Information Security Office Menu

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

III.05 ADMINISTRATION OF STUDENT AFFAIRS/Student Records

Accessible Education Center (AEC) disability information

The confidentiality requirements of the Americans with Disabilities Act (ADA) apply to any medical or mental health information a student discloses or provides for the purposes of determining or modifying accommodations to disability. AEC may have records including, psychoeducational evaluations, hospital discharge summaries, psychological evaluations, letters from licensed health care practitioners, health care case notes, neuropsychological evaluations, etc. AEC interactions with students are noted in case notes and will commonly contain detailed medical or mental health information, including symptoms, medications, treatments, determined accommodations, etc.

High Risk (Red)

Provost Office – Accessible Education Center (AEC)

Assistant Vice Provost for Accessibility

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

IV.05. FINANCE/Public safety and Risk Services

IV.06. FINANCE/Information technology

IV.07. FINANCE/Property, facilities and planning; sustainability

IV.09. FINANCE/Purchasing and contracting

Architectural diagrams for the physical spaces where critical systems or functions exist.

Information resides in multiple systems (GIS, CPFM Asset Management) and includes location and in some cases what specific equipment is in them. Examples of sensitive locations include:

• Animal Labs (e.g., Zebra Fish)
• Tunnels
• UE Facility
• Datacenters
• Building Mechanical Rooms

High Risk (Red)

Safety & Risk Services (SRS)

Campus Planning & Facility Management (CPFM)

Chief Resilience Officer

Associate Vice President for Campus Planning and Facilities Management

Lead IT service provider(s) for Office of Record

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

I.02. GOVERNANCE/Legal affairs

Attorney-Client Privileged and/or Attorney Work-Product Information

Office of General Counsel’s notes, communications and other records maintained related to client and an attorney. Examples of this type of record include:

• Office of General Counsel communications with client that provide legal advice, discuss actual or potential lawsuits, grievances, disputes with third-party vendors, legal holds, subpoenas and requests for information, communication to/from government agencies, etc.
• Data relevant to the above matters.

High Risk (Red)

Office of General Counsel

Vice President & General Counsel

Lead IT service provider for Office of Record

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

All

Common Composite High Risk Data

Combination of data elements classified as High Risk although the security classifications of each individual data element are classified as Medium or Low Risk. Examples of this type of information include combination of:

• Last-4 of social security number (SSN), name, phone, address
• Mother's maiden names, name, ...

High Risk (Red)

All

All

University IT

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

II.06. ACADEMICS/Research, general

Controlled Unclassified Information (CUI) - Research

Unclassified federal information (received or created) that requires safeguarding or dissemination controls. Examples of this type of information include:

DoD Controlled Technical Information (CTI)

Controlled Defense Information (CDI)

Export Controlled Information or material is any information or material that cannot be released to foreign nationals or representatives of a foreign entity, without obtaining approval of license from the Department of State for items controlled by the International Traffic in Arms Regulation (ITAR). Federal laws require that this type of data be stored in the US and must only be assessed by authorized U.S. persons. Examples of this type of information are detailed on the UO Export Controlled Items List at: https://exportcontrols.uoregon.edu/export-controlled-items

Please refer to the National Archives’ CUI Registry for further examples and details.

High Risk (Red)

Head of Office, Institute, Department or Lab that Received the Data

Head of Office, Institute, Department or Lab that Received the Data, Principal Investigators or Principal Researchers (including student researchers)

Lead IT service provider for Office of Record which may also include the data stewards themselves

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

IV.04. FINANCE/Business affairs

Customer Card Data (PCI DSS)

Credit card, debit card or other payment card information, governed by the Payment Card Industry Data Security Standards (PCI DSS). Examples of this type of information include:

At a minimum, the full PAN (Primary Account Number)

Full PAN plus any of the following: cardholder name, card expiration date and/or service code

High Risk (Red)

Business Affairs Office (BAO)

Associate Vice President, Business Affairs/Controller

Lead IT service provider for Office of Record

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

V.01. HR/Affirmative Action and Equal Opportunity

V.02. HR/Benefits

V.03. HR/Compensation and payroll

V.04. HR/Workplace

V.05. HR/Performance Management

V.06. HR/Recruitment and selection

V.07. HR/Separation

V.08. HR/Time-off and leave

V.09. HR/Employee Records

V.10. HR/Human resources, other

Disability-Related Medical Information

The confidentiality requirements of the Americans with Disabilities Act (ADA) apply to any medical information an employee voluntarily discloses or that the university obtains through lawful disability-related inquiries or employment-related medical examinations.

