Data Classification

Effective: August 1, 2015
Contact: Information Technology Services (ITS)


The Iowa State University Data Classification policy provides the university with a method to categorize the information collected, stored, and managed by the university community.  Using the data classification method will improve the ability of the university community to properly manage access to university information in compliance with federal and state laws and regulations, and other university policy requirements.


This policy applies to:

  • All persons or entities that have access to Iowa State University data, and are employees, students, agents or contractors of Iowa State University
  • Electronic and non-electronic representations of data utilized by the university community for the purpose of carrying out the institutional mission of research, teaching, outreach, and data used in the execution of required business functions, limited by any overriding contractual or statutory regulations

Policy Statement

Data stewards shall classify information according to the impact resulting from loss or unauthorized exposure as per the standards defined in the Data Classification Standards and Guidance (see Resources below). Data stewards may refer classification decisions to the Data Governance Committee.

Data custodians and data users shall inform data stewards of any data that requires classification. Iowa State University data stored electronically on university or non-university resources must be verifiably protected according to the Minimum Security Standards and Guidance for Protection of Electronic Data (see Resources below). 

Data stewards, data custodians and data users shall ensure data is protected according to the classification assigned as prescribed in the Minimum Security Standards and Guidance.

The Data Governance Committee shall render the final decision on classification in cases of indecision or when a data steward cannot be identified.