Data Classification Policy

Revision History

  • Last Revised: 02/21/2025
  • Date Issued: 10/01/2024
  • Version 1.1
  • Approved by Jason Silva, Acting State Chief Information Security Officer

   1.  ​Purpose

This policy establishes standards of information classification, providing a framework outlining security levels that promotes effective management and oversight of data to protect against unauthorized access and use. The State’s policy is to be transparent in enabling the public to access public information while at the same time protecting individuals’ rights to data privacy and the State’s interest in maintaining the confidentiality of highly sensitive or confidential information.

This policy forms the basis from which Maryland Executive Branch agencies create procedures to protect the confidentiality, integrity and availability (CIA) of data by considering data content, data context, regulatory requirements, and risk level to stakeholders (public, individuals, agencies). Risk of harm to individuals who authorize the use of their “personal information” for a specific purpose is a key factor when determining data classification. Risk of harm to the agency and the State, be it financial, reputational, or social welfare, is considered as well. Data classification informs the level of security to be applied to a system to protect against unauthorized access to the data. Data classification should inform the data user on how to protect that data. 

Agencies are responsible for adhering to this Data Classification Policy and the application of appropriate handling requirements to ensure data is used and protected in accordance with its data classification. 

   2.  Scope 

This policy applies to all data, whether in electronic or non-electronic formats, collected, created or processed by All Executive Agencies. This policy applies to all State Executive Branch Agency data owners, employees, contractors, processors, and data users granted authorized access to State data and information systems. Information security personnel use data classification levels to provide the appropriate system security level. 

This policy is subject to applicable law. In the event of a conflict between the provisions of this policy and applicable law, including, without limitation, Md. Code Ann., Gen. Provisions Article, Title 4 (Public Information Act), the provisions of applicable law shall control.

   3.  Authority 

Md. State Finance and Procurement Code Ann, 3.5-2A-04(b)(1) 
Md. State Finance and Procurement Code Ann, 3.5-303

   4.  Policy

Data