Legally protected data elements
- Social Security numbers (SSN)
- Financial account numbers, including personal credit card numbers
- Drivers license numbers or State ID numbers
- Protected Health Information (PHI)
- Student education records
Other sensitive information, which may or may not require notification in the event of an unauthorized disclosure, includes:
- Personal employee information, such as date of birth and salary
- Proprietary research data
- Confidential legal data
- Confidential financial data
- Other proprietary data that should not be shared with the public
Data Classification
Data is assigned a level of sensitivity based on who should have access to it and how much harm would be done if it were disclosed. This assignment of sensitivity is called "data classification." MIT's data classification process must be context-sensitive in many cases, and incidents involving data in MIT's custody should be judged on a case-by-case basis.
Level 1 - Public Information
This information is meant to be freely available to both members of the MIT community as well as the general public without access controls. Publicly available information may still be subject to University review or disclosure procedures to mitigate potential risks of inappropriate disclosure. Examples include:
Administrative or Academic Information
- Directory information for faculty, staff, or students [1]
- Published research papers
- Course catalogs
Research or Human Subject Information
- Collecting de-identified data from public websites
- Analyzing anonymous specimens that are publicly available
[1] Excluding data for which a Family Educational Rights and Privacy Act (FERPA) block has been requested.
Level 2 - Sensitive Information
Information that the Institute has chosen not to disclose, but whose disclosure would not result in material harm. This is the first classification level that requires specific security and access controls. Examples include:
Administrative or Academic Information
- Patent applications
- Unpublished research papers
- Building plans
- Legal investigations
- HR-related matters
- Contracts and bids for services
Research or Human Subject Information
- Employment or educational records
- Sexual preference
Level 3 - Confidential Information
Individually identifiable information that could reasonably be expected to result in legal liability, reputational damage, or potential for other types of material harm if disclosed. Examples include:
Administrative or Academic Information
- MIT IDs with associated identifying information
- Personnel records
- Institute financial records
- Individual donor information
Research or Human Subject Information
- Financial records
- Health information or medical records
- Genetic information
Level 4 - Regulated Information
Information that would likely cause serious harm to individuals or the Institute if disclosed. Examples include:
Regulated Administrative or Academic Information
- Personal information requiring notification (PIRN)
- MIT credentials with access to Level 2 or higher information
- Student information classified under FERPA
- Health information covered under HIPAA/HITECH
- Credit card information covered by PCI-DSS rules
- Court or national security orders that prohibit disclosure (e.g., subpoenas, National Security Letters)
Regulated Research or Human Subject Information
- Information regarding illegal activities
- National security information
- ITAR (International Traffic in Arms Regulations) and the EAR (Export Administration Regulations)
- Export-related security controls on information that is subject to a Technology Control Plan