Data Classification Guide to IT Services

Use this guide to make informed decisions about where to safely store and share university data. Protecting sensitive data is a shared responsibility. You are responsible for ensuring that your use of permitted services complies with laws, regulations, and policies where applicable. Please visit the Core Security Standards webpage for more information about how to safely secure workstations and servers.  Contact or with any questions.

Data Types

Level I - Low Sensitivity: data that is public, or published with no restrictions.  Examples include published "white pages" directory information, maps, academic course descriptions.

Level II - Moderate Sensitivity: data that is non-public or internal data.  Examples of institutional data include official university records, budget information, unofficial student records, some research data.  PLEASE NOTE - The University of Iowa recognizes genetic data as non-identifiable, Level II data unless paired with other identifiers.

Level III - High Sensitivity: data that is confidential or restricted due to personal privacy considerations or compliance regulations and laws.  Examples include social security numbers, human subjects research data, identifiable health information, full-face photogenic images or videos. PLEASE NOTE - PCI data should not be stored on any of the services listed below.  If you are working with PCI data, please contact the IT Security Office.

Export-Controlled - High Sensitivity: U.S. defense-related data where disclosure to a foreign national must be prevented.  Examples include military items, space-related technology, technical defense data (e.g. ITAR, EAR)

HIPAA - High Sensitivity: protected health information (PHI) from the University of Iowa Hospitals and Clinics.  Examples of Level III data combined with any health information.

IT Tools & Services


Level I

Level II

Level III



Research Data Storage Service (RDSS)

Large Scale Storage (LSS)

Home Drives (Files@Iowa)

Shared Drive (Files@Iowa)

OneDrive for Business

SharePoint Online (O365)


Google Drive

Apple iCloud


Personal Devices (e.g. laptops, USBs, personal cloud services, etc.)

AWS Cloud Enterprise

Microsoft Azure Cloud Services Enterprise

HPC Systems



Research Remote Desktop Service


Skype for Business


Permitted with IT Security Consultation
Not Permitted


Article number: 
Last updated: 
January 31, 2019