The University of Pittsburgh takes seriously its commitment to protecting the privacy of its students, alumni, faculty, and staff and protecting the confidentiality, integrity, and availability of information essential to the University's academic and research mission. For that reason, we classify our information assets into risk categories to determine who may access the information and what minimum security precautions must be taken to protect it against unauthorized access.
Note: The Pitt Digital Security team must assess all systems that transmit, process, or store data classified as Restricted. Please contact the 24/7 IT Help Desk with questions about the appropriate protection of information.
Risk | Restricted Data (High Risk) | Private Data (Moderate Risk) | Public Data (Low Risk) |
---|---|---|---|
Definition | Data that must be protected by law, regulation, or University policy. Loss of confidentiality, integrity, or availability of this data or the systems on which it is stored and used could have a severe adverse impact on the University's mission, safety, finance, or reputation. | Data that is not generally available to the general public. Loss of confidentiality, integrity, or availability of this data or the systems on which it is stored and used could have an adverse impact on the University's mission, safety, finance, or reputation. | Data that is intended for public disclosure and use. Loss of confidentiality, integrity, or availability of this data would have little to no adverse impact on the University's mission, safety, finance, or reputation. |
Data Examples | Social Security Number; Date of Birth; Driver's License/State ID number; Bank/Financial account number; Credit/Debit card number; Visa/Passport number; Electronic Protected Health Information (ePHI); Controlled Unclassified Information (CUI); Export controlled information under U.S. laws; Donor contact information and non-public gift information; Mental health counseling information; Other information protected by contractual agreements; High risk University Intellectual property | Student records and admission applications; Employment applications, personnel files, benefits, salary, personal contact information; Non-public policies, manuals, and contracts; Internal correspondence, non-public reports, budgets, plans, financial info; University and employee ID numbers; Engineering, design, and operational information regarding infrastructure; Moderate risk University Intellectual property | Directory information; Policy and procedure manuals designated by the owner as public; Job postings; Information in the public domain; Low risk University Intellectual property |
Human Subject Research Data Examples* | Identifiable sensitive human subject data | Identifiable non-sensitive human subject data; De-identified sensitive human subject data | Anonymous human subject data; De-identified non-sensitive human subject data |
Storage, Transmission, and Collaboration | Storage is prohibited on computing equipment unless registered with and approved by Pitt Digital. Encryption in transit and at rest is required. Legal, ethical, or other constraints prevent access without specific authorization. | Data may be stored on departmental, Pitt Digital hosted or approved cloud-based systems. Encryption in transit is required. May be accessed by Pitt affiliates and non-employees with authorization. | Data may be stored on departmental, Pitt Digital hosted or approved cloud-based systems. Encryption in transit is not required but is recommended. No specific access restrictions. |
*Human Subject Research Data is considered sensitive when the disclosure of information could have adverse consequences for subjects or others, place them at risk for criminal or civil liability, or damage their financial standing, employability, insurability, or reputation.
Data Classification Compliance
Protecting sensitive data is a shared responsibility. Pitt Digital provides guidance and resources to store data securely. You are responsible for ensuring that your use of permitted services complies with laws, regulations, and policies where applicable.
Entering data into non-approved AI tools such as DeepSeek or ChatGPT carries the inherent risk of that data being compromised or mishandled, potentially leading to serious consequences such as privacy violations, financial loss, or reputational damage. The use of restricted or private data in these tools is strictly prohibited.
Please contact the Technology Help Desk with questions about the appropriate protection of information.
Key |
---|
Data type is permitted. Please follow the Security Guide where available. |
Data type is generally permitted. Contact Pitt Digital for a security consultation before use. |
Data type is not permitted due to regulatory compliance or high risk. |
Service Security Guide
Service | Maximum Acceptable Data Class |
---|---|
Enterprise Cloud Computing (Amazon Web Services, Google Cloud Platform, Microsoft Azure) | Restricted |
Cloud Storage | Restricted |
Cloud Storage | Public |
Document Management (Perceptive Content/ImageNow) | Restricted |
eFax | Restricted |
Electronic Research Notebooks (LabArchives) | Restricted |
 | Public |
Email – Encrypted | Restricted |
Enterprise Storage (Isilon / PowerScale) – Non-restricted Access Zone | Private |
Enterprise Storage (Isilon / PowerScale) – Restricted Access Zone | Restricted |
 | Restricted |
Learning Management System (Canvas) | Private |
 | Private |
 | Restricted |
 | Restricted |
Student Information System (PeopleSoft) | Restricted |
 | Restricted |
 | Private |
Videoconferencing (Sensitive/HIPAA Zoom) | Restricted |

[Per-service permission icons for the data type columns (Non-Directory Student Records, Student Financial Information, Protected Health Information, Payment Card Information) are not available.]