Data security & classification: information for employees

All employees of the university are responsible for safeguarding the privacy and security of data stored on their individual computers and on any shared or removable media. They are also responsible for safeguarding all information to which they have been given access via applications, systems, reports, etc.

Every university employee has an obligation to abide by the standards of acceptable and ethical use included in the university's Data Computing Standards.

  • Use only those information technology and computing resources for which you are authorized.
  • Implement security in your daily interactions with people, data, systems, and facilities.
  • Be conscious of the environment around you and notify the appropriate security/system administrators if you notice any security vulnerability.
  • Use computing and information technology resources only for their intended purposes.
  • Safeguard the integrity of university data by taking all reasonable steps to protect university data from theft; destruction; unauthorized access; or any form of compromise resulting from negligent acts, or omissions.
  • Properly create, access, use and dispose of university data based on the data's classification.
  • Appropriately back up data and computer system and applications software to allow for recovery if there is a disruption.
  • Use antivirus software on any computer system you use which accesses university data or computing systems/resources.
  • Obtain authorization for the processing of university data or conducting university business on home computer systems from the appropriate data custodian.
  • Only perform remote/distributed access to administrative or research computer systems via a virtual private network (i.e., VPN).
  • Notify the appropriate system, network and/or security administrator(s) of any suspected or actual security violations/incidents.
  • Be aware that the university disclaims any loss or damage to software or data that results from its efforts to enforce its data computing standards.

--Adapted from the Data Computing Standards

Violation of university data and computing standards/guidelines may result in the loss of your computer account; disconnection from networks; your being denied or given limited access to university data, applications and/or computer systems. Individuals may be subject to reprimand, suspension, dismissal/termination, or other disciplinary action based on the offense and may be charged with criminal offenses or have civil action taken for computer abuses or violation of law within the confines of law.

Data classification

There are three classifications for university data:


Data whose loss, corruption or unauthorized disclosure would be a violation of federal or state laws/regulations or university contracts (i.e., protected data); personally identifiable data; data that involves issues of personal privacy; or data whose loss, corruption or unauthorized disclosure may impair the academic, research or business functions of the university, or result in any business, financial, or legal loss.

Operational Use Only

Data whose loss, corruption or unauthorized disclosure would not necessarily result in any business, financial or legal loss BUT which the university had determined is critical to its business and requires a higher degree of handling than unclassified data. Access to Operational Use Only data is available to data custodian approved users only.


Data that does not fall into any of the other data classifications noted below, and may be made generally available without specific data custodian approval.


More information

Employees should be aware of the university's policies, guidelines, and requirements regarding data security:

UMass Security Awareness

Related information is available on these government sites