Purpose

The Sensitive Data Categorization indicates a data element, grouping of data elements, or types of data that are considered sensitive. The defined list of sensitive data is recommended to and, where appropriate, approved by the Data Governance Committee. Organizational Data and Information Systems that contain sensitive data require minimum levels of protection as required and outlined in Cyber Security’s Data Protection Safeguards, Minimum End-point Security Standard, and Protected Data Practices. Additional protection requirements above the minimum may be required if the Organizational Data or Information System is also regulated (see Data Regulation Categorization).

 


Definitions

Capitalized terms not otherwise defined herein shall have the same meaning as set forth in the Data Governance and Management Policy.

Audience

  • Responsible: Associate Data Trustee, Data Steward, System Owner
  • Accountable: Data Governance Committee
  • Support: Associate Data Steward, Technical Manager
  • Consulted: Data Governance Team
  • Informed: Data Domain & Technology Subcommittees, Data Administrator, Data User

Procedures

Impacts to the Sensitive Data Categorization

  • A Data Steward must know what data within their Data Sub-Domain carries the Sensitive Data Categorization and the protections required by Cyber Security.
  • An Associate Data Trustee must know what data within their Data Domain carries the Sensitive Data Categorization and the protections required by Cyber Security.
  • A System Owner, Technical Manager, and Data Administrator must know what data within their Information System carries the Sensitive Data Categorization and the protections required by Cyber Security.
  • A Data User must know what data they handle carries the Sensitive Data Categorization and the protections required by Cyber Security.

Modifications to the approved Sensitive Data Categorization list

  1. An individual must submit a request to add a new, change an existing, or deprecate an existing data element, group of data elements, or type of data to the approved list of sensitive data. This request must be made to the Data Governance Officer who will review the request and present it for consideration before the Data Governance Committee.
  2. The Data Governance Committee will review the request and determine if further discussion is required with the requestor, Data Stewards, or others associated with the data.
  3. If approved, the Data Governance Officer will notify the requestor and publish the change to the official list of approved Sensitive Data Categorization. Inventories that rely upon Sensitive Data Categorization will be updated.
  4. If not approved, the Data Governance Officer will articulate the rejection and send it back to the requestor.

Resources

Organizational Data attributed with the Sensitive Data Categorization

Core Person: Examples
  • Government Identification
  • Social Security Number
  • Passport Number
  • Genetic Information
  • Biometric Information (i.e., information that can be used to uniquely identify a person)
  • (Name or ID) + Date of Birth
  • (Name or ID) + (Race or Ethnic Origin)
  • (Name or ID) + (Legal Sex or Gender or Sexual Orientation Information)
  • (Name or ID) + Religious Information
  • (Name or ID) + Citizenship Information
  • (Name or ID) + Birth Country
  • (Name or ID) + Visa Information
  • (Name or ID) + Military Information
  • (Name or ID) + Security Clearance Information
  • (Name or ID) + IP Address
  • Information About a Minor (under the age of 14)
  • Emergency Contact(s) Information, details
  • Passwords
  • ID Photographs
  • Recommendation Letters

Employee: Examples
  • Performance Evaluations, Performance Management Information
  • Benefits Elections and related Information
  • Dependent/Beneficiary Information
  • Garnishment Information
  • Faculty Educational Records Information (includes transcripts and education details)
  • Faculty Promotion and Tenure Information
  • (Name or ID) + Termination and Retirement Information

Academic/Learner Recruit or Applicant: Examples
  • [none identified at this time]

Student: Examples
  • (Name or ID) + (Grade or GPA)
  • 20+ (Names or ID) + Non-Sensitive Student Information (e.g., major, course, etc.)

Student Financial: Examples
  • Student Financial Aid and Scholarship Information

Student Life: Examples
  • Incident Reports and Supporting Information
  • Student Judicial Information
  • Registered Student Organization Affiliation Information

Campus Services: Examples
  • [none identified at this time]

Financial: Examples
  • Banking Information
  • Credit Card Information

Research: Examples
  • Proprietary information obtained by Georgia Tech under Nondisclosure Agreement
  • Intellectual property owned by Georgia Tech
  • Proprietary information obtained by Georgia Tech from DOD or Military Research

Library: Examples
  • [none identified at this time]

ExamplesExamples
  • Donor Contact Information
  • Donor Financial Information

ExamplesExamples
  • Cybersecurity Information
  • Network Diagrams

Legal: Examples
  • Confidential Information
  • Ethics Information
  • Investigations Information
  • Attorney-Client Privileged Information
  • Work Product Information
  • Information held under a Non-Disclosure Agreement or other restricted use categories
  • Electronic Conflict of Interest
  • Controlled Unclassified Information (CUI)
  • For Official Use Only (FOUO) Information
  • Publication and restrictions foreign national access

Health: Examples
  • Health Information, all
  • Mental Health Information, all
  • Disability Information, all
  • Family Medical Leave Act (FMLA) Information
  • VOICE Advocate Data

Safety, Policy, and Emergency: Examples
  • Security Camera Recordings
  • Building Blueprints for Secured Spaces: Secure Research Facility
  • Chemical Tracking
  • Safety Plans
  • Incident Reports and Supporting Information
  • Investigations Information
  • Body Camera Footage

Other: Examples
  • [none identified at this time]

 

What are the protections required for Organizational Data attributed with the Sensitive Data Categorization?

Please see Cyber Security’s Data Protection Safeguards, Minimum End-point Security Standard (coming soon), and Protected Data Practices.

 

What are the protections required for Organizational Data not attributed with the Sensitive Data Categorization?

Please see Cyber Security’s Data Protection Safeguards, Minimum End-point Security Standard (coming soon), and Protected Data Practices.

What if Organizational Data is also regulated?

All Organizational Data will have a Data Regulation Categorization which informs which regulations (if any) apply to the data. Please see Cyber Security’s Data Protection Safeguards, Minimum End-point Security Standard (coming soon), and Protected Data Practices.

What if Organizational Data has more than one control?

When multiple controls exist, the strictest control will take precedence.

 

 


 

Revision Date: 2023-08-17
Author: Zachary Hayes, Data Governance
Description: New