Research Data Classification

Research data classification can be determined by the data contents or might be directed by a funding agency or partner. Please review this information and apply it to the Selector Tool (see sidebar option 1) to view the available research data solutions. If in doubt as to whether or not your research activities involve regulated research data, please contact the Research Data Management Office for additional guidance.

For research involving Indigenous or culturally sensitive data, please request a consultation here and the Research Data Management Office can connect you with our partners at the ASU Library.

Public / Low Risk Data

Data openly and freely available to the public or data collected while ensuring anonymity. For example:

• Data openly and freely available to the public - for example, dataset associated with an already-published manuscript
• De-identified data that neither contains nor asks for direct or indirect identifiers and cannot be re-identified

Please see the Code of Federal Regulations, 45 CFR 164.514(b)(2)(i), for a list of direct identifiers.

Sensitive / Moderate Risk Data

Data that are not yet available to the public or that contain no confidential, restricted, or regulated information. For example:

• Most unpublished research project data, such as working data and research notes collected during the course of research
• Research data that contains personally identifiable information (PII) with no links to human health data
• Sensitive data involving animal research
• Environmentally sensitive data

ASU-regulated Data

Institutional/internal information classified as high-risk university data that is subject to legal or regulatory requirements and requires additional provisions to ensure it is adequately stored and protected. This usually includes additional controls and policies to restrict unauthorized or unapproved access to (or sharing of) the data. Examples of internal/institutional data that is regulated includes, but is not limited to:

• Identifiable human subject data (PII)
• Human health data with links to the individual (PHI)
• Identifiable financial data (PFI)
• Export Administration Regulations (EAR)
• International Traffic in Arms Regulations (ITAR)
• Dark web
• National Security Defense data
• Some social media data
• Cybersecurity
• Data provided by a 3rd party via a data use agreement that has restrictions on use, possession, or access

Important: some research data may need to be treated as ASU-regulated data. For example:

• Pseudonymous data that contains no direct identifiers, but indirect identifiers remain intact with links to human health data

Health Insurance Portability and Accountability Act (HIPAA)

Certain health information is protected by HIPAA (Health Information Portability and Accountability Act) and considered confidential if it is individually identifiable and held or transmitted by a covered entity. Examples of these data include, but not limited to:

• Human health data with links to the individual (PHI)
• Health records
• Patient treatment information
• Health insurance billing information

Important: some research data may need to be treated as HIPAA-regulated data.

Family Educational Rights and Privacy Act (FERPA)

The Family Educational Rights and Privacy Act (FERPA) defines education records as materials that contain information directly related to a student and that are maintained by an educational agency or institution or by a person acting for such agency or institution. Examples of educational record data include, but not limited to:

• Personally identifiable information (PII)
• Transcripts and grades
• Financial aid information
• Disciplinary records
• Citizen status

Export Controlled (ITAR/EAR)

• International Traffic in Arms Regulations (ITAR) data are related to and required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles and software directly related to defense articles.
• Export Administration Regulations (EAR) data cover the commercial components of product and data import and export. This applies to dual-use items available for both commercial sales and government use like GPS or high-performance computers.

Important: Export Controlled Information (EPI) is considered High Risk; none of the services described here are appropriate for EPI. Researchers needing to store EPI should consult with the Export Controls Office.

Controlled Unclassified Information (CUI) or
Cybersecurity Maturity Model Certification (CMMC) Level 2 or 3

Data that contains personally identifiable or legally protected information. These data require safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified.

• Data that has restrictions due to data use agreements or other regulations such as census data, NIH dbGaP data, data containing social security numbers, or credit card numbers along with names or other identifiers.
• CMMC data relate to US defense contractors and combines different standards and requirements to measure the cybersecurity maturity of the defense supply chain.