Common types of data you use on a regular basis may include financial, employee, donor, legal or other data. Academic applications being used may include the following: ESSIC, IBIS, ISIS, FIT, Doc Finity, Data Warehouse, EJMS, GAPS, Doc Finity, ANGEL (just to name a few).

Key Concepts for Data Categorization

(Resources to all four concepts can be found at:

  • Categorize. Know how to categorize data.
  • Secure. Do your part and secure the data (everyone is responsible, not just IT staff).
  • Store. Store data according to the category in permissible locations only.
  • Preserve. Keep data for the proper amount of time and destroy according to the retention schedule.

Categorize your Data

A variety of data types with corresponding categories can be found at: A combination of data types that correspond with differing categories should always use the highest category level. As an example, you may have a document that includes a combination of data categories – directory information (public data), employee home addresses (internal/controlled) and salary information (restricted). In this example, all three categories are represented; therefore, the document should be considered restricted. Check with the central Data Categorization Team ( if a data type you are using is not listed or categorized.

Take Action

  • Bookmark and reference often the four key data categorization concepts searchable site.
  • Connect with your unit Records Management Liaison (every department has an assigned liaison) to learn more about your responsibility. Contact the Records Management Program Staff 814-867-0286 to identify the liaison for your unit.
  • Check out the suite of less than six-minute videos around data safeguards (
  • Connect with your local IT staff and build a professional relationship. Alert them of any new software or equipment purchase requests made by staff, faculty or grad students. The local IT staff can review the purchase in advance and make sure the necessary measures are in place to secure the data electronically. In respect to software purchases, the local IT staff can determine whether the software will pose a security risk to the existing environment.
    • Did you know that software purchases which involve internal/controlled or restricted data should be routed to either Purchasing or Risk Management prior to purchase? Click through agreements for online access to software also require special approval by one or both of these offices depending on the data involved. For more information, visit
  • Scan for Personally Identifiable Information (PII). Identify whether the data is needed and whether it is stored in the proper location. Most units are using Identity Finder to scan for PII data so check with your local IT staff if you do not have or if you are not familiar with this software. PII data consists of a first name or first initial and last name combined with a Social Security Number (SSN), Driver’s License, credit card number or bank account number.
  • Request proper authorization if you are using, storing or processing Social Security Numbers (SSN). SSN use, process or storage is not permitted at the University unless special approval is granted by the Privacy Office. Check with your supervisor and/or the Privacy Office ( to see if an authorization is on file and up to date according to the renewal cycle.

Useful Resources

Penn State Mark
The Pennsylvania State University @2014
Privacy | Legal