Guidelines to Identify High Risk Data


To assist users in complying with Data Classifications and Standards, these guidelines provide examples of data that are known to fall into a given category. For further assistance contact the data steward or ITS Security. All data for a given classification must be protected with technical controls outlined in ITS Standards for Data Classifications.

Examples below are not an exhaustive list. A single document containing multiple types of data, must be classified and protected according to the highest risk data that is present.


High Risk Data

Per APM 30.11, High Risk data is data that: "The potential effect on loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on university operations, individuals, or assets."

Examples of elements automatically considered High Risk because of Idaho breach law:

  • Social Security Number (SSN) in combination with name or identifier
  • (Bank) account number, or credit or debit card number, in combination with any required security code, access code, or password
  • Driver's license number in combination with name

Examples of High Risk data because of other determinations, including other legal or contractual requirements:

  • Passwords
  • U of I donor information, including individual demographics
  • Data that must be controlled under NIST 800-171
  • HIPAA Personal Health Information (PHI), if in association with the UI employee benefits program
  • Passport numbers
  • Any data managed by UI where encryption at rest is required


Moderate Risk Data

Per APM 30.11, Moderate Risk data is data that: "The potential effect of loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on university operations, individuals, or assets."

Examples of Moderate Risk data:

  • FERPA-protected information, unless otherwise classified as High Risk, including
    • Personally identifiable information of any student that can identify an individual and their courses, grades
    • Student directory information, if the student has requested confidentiality
    • Student ID number (including V number) in combinationn
    • V number of an employee (if they are also a student)
    • PHI of students, if managed by the university
  • Personally Identifiable Information on any person, including name, address, email address, phone numbers, IP address, biometrics, etc.
  • Any data that we are obligated to protect under the university Privacy Statement 
  • Any data, even if intended to be public, are working documents not yet ready for publishing
  • Employee records, including performance evaluations, disciplinary actions, or related info


Additional Resources

See Also




Article ID: 1659
Wed 6/3/20 5:33 PM
Mon 1/30/23 9:45 AM

Related Articles (5)

The following locations have been approved by ITS for storage of university data, consistent with U of I policies and standards.
This guide describes the current settings enforced for High Risk data access on macOS, Windows, iOS, and Android.
Instructions for user setup of Filevault encryption on macOS.
A guide for a new UI employee covering basic ITS services and general orientation.
Learn about the requirements for SharePoint Storage locations.