Examples of potential sources of confidential medical information include:

• Written or oral statements an employee (or applicant) voluntarily discloses to management/university administration regarding a medical condition (e.g., employee sends an email to their supervisor informing them that they suffer from migraines stemming from head trauma);
• Doctors’ notes/letters including information regarding an employee’s medical diagnosis, symptoms, or other information obtained via a medical examination.

Examples of information that does not constitute medical information includes, but is not limited to, the following:

• A doctor’s note stating an employee is released to return to work without restrictions
• A doctor’s note stating an employee missed work to attend a doctor’s appointment or was sick on “X” date.
• The results of a physical agility or fitness test, which measure an employee's ability to perform actual or simulated job tasks, or performance of physical tasks, such as running or lifting, as long as these tests do not include examinations that could be considered medical (e.g., measuring heart rate, blood pressure, vision, etc.).

High Risk (Red)

Human Resource Office

Provost Office- Accessible Education Center (AEC)

Chief Human Resource Officer (CHRO)

Assistant Vice Provost for Accessibility

Director, HR Operations

Lead IT service provider for Office of Record

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

IV.05. FINANCE/Public safety and Risk Services

Disaster recovery/business continuity plans

Data relating to continuity plans, which may include moderately sensitive information relating to systems or business processes.

Moderate Risk (Amber)

Safety and Risk Services (SRS)

Director of Operations

Lead IT service provider(s) for Office of Record

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

IV.07 FINANCE, ADMINISTRATION AND INFRASTRUCTURE/Property, Facilities and Planning; Sustainability

Electrical, Steam, Chiller Utility data.

Data relating to temperature, pressures, voltage, fluid flows throughout Campus Utility Production and Distribution. Includes real-time and historic information.

Moderate Risk (Amber)

Campus Planning & Facility Management (CPFM)

Associate Vice President for Campus Planning and Facilities Management

Lead IT service provider(s) for Office of Record

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

V.07 HUMAN RESOURCES/Recruitment and Selection

Human Resource Search Files

Search files including but not limited to evaluation of qualifications, interview questions and notes, search process documentation, reference checks.

Moderate Risk (Amber)

Units conducting the search are holders of these aspects of search files.

Unit HR Partner

Unit IT Lead

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

II.06. ACADEMICS/Research, general

Identifiable Human Subject Data - Research

Individually identifiable research data containing sensitive information about human subjects. A human subject is a living individual about whom an investigator (whether professional or student) obtains: 1) information or biospecimens through intervention or interaction with the individual, and uses, studies, or analyzes the information or biospecimens; or 2) obtains, uses, studies, analyzes, or generates identifiable private information or identifiable biospecimens.

This data type is governed by the Federal Policy for the Protection of Human Subjects (also called the “Common Rule”) and must comply with UO IRB regulations. Examples of this type of information are listed on the UO Research Compliance website at: http://rcs.uoregon.edu/sites/infosec2.uoregon.edu/files/HSR%20definitions.pdf

High Risk (Red)

Head of Office, Institute, Department or Lab that Received the Data

Head of Office, Institute, Department or Lab that Received the Data, Principal Investigators or Principal Researchers (including student researchers)

Lead IT service provider for Office of Record which may also include the data stewards themselves

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

IV.05. FINANCE/Public safety and Risk Services

IV.06. FINANCE/Information technology

IV.07. FINANCE/Property, facilities and planning; sustainability

IV.09. FINANCE/Purchasing and contracting

Information System Configuration

Information system and configuration data, where modification (maliciously or accidentally) could compromise the confidentiality, integrity or availability of UO information systems and data. Examples of this type of record include:

• Information system configurations
• Network diagrams
• Application system architecture diagrams
• Data flow diagrams
• Security architecture diagrams

High Risk (Red)

Information Services

Vice Provost and Chief Information Officer

ACIOs, CTO, CISO

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

IV.02. FINANCE/Audits

Internal Audit Working Papers

Evidence obtained by Internal Audit or their delegates during audit, consulting or investigative activities, used to support final opinions or recommendations during an engagement. Examples of this type of record include:

