Information Classification Best Practices | Information Technology and Services

Information Classification

Understanding Rensselaer Polytechnic Institute Information Classification policy

Data is classified at RPI into three categories, Confidential, Internal Use, and Public. Please see below for information regarding these data types, examples of data, and permitted authorization for access to this data. More information can also be found at: Office of General Counsel - Policy - Information Classification

It is critical that our Rensselaer Community stores sensitive data in secure locations, and that individuals use secure methods of transmission when there is a business need to share confidential/high risk, and internal use data. If working with Confidential data also means disclosing to third parties, there could also be legal requirements to be met before data transmission.

If you need assistance with data classification and risk, Book Office Hours with Information Security

Confidential Data

Unauthorized or inappropriate disclosure of Confidential data - whether through malicious intent, human error, or system vulnerabilities, would have severe adverse effects on operations, assets, or reputation of RPI confidentiality obligations. See Information Classification Policy - Office of General Counsel - Policy - Information Classification

Inappropriate handling of Confidential data without authorization could result in potential consequences such as criminal or civil penalties, loss of federal funding, reputational damage, identity theft, financial loss, and/or invasion of privacy.

Examples of Confidential Data include:

Personnel File
Social Security Numbers
Dates of Birth
Health Records
Email Password
Mother's Maiden name
Student Grades
Banking Information
Personal Identifiable Information (PII)

Access to Confidential Data is only permitted to Rensselaer Employees, Contractors, and others with a business need to know who have signed confidentiality agreements and/or completed data classification training.

Internal Use

Inappropriate handling of Internal Data without authorization could result in reputational damage, loss of competitive advantage if Institute trade secrets are exposed, and loss of trust and confidence from stakeholders.

Examples of Internal Use Data include:

Unpublished Research Data
Parking Lot Assignments
Employee Home Address
Course Notes
Portfolio Performance Plans

Access to Internal Data is only permitted to Rensselaer Employees, Contractors, and others with a business need to know.

Public Data

Information that has been made available for public distribution through authorized Rensselaer channels. Public information is not sensitive in context or content and requires no special protection.

Examples of Public Data include:

Course Catalog
Research Publications
RPI Forward Plan

There are no restrictions for access to Public Data.

Information Security Tips

Know where your data is stored - and who has access to it
- If a sensitive attachment is saved in your email, and is synced to multiple devices, the attachment is on all of those devices. Knowing where your data is stored allows you to put proper protections, encryption, and permissions in place to safeguard this data.
Protect your identity and login credentials
- Your RCSUserID credentials are used to access many of RPI systems that contain personal or Institute sensitive data. Avoid Phishing attempts, create complex passwords, and enroll in Biometric authentication for your devices (fingerprint, FaceID, etc.).
Ensure that websites are using encryption
- Before entering sensitive information, including login credentials, look for signs of an encrypted webpage:
- URL starts with "https://"
- Padlock icon is visible on the Address Bar: or

Thank you,

Matthew Lewis

Information Security Analyst

A person in a blue shirt and tie

AI-generated content may be incorrect.