Categorizing data for a state agency

Under Washington State IT Policy 141.10 (Securing Information Technology Assets), state agencies must classify data into categories based on the sensitivity of the data. This checklist helps agencies determine what type of data they are collecting and the proper handling of that data.

The following are four categories data will fall under. If you cannot establish the proper category for your data there are resources listed at the end of the checklist you can contact who can help you with the categorization.

Category 4: "Confidential information requiring special handling."

If you can reasonably answer "yes" the following two questions then you are included in Category 4:

1. Does the data have any especially strict handling requirements applied by statutes (such as HIPAA) or regulations (such as rules on employee files) or agreements?

2. Would serious consequences arise from unauthorized disclosure, such as threats to health and safety, or legal sanctions?

Category 3: "Confidential information."

1. If your data was NOT covered under Category 4, then evaluate whether it is covered under Category 3. Under Category 3 the information is specifically protected from either release or disclosure by law.

2. Is the data "Personal information" as defined in RCW 42.56.590 (security breaches) and RCW 19.255.010 (personal information disclosure)? An individual's first name or first initial and last name in combination with any one or more of the following data elements:

  • Social security number.
  • Driver's license number or Washington identification card number.
  • Full account number, credit or debit card number, or any required security code, access code, or password that would permit access to an individual's financial account.

3. If the data is held by a public agency in personnel records, does it contain any of the following about home health care workers, employees, or volunteers of a public agency or their dependents?

  • Residential addresses.
  • Residential telephone numbers.
  • Personal wireless telephone numbers.
  • Personal email addresses.
  • Social security numbers.
  • Driver's license numbers.
  • Identicard numbers, and emergency contact information.

4. Evaluate whether the data is basically a list of individuals and is it NOT a list of licensees or applicants. Also:

  • Is the requestor NOT the profession's recognized licensing or examination board
  • Was it requested for commercial purposes?

5. Does the data concern the infrastructure and security of computer and telecommunication networks?

6. If you are unsure if your data fits in any of the groups listed above for Category 3 then consult these resources:

  • Your organization's public records officer.
  • RCW 42.56.250 - employee files.
  • RCW 42.56.070(8) - list of individuals.
  • RCW 42.56.420 - security.

7. Does your agency have specific public records requirements that have to be considered?

Category 2: "Sensitive information."

If your data is not covered in the above categories then consider whether it is covered under Category 2. Answering "yes" to both of the following questions indicates whether your information is covered under this category.

  • Is the data intended for official use only?
  • Is it usually withheld unless specifically requested?

Category 1: "Public Information."

If your information is not covered under Categories 4, 3 or 2 then it is probably under Category 1 or even "Open Data." The following are characteristics of public information:

Is the information already released to the public - such as through a previous public records request?
If not, does the agency believe it should be released rather than protected?

Still not sure it's public data? Consult these resources:

  • Your organization's Privacy Officer.
  • Your organization's Records Officer.
  • Your organization's Open Data Plan.
  • Our checklist on Publishing Open Data.
  • WaTech guidance on what to publish first.