• Financial records
• Confidential interview notes
• Sensitive system security vulnerabilities or weaknesses
• Sensitive personnel information

High Risk (Red)

Audit

Chief Auditor

Lead IT service provider for Office of Record

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

IV.09. FINANCE/Purchasing and contracting

Items Covered by Contractual Non-Disclosure or Data Use Agreement

Items including information, equipment, materials, or data deemed confidential or sensitive by contract executed by University representatives with third parties. Example:

• Trade secrets
• Proprietary datasets
• Proprietary methods or processes
• Data Use Agreements or confidentiality terms in Testing, Sponsored Research or Other Sponsored Activity Agreements

High Risk (Red)

Office, Department or Lab that Received the Data

Head of Office, Department or Lab that Received the Data

Lead IT Support for Office of Record

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

IV.05 FINANCE, ADMINISTRATION AND INFRASTRUCTURE/Public Safety and Risk Services

Law Enforcement Information (LEI)

Non-public law enforcement records generated or maintained by the University of Oregon Police Department (UOPD) and Regional Partners (City of Eugene PD, City of Springfield PD, Junction City PD).  Examples of this type of information include:

• Unpublished criminal records (NCIC returns, local CHRI)
• Active investigation information (Case Files)
• Vehicle/Officer location information (via CAD or GPS)
• Video recording of police activity (Body Cam, In-car video, Taser video)
• Audio Recording of police activity
• Background Check Information
• Electronic Fingerprint combined with PII

High Risk (Red)

UOPD

UO Police Chief

Lead IT service provider for Office of Record

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

II.08 ACADEMICS, INSTRUCTION AND RESEARCH/Museums and Libraries

Library Transactional Data

Library circulation data that are exempt from Public Records Request under Oregon Public Records law. Specifically, E.4.e.(23) Library Records ORS 192.502(23) exempts the records of a library, including:

• Circulation records, showing use of specific library material by a named person;
• The name of a library patron together with the address or telephone number of the patron; and
• The electronic mail address of a patron.

Moderate Risk (Amber)

University Libraries

Dean of Libraries

Lead IT service provider(s) for Office of Record

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

II.01 ACADEMICS, INSTRUCTION AND RESEARCH/Curriculum and Instruction

Non-sensitive Course or Program Information

Majority of data generated or received as part of conducting course work, that has not been identified by the University as sensitive and subject to another classification in this table. Examples of this type of data include:

• Course descriptions
• Student coursework

Low Risk (Green)

Head of Office, Institute, Department or Lab that Received the Data

Course instructors, students for their work products

Lead IT service provider for Office of Record which may also include the data stewards themselves

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

II.06. ACADEMICS/Research, general

II.08. ACADEMICS/Museums and Libraries

Non-sensitive Research Information

Majority of data generated or received as part of conducting research, testing or other sponsored activity, that has not been identified by funders/sponsors, or by the University as sensitive and subject to another classification in this table.

Low Risk (Green)

Head of Office, Institute, Department or Lab that Received the Data

Head of Office, Institute, Department or Lab that Received the Data, Principal Investigators or Principal Researchers (including student researchers)

Lead IT service provider for Office of Record which may also include the data stewards themselves

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

II.06. ACADEMICS/Research, general

II.08. ACADEMICS/Museums and Libraries

III.01. STUDENTS/Conduct and Student Activities

III.02. STUDENTS/Housing and residence life

III.03. STUDENTS/Tuition and student fees

III.04. STUDENTS/Student health services

III.05. STUDENTS/Student records

III.06. STUDENTS/Scholarships and financial aid

III.07. STUDENTS/Intercollegiate athletics

III.08. STUDENTS/Admissions, Oregon residency

IV.04. FINANCE/Business affairs

IV.05. FINANCE/Public safety and Risk Services

IV.06. FINANCE/Information technology

IV.08. FINANCE/Parking and vehicles

IV.09. FINANCE/Purchasing and contracting

IV.11. FINANCE/Fundraising and Development

V.01. HR/Affirmative Action and Equal Opportunity

V.02. HR/Benefits

V.03. HR/Compensation and payroll

V.04. HR/Workplace

V.05. HR/Performance Management

V.06. HR/Recruitment and selection

V.07. HR/Separation

V.08. HR/Time-off and leave

V.09. HR/Employee Records

V.10. HR/Human resources, other

Personally Identifiable Information (PII)

