Skip to main content

Controlled Data

What is Restricted or Controlled Data?

Restricted or Controlled Data is confidential or sensitive information requiring a high level of security and privacy protection. The unauthorized disclosure, alteration, or destruction of restricted or controlled data could cause a significant level of risk to institutional operations, institutional assets, or an individual. Often, additional requirements exist for protection of restricted or controlled data based on sponsors, contracts, regulations, or data use agreements.

Data Sets, Data Types, and Data Classifications
  • a Data Set is set of data records collated to support a specific activity.
  • a Data Type is a specific category of information. A particular data type may be defined by an organization or, in some instances, by a specific law, Executive Order, directive, policy, or regulation. Data type identification is carried-out in the context of and based on a law-related determination which accounts for a set of laws and regulations, university policies and procedures, or industry standards. University Policy 5120, Export Control and Controlled Data, relates to data type identification.
  • a Data Classification is a simple and high level means of identifying the level of security and privacy protection to be applied to a Data Type or Data Set and the scope in which it can be shared. Data classification is carried-out in the context of the utilization of an IT tool or service. University Policy 8060, Information Privacy and Data Security, relates to data classification.
Data Types that are Restricted or Controlled Data and common in the context of research
  • Export Controlled Information (ECI) which includes information (which may include technology, technical data, assistance or software), the export (including, as applicable, transfer to foreign persons within the United States) of which is controlled under the EAR, the ITAR, 10 CFR Part 810, or by OFAC. ECI is information scientific or technical in nature (STI). ECI is broadly defined and intended to capture a wide variety of STI. ECI may be found in: statements of work, conference papers, conference presentations, journal articles, abstracts, drawings, fact sheets, reports, memos, manuals, data sets, dissertations, instructions, blueprints, specifications, test data, engineering analysis, software, scripts, intangible files, patent applications, proposals, photographs, audio files, videos, or the like.
  • Protected Health Information (PHI) which includes information transmitted or maintained in any form or medium (electronic, paper, oral or other) that (i) is created or received by a Covered Entity or any Health Care Component of a Hybrid Entity, (ii) relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and (iii) is identifiable to an individual or there is a reasonable basis to believe can be used to identify an individual. PHI is protected by HIPAA and includes any individual health information created, collected or received by any health care component of the university for either treatment or research purposes. PHI specifically includes but is not limited to the following, any PII field in combination with the following medical modifiers: Diagnosis or ICD code, Treatment or CPT code, Provider name or number, DEA number, Physician name, Treatment date, Patient notes, Psychiatric notes, Patient photos, or Radiology images.
  • Personally Identifiable Information (PII) which includes any information that permits the identity of an individual to be directly or indirectly inferred, which if lost, compromised, or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. PII includes but is not limited to the following: a) any of the following stand-alone elements: Full Social Security Number (SSN), Driver’s license or State ID number, Passport number, Visa number, Alien Registration Number, Fingerprints or other biometric identifiers, or b) Full name in combination with: Mother’s maiden name, Date of birth, Last 4 digits of SSN, Citizenship or immigration status, Ethnic or religious affiliation.
  • Controlled Unclassified Information (CUI) which is unclassified information requiring safeguarding and dissemination controls mandated by statute or policy. Examples of such information include Official Use Only (OUO), Export Controlled Information (ECI), Unclassified Controlled Nuclear Information (UCNI), unclassified Naval Nuclear Propulsion Information (U-NNPI), Unclassified Controlled Information (UCI), Sensitive Unclassified Information (SUI), Statistical Information (STAT), Health Information (HLTH), Protected Health Information (PHI), and protected Personally Identifiable Information (PII).

Department of Defense CUI Training for information on the eleven training requirements for accessing, marking, safeguarding, decontrolling and destroying CUI.