IntegrityStar, November 2025 edition

Understanding UCF Policy 4-008.2 Data Classification and Protection

Data is one of UCF’s most valuable assets and protecting it is everyone’s responsibility. Whether we’re storing grades, managing research data, or sending an email, every member of the UCF community plays a role in safeguarding information. How we use, store, and share different types of data determines its level of risk and protection needs. By understanding data classifications and handling each type appropriately, we help maintain privacy, compliance, and the integrity of university operations.

UCF’s Data Classification and Protection Policy (Policy 4-008) outlines how data should be handled to ensure it remains secure and accessible only to those authorized to use it. The policy applies to all members of the university community, including faculty, staff, students, contractors, and volunteers.

How UCF Classifies and Protects Data

UCF classifies data into three levels to ensure the right protection is applied based on sensitivity and potential impact if compromised. This classification applies to university, state, and federal data.

  • Highly Restricted Data – any data that is strictly controlled and protected by laws, regulations, contracts, or university policies. It requires the highest level of access control and security protection both in storage and in transit. The loss of confidentiality, integrity, or availability of Highly Restricted Data could have a significant adverse impact on the university’s mission, safety, finances, or reputation. This data must be encrypted, stored only on authorized systems, and never transmitted through unencrypted email or messaging platforms. Examples include Social Security numbers, protected health information (PHI), financial account details, and government-issued identification numbers.
  • Restricted Data – data that is protected by state or federal regulations, such as FERPA, and must be safeguarded to prevent unauthorized disclosure. This data should be shared only with authorized users and within UCF-managed systems (e.g., Outlook, Teams, or OneDrive). Restricted Data must not be released in response to public records requests unless required by law and should only be disclosed to authorized individuals. While unauthorized access or disclosure of some Restricted Data may not always require notification of affected parties, breaches involving data protected by law or regulation may require notification of the appropriate governmental agency. Examples include FERPA-protected education records, student identification numbers, grades, and business-sensitive information.
  • Unrestricted Data – data that is not protected by law, regulation, or contract, and whose disclosure is not reasonably expected to cause harm to the university or any individual. This data may be shared publicly without adverse impact and does not require special security controls. Examples include employee names, office phone numbers, student directory information, and published research that poses no risk if disclosed.

How to Protect University Data

No matter the classification, all data should be stored, transmitted, and shared securely. Key takeaways:

  • Use UCF-managed devices and cloud systems (e.g., OneDrive) for university work.
  • Encrypt emails or files that contain Restricted or Highly Restricted data.
  • Maintain a clean desk and secure workspace when handling sensitive information. Lock drawers, log off workstations, and shred confidential papers when no longer needed.
  • Report any suspected data incidents immediately to the Security Incident Response Team (SIRT) at SIRT@ucf.edu.

Why It Matters

Unauthorized disclosure or mishandling of data can lead to financial loss, reputational damage, and regulatory penalties. Failure to follow this policy may result in loss of access privileges or other corrective actions consistent with UCF regulations.

By following UCF’s Data Classification and Protection Policy, we protect our data and strengthen the university’s ongoing commitment to privacy, compliance, and accountability.

Learn more: For a full understanding of UCF’s requirements, review the complete policy here: Policy 4-008.2 Data Classification and Protection