Personally Identifiable Information (PII) is defined as any data element or combination of data elements that would be sufficient to be used to fraudulently assume the identity of an individual, consistent with the Oregon Consumer Identify Theft Protection Act (OCITPA). Examples of this type data include a person’s name in combination with one or more of the following:

• Social Security number (SSN)
  • note: UOIDs or 95#s are treated as Moderate
• W2s, W4s, I9s
• Driver’s license number or state identification card number
• Identification number issued by a foreign nation
• Passport number
• Bank Account number, Credit Card number or Debit Card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account
• Biometrics
• Date of Birth
• Personal Data of covered “data subjects” defined under the EU General Data Protection Regulation (GDPR) including - name, email, government-issued IDs, photo, IP address or web cookies, health information, genetics, race or ethnic origin, biometrics, sex life or sexual orientation, political opinions, religious or philosophical beliefs, trade/union, and criminal convictions.

High Risk (Red)

University Registrar’s Office

Law School

Human Resource Office

University Libraries

University Advancement

Business Affairs Office (BAO)

Office of Student Financial Aid and Scholarships

Office, Department or Lab that Received the Data

University Registrar

Law School Registrar

Chief Human Resource Officer (CHRO)

Dean of Libraries

Senior Associate Vice President of Development Advancement

Associate Vice President, Business Affairs/Controller

Director of Financial Aid

Head of Office, Department or Lab that Received the Data

Lead IT service provider for Office of Record

Associate Director for Operations, Student Financial Aid and Scholarships

Lead IT service provider for Office of Record

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

V.09. HR/Employee Records

Personnel Files

Faculty or staff personnel records. Examples of this include:

• Performance related documents such as annual appraisals or disciplinary documents.
• Employment related documents such as: applications, resumes/CV, offer letters or contracts,
• Pay related documents
• Separation documents

This information can be in a variety of formats, systems, and locations such as, MyTrack, and personnel files held in the department, Provost Office and/or Human Resources in paper and electronic file drives. Some of this information can be obtained via a public record request.

Moderate Risk (Amber)

Human Resource Office

Chief Human Resource Officer (CHRO)

Director, HR Operations

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

Spans many series

Private Personal Information (PPI)

Faculty, staff, students and others as applicable:

• Biographic/demographic data including date and location of birth, citizenship, citizenship status, marital status, gender identity and sexual orientation.
• Genetic Information protected under the Genetic Information Nondiscrimination Act (GINA)
• Employee contact information (home address and phone numbers)
• Military status
• Pre-employment checks including but not limited to criminal history, post offer testing, driver's license, employment or educational verification and credit.
• Grievance information
• Absence or time-off reason
• Medical information, including disability status
• Conflict of Interest information
• FMLA Information (Family Medical Leave Act)
• OFLA Information (Oregon Family Leave Act)
• Fitness for Duty Information
• Vendor TAX Identification Information (e.g., EIN, SSN, W9, W8, etc.)

High Risk (Red)

Human Resource Office

University Registrar’s Office

Law School Registrar’s Office

University Libraries

Business Affairs Office (BAO)

Purchasing & Contracting Services (PCS)

Office of Student Financial Aid and Scholarships

Chief Human Resource Officer (CHRO)

University Registrar

Law School Registrar

Dean of Libraries

Associate Vice President, Business Affairs/Controller

Chief Procurement Officer (CPO)

Director of Financial Aid

Director, HR Operations

Lead IT service provider for Office of Record

Associate Director for Operations, Student Financial Aid and Scholarships

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

III.04. STUDENTS/Student health services

III.07. STUDENTS/Intercollegiate athletics

V.01. HR/Affirmative Action and Equal Opportunity

V.07. HR/Separation

V.08. HR/Time-off and leave

V.09. HR/Employee Records

V.10. HR/Human resources, other

Protected Health Information (PHI)

Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA) refers to “all individually identifiable health information” in any form that is related to the provision of past, present, or future physical or mental health care to the individual, or the payment of health care. It is also defined as health and demographic information with respect to which there is a reasonable basis to believe the information can be used to identify the individual. Note: similar data used in HIPAA Hybrid Covered Entities are classified similar to PHI used in HIPAA Covered Components.

