Data Classification Guide

Contact the Data Governance Office for additional guidance on data classification.

Classification Level



Regulated data is information that is protected by local, national, or international statute or regulation mandating certain restrictions.

Regulated information constitutes an area of critical concern because of the severe risk to the university, its affiliates and to individuals, should information be inappropriately accessed, altered, disclosed or destroyed.

Regulated information requires strict control, very limited access and disclosure, which may be subject to legal restrictions. Access to regulated data must be limited to authorized university employees (staff and faculty) with a valid business need. Where access to regulated data has been authorized, use of such data shall be limited to the purpose required to perform university business. Authorized users must respect the confidentiality and privacy of individuals whose regulated information they access, observe ethical restrictions that apply to the information they access, and abide by applicable laws and policies with respect to accessing, using, or disclosing information.

Examples of regulated data include:

  • Student academic and financial records, regulated by the Family Educational Rights and Privacy Act (FERPA).
  • Government-issued identification numbers, including social security numbers, driver license numbers, and passport numbers.
  • Individuals' financial account numbers, including credit card numbers and bank account numbers.
  • Data, information, or technical specifications not in the public domain that are regulated by export control laws, excluding technology or software that arises during, or results from, fundamental research under Section 734.8 of the Export Administration Regulations (EAR).

Data Owners in partnership with their appointed Data Stewards  are responsible for implementing appropriate managerial, operational, physical, and role-based controls. Consult with the GW Data Governance Office and GW Information Technology, for guidance or questions regarding access to, use of, transmission of, and disposal of Regulated Information (Data Protection Guide)


Restricted data is information that is not generally available to the public, but deemed confidential due to university policies, contracts, regulations or due to proprietary considerations.

Access to restricted data must be limited to appropriate university faculty, staff, students, or other authorized users with a valid business need. This information must be protected from unauthorized access, use, or disclosure. If disclosed, altered or destroyed, restricted data could cause a moderate adverse impact to the individual, university or its affiliates.

Examples of restricted data include:

  • payroll and tax information, performance appraisals
  • legal records and contracts;
  • general ledger data, Facilities records
  • internal directory information

Public data is information that can be freely used, reused and redistributed by anyone with no existing local, national or international legal restrictions on access or usage.

Security controls are required to protect public data, against unauthorized modification or destruction. If altered or destroyed, public data would cause little or no adverse impact to the university, its affiliates, or the individual. 

Example of public data include:

  • announcements and press releases
  • public event information
  • public directories and maps

View Examples of regulated and restricted data types.