Legally protected data elements
Social Security numbers (SSN)
Financial account numbers, including personal credit card numbers
Driver's license numbers or state ID numbers
Protected Health Information (PHI)
Student education records
Other sensitive information, which may or may not require notification in the event of an unauthorized disclosure, includes:
Personal employee information, such as date of birth and salary
Proprietary research data
Confidential legal data
Confidential financial data
Other proprietary data that should not be shared with the public
Data is assigned a level of sensitivity based on who should have access to it and how much harm would be done if it were disclosed. This assignment of sensitivity is called "data classification." MIT's data classification process must be context-sensitive in many cases, and incidents involving data in MIT's custody should be judged on a case-by-case basis.
Level 1 - Public Information
This information is meant to be freely available to both members of the MIT community and the general public without access controls. Publicly available information may still be subject to Institute review or disclosure procedures to mitigate potential risks of inappropriate disclosure.
Examples include:
Administrative or Academic Information
Directory information for faculty, staff, or students
Published research papers
Course catalogs
Research or Human Subject Information
Collecting de-identified data from public websites
Analyzing anonymous specimens that are publicly available
Level 2 - Sensitive Information
Information that the Institute has chosen not to disclose, but whose disclosure would not result in material harm. This is the first classification level that requires specific security and access controls. Examples include:
Administrative or Academic Information
Patent applications
Unpublished research papers
Building plans
Legal investigations
HR-related matters
Contracts and bids for services
Research or Human Subject Information
Employment or educational records
Sexual preference
Level 3 - Confidential Information
Individually identifiable information that could reasonably be expected to result in legal liability, reputational damage, or potential for other types of material harm if disclosed. Examples include:
Administrative or Academic Information
MIT IDs with associated identifying information
Personnel records
Institute financial records
Individual donor information
Research or Human Subject Information
Financial records
Health information or medical records
Genetic information
Level 4 - Regulated Information
Information that would likely cause serious harm to individuals or the Institute if disclosed. Examples include:
Regulated Administrative or Academic Information
Personal information requiring notification (PIRN)
MIT credentials with access to Level 2 or higher information
Student information classified under FERPA
Health information covered under HIPAA/HITECH
Credit card information covered by PCI-DSS rules
Court or national security orders that prohibit disclosure (e.g., subpoenas, National Security Letters)
Regulated Research or Human Subject Information
Information regarding illegal activities
National security information
Information controlled under ITAR (International Traffic in Arms Regulations) or the EAR (Export Administration Regulations)
Export-related security controls on information that is subject to a Technology Control Plan