Health information combined with unique identifiers of the individual or of relatives, employers, or household members of the individual, will result in the information being categorized as Protected Health Information (PHI):

• Names
• All geographic subdivisions smaller than a State, including
  • Street address
  • City
  • County
  • Precinct
  • Zip code

• All elements of dates (except year) for dates directly related to the individual, including

  • Birth date
  • Admission date
  • Discharge date
  • Date of death
  • Elements of dates for individuals over 89 years old
• Telephone numbers
• Fax numbers
• Social security numbers (SSN)
• Medical record numbers
• Health plan beneficiary numbers (health insurance number)
• Bank Account numbers
• Certificate/license numbers
• Email addresses
• Social media profile names (or handles)
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Device identifiers and serial numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Biometric identifiers, including finger and voice prints
• Full-face photographs and any comparable images
• Any other unique identifying number, characteristic, or code. In addition to the removal of unique identifiers, there should be reasonable assurance that the individual or entity intending to use the data does not have actual knowledge that the remaining information could be used alone or in combination with any reasonably available information to identify an individual who is subject. Other details that may result in the identification of an individual include: initials, circumstances associated with the care of an individual, highly publicized details, and profession or occupation.

High Risk (Red)

HIPAA Covered Components:

University Health Center

Health Insurance Program

Counseling Center

HEDCO Clinic

EC CARES

HIPAA Hybrid Covered Entities:

Business Affairs Office (BAO)

Information Services

Student Life

Internal Audit

Office of General Counsel (OGC)

Research Compliance Services

Safety and Risk Services

Other:

Office, Department or Lab that Received the Data

Other medical information (e.g., maintained by Athletics)

Executive Director, University Health Center

Executive Director, University Health Center

Executive Director, Counseling Center

Director, HEDCO Clinic

Director, EC Cares

Associate Vice President, Business Affairs/Controller

Chief Information Officer

Associate Vice President and Chief of Staff

Chief Auditor

Vice President & General Counsel

Director, Research Compliance Services

Chief Resilience Officer (CRO)

Head of Office, Department or Lab that Received the Data

Athletics Director

Lead IT service provider for Office of Record

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

Spans many series

Sensitive Alumni, Donor or Constituent Information

Sensitive information of alumni and donors including:

• Bio/demographic Data
• Contact Information (home address, phone numbers, email, etc.)
• Prospect and Engagement Data
• Gift and Gift Planning Data
• Membership Data
• Fund Data
• Reports

High Risk (Red)

University Advancement

UO Alumni Association

UO Foundation

Senior Associate Vice President of Development

Vice President, Advancement Services

Executive Director, UO Alumni Association

Lead IT service provider for Office of Record

Vice President, Technology Services, UO Foundation

Executive Director, Development Strategies and Pipeline Programs

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

II.06. ACADEMICS/Research, general

Sensitive Intellectual Property - Research

Information about intellectual property created by University employees in connection with their work, or information provided to UO employees that represents intellectual property to the owner. Examples of this type of information include:

• Sensitive unpublished research data
• Sensitive pre-patent data
• Trade secrets, other information deemed sensitive via contracts with external organizations of individuals

High Risk (Red)

Head of Office, Institute, Department or Lab that Received the Data

Head of Office, Institute, Department or Lab that Received the Data, Principal Investigators or Principal Researchers (including student researchers)

Lead IT service provider for Office of Record which may also include the data stewards themselves

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

IV.05. FINANCE/Public safety and Risk Services

Sensitive Security Data

Information that can be used to assist an attacker in compromising the confidentiality, integrity or availability of UO information systems and data. Examples of this type of record include:

• Vulnerability scanning results
• System log details relating to security events or sensitive functions
• Detailed network diagrams, data flow diagrams, or detailed application system architecture diagrams
• Security and risk assessment data and results
• Internal security investigations
• Internal or external security audit findings
• Active incident response data – evidence, results, internal communication, response tactics, etc.

Authentication data, e.g.,

• PAC (personal access code)
• DuckID password
• Digital Certificates and private keys
• Biometrics (e.g., finger prints, iris scans)
• PINs, etc.

