Data Classification

As of May 2015, a new set of classifications has been established and is now in effect for Stanford data: High Risk, Moderate Risk, and Low Risk.  For each level, they have defined who is allowed access to the information, and how that information is permitted to be stored and transmitted. For the full definitions of each category, see the official Risk Classifications.

The former framework - Prohibited, Restricted, Confidential, and Unrestricted - will be phased out by January 2016.

If you have further questions, including questions about specific kinds of data (student records, grades, applications, etc), see the FAQ for handling Prohibited and Restricted Data.

Cheat Sheet (For the full definitions, see the Official Risk Classifications.)


Information is classified as “High Risk” (formerly "Prohibited") if protection of the information is required by law or regulation, or if Stanford is required to report to the government and/or the individual if information is inappropriately accessed.

This includes:

  • Health Information, including Protected Health Information (PHI)
  • Health Insurance policy ID numbers
  • Social Security Numbers
  • Credit card numbers
  • Financial account numbers
  • Export controlled information under U.S. laws
  • Driver's license numbers
  • Passport and visa numbers
  • Donor contact information and non-public gift information

 ** You should never store any of this data on any of your computers at ALL, without the express permission of the Data Governance Board. This information is required to be encrypted.

Moderate Risk

(Previously "Restricted")

This includes:

  • Unpublished research data (at data owner's discretion)
  • Student records and admission applications
  • Faculty/staff employment applications, personnel files, benefits, salary, birth date, personal contact information
  • Non-public Stanford policies and policy manuals
  • Non-public contracts
  • Stanford internal memos and email, non-public reports, budgets, plans, financial info
  • University and employee ID numbers
  • Project/task/award (PTA) numbers
  • Engineering, design and operational information regarding Stanford infrastructure

This information is required to be encrypted.


(Previously "Confidential")

This includes:

  • Research data (at data owner's discretion)
  • SUNet IDs
  • Information authorized to be available on or through Stanford's website without SUNet ID authentication
  • Policy and procedure manuals designated by the owner as public
  • Job postings
  • University contact information not designated by the individual as "private" in StanfordYou
  • Information in the public domain
  • Publicly available campus maps



If you are unsure about what you need to do, contact the IRT Service Desk at 5-8000 and the folks there will answer your questions.