IT website is public data and does not harm anyone or anything associated with it. You can store DCL1 data anywhere and share it with anyone because it is intended for a public audience.

The second level, DCL2 (Sensitive), is data that is not public and could be considered harmful if it was disclosed.  There is no policy on the disclosure of DCL2 information. For example, there is no policy against the release of staff home phone numbers, but people would be very unhappy to find such a list available online. DCL2 data can be stored anywhere that is not publicly accessible, for example in cloud storage or saved on your computers.  You can share DCL2 data in email.

The third level, DCL3 (Restricted), is data where disclosure is restricted by regulations and policies.  For example, FERPA protected data is DCL3 data, and accidental disclosure of this information can have very serious consequences for you and the University.  DCL3 data can be stored on-campus network storage, which you will hear referred to as the S&T S: and Y: drives.  IT Security recommends against storing DCL3 data on campus computers and discourages storing DCL3 on a laptop or unencrypted USB drive.  Laptops and unencrypted USB drives can easily get lost or stolen, and control of what happens to the data stored on them is also lost.

The fourth level, DCL4 (Highly Restricted), like DCL3 data, is also restricted by regulations and policies that define unauthorized disclosure.  Disclosing DCL4 data results in more severe consequences.  An example of DCL4 data is Controlled Unclassified Information (CUI).  CUI pertains to data that is a part of government-funded research, and in the future will also include student financial aid information.  You should only store DCL4 data on approved cloud storage, or on encrypted hard drives.   IT Security recommends using Microsoft Teams or an encrypted email through Outlook 365 online to share the data.

It is important to note that you can store and share DCL3, DCL2, and DCL1 data on any storage or sharing method approved for DCL4.  When in doubt, use DCL4 approved storage and sharing methods for any data. However, if you do use the same storage method for different data classification levels, make sure not to combine them.  Do not put DCL1 and DCL 4 data in the same folders. Put them in different folders to avoid accidentally sharing the more restrictive data.

The graph shows examples of S&T's data classifications of two tools, sharing tools and storage tools

If you have further questions about your data’s classification level or how to safely store and share it, feel free to contact IT Security at