5.7 USG Classification of Information Standard
The USG’s records (paper or electronic, including automated files and databases) are essential public resources that must be given appropriate protection from unauthorized use, access, disclosure, modification, loss, or deletion. Each USG institution, the USO, the GPLS, and the Georgia Archives must classify each record using the following classification structure:
- Unrestricted/Public Information is information maintained by a USG organization that is not exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws.
- Sensitive Information is information maintained by a USG organization that requires special precautions to protect from unauthorized use, access, disclosure, modification, loss, or deletion. Sensitive information may be either public or confidential. It is information that requires a higher than normal assurance of accuracy and completeness. Thus, the key factor for sensitive information is that of integrity. Typically, sensitive information includes records of USG financial transactions and regulatory actions.
- Confidential Information is information maintained by a USG organization that is exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws.
- Note: The Open Records Act is located at: http://law.ga.gov/law.
In addition, Personal Information may occur in unrestricted/public, sensitive, and/or confidential information. Personal information is information that identifies or describes an individual as defined in, but not limited by, the statutes listed below. This information must be protected from inappropriate access, use, or disclosure and must be made accessible to data subjects upon request. Personal information includes, but is not limited to:
- Notice-triggering personal information - specific items or personal information (name plus Social Security Number, driver’s license/Georgia identification card number, or financial account number) that may trigger a requirement to notify individuals if it is acquired by an unauthorized person.
- Protected Health Information - individually identifiable information created, received, or maintained by such organizations as health care payers, health care providers, health plans, and contractors to these entities, in electronic or physical form. Laws require special precautions to protect from unauthorized use, access, or disclosure.
- Electronic Health Information - individually identifiable health information transmitted by electronic media or maintained in electronic media. Federal regulations require state entities that are health plans, health care clearinghouses, or health care providers conducting electronic transactions ensure the privacy and security of electronic protected health information from unauthorized use, access, or disclosure.
- Personal Information for Research Purposes - personal information requested by researchers specifically for research purposes. Releases may only be made to the USG or other non-profit educational institutions in accordance with the provisions set forth in the law.
- Personally Identifiable Information (PII) - any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the institution. Some PII is not sensitive, such as the PII on a business card, while other PII is considered Sensitive Personally Identifiable Information (Sensitive PII), as defined below.
- Sensitive Personally Identifiable Information (Sensitive PII) - personally identifiable information that if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual, such as a Social Security number or alien number (A-number). Sensitive PII requires stricter handling guidelines because of the increased risk to an individual if compromised.
The designated owner of a record is responsible for making the determination as to whether that record should be classified as public or confidential, and whether it contains personal and/or sensitive information. The owner of the record is responsible for defining special security precautions that must be followed to ensure the integrity, security, and appropriate level of confidentiality of the information.
Note: The definition of Owner is covered in Section 9, Data Governance and Management Structure, of this Handbook.
Records containing sensitive and/or personal information require special precautions to prevent inappropriate disclosure. When confidential, sensitive, or personal information is contained in public records, procedures must be used to protect it from inappropriate disclosure. Such procedures include the removal, redaction, or otherwise masking of the confidential, sensitive, or personal portions of the information before a public record is released or disclosed.
While the need for the USG institutions, the USO, the GPLS, and the Georgia Archives to protect data from inappropriate disclosure is important, so is the need for the USG participant organization to take necessary action to preserve the integrity of the data. USG participant organizations must develop and implement procedures for access, handling, and maintenance of personal and sensitive information.
Information classification must be part of the IT/IS risk management program, as detailed in Section 5.5 of this Handbook, for each USG institution, the USO, the GPLS, and the Georgia Archives.Return to Top