High Risk (Red)

Information Security Office

Chief Information Security Officer

Director of Information Security Services and Assurance

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

III.06. STUDENTS/Scholarships and financial aid

III.07. STUDENTS/Intercollegiate athletics

IV.04. FINANCE/Business affairs

V.03. HR/Compensation and payroll

V.09. HR/Employee Records

Student Financial Aid Data (GLBA)

The Gramm-Leach-Bliley Act (GLBA) requires that financial institutions act to ensure the confidentiality and security of customers’ “nonpublic personal information,” or NPI. This law also covers Financial Aid Data stored and processed by Universities. Examples of this type of information include nonpublic personal information such as:

• Social Security numbers (SSN)
• Credit and income histories
• Credit and bank card account numbers
• Phone numbers, addresses, names, and any other personal customer information received by a “financial institution” [Office of Financial Aid and Scholarships] that is not public.

High Risk (Red)

Office of Student Financial Aid and Scholarships

Business Affairs Office (BAO)

Director of Financial Aid

Associate Vice President, Business Affairs/Controller

Associate Director for Operations, Student Financial Aid and Scholarships

Lead IT service provider for Office of Record

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

III.01 ADMINISTRATION OF STUDENT AFFAIRS/Conduct and Student Activities

III.02 ADMINISTRATION OF STUDENT AFFAIRS/Housing and Residence Life

III.04 ADMINISTRATION OF STUDENT AFFAIRS/Student Health Services

III.05 ADMINISTRATION OF STUDENT AFFAIRS/Student Records

III.06 ADMINISTRATION OF STUDENT AFFAIRS/Scholarships and Financial Aid

III.07 ADMINISTRATION OF STUDENT AFFAIRS/Intercollegiate Athletics

Student Records (directory information)

Student educational records designated as “directory information” by the University Registrar’s Office; by default these records can be released without student approval. Students can request nondisclosure by filing a Directory Information Restriction via the Registrar’s Office. Examples of this type of information are listed on the Registrar’s website at: https://registrar.uoregon.edu/records-privacy

Low Risk (Green)

University Registrar’s Office

Law School Registrar’s Office

University Registrar

Law School Registrar

Director of Technology for OEM, Assc Reg.

Director of IT, Law School

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

All series under “Student Records”

Student Records (non-directory)

Student educational records designated as “nondirectory information” by the University Registrar’s Office. The Family Educational Rights and Privacy Act (FERPA) governs release of, and access to, student education records. Examples of this type of information are listed on the Registrar’s website at: https://registrar.uoregon.edu/records-privacy

Moderate Risk (Amber)

University Registrar’s Office

Law School Registrar’s Office

University Registrar

Law School Registrar

Lead IT service provider(s) for Office of Record

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

II.06 ACADEMICS, INSTRUCTION AND RESEARCH/Research, General

III.03 ADMINISTR

ATION OF STUDENT AFFAIRS/Tuition and Student Fees

III.06 ADMINISTRATION OF STUDENT AFFAIRS/Scholarships and Financial Aid

IV.01 FINANCE, ADMINISTRATION AND INFRASTRUCTURE/Budget

IV.04 FINANCE, ADMINISTRATION AND INFRASTRUCTURE/Business Affairs

IV.09 FINANCE, ADMINISTRATION AND INFRASTRUCTURE/Purchasing and Contracting

IV.11 FINANCE, ADMINISTRATION AND INFRASTRUCTURE/Fundraising and Development

V.03 HUMAN RESOURCES/Compensation and Payroll

University Financial Records

UO internal financial records subject to public records law but not yet vetted for release. Examples of this type of information include:

• Budget planning information
• Accounting records (Payables, Receivables, Fixed Assets, Ledger Entries)
• Payroll information
• Procurement and contracting information (e.g., bids, contract, RFPs, proposals)
• P-Card and eProcurement Data
• Travel information
• Treasury management information (debt, investments, and banking)
• Insurance and claims records
• Taxation records

Moderate Risk (Amber)

Business Affairs Office (BAO)

Purchasing & Contracting Services (PCS)

Budget and Resource Planning

Associate Vice President, Business Affairs/Controller

Chief Procurement Officer (CPO)

Director of Budget Operations (Stuart Laing)

Director,

BAO Information Systems

Functional Classification/Corresponding Retention Schedule Series

Data Type

Description & Examples

Security Classification

Office of Record

Data Steward

Data Custodian

IV.05. FINANCE/Public safety and Risk Services

Workers Compensation

Data relating to workers compensation injuries, which could contain medical information.

High Risk (Red)

Safety and Risk Services (SRS)

Occupational Health & Safety Manager

Lead IT service provider(s) for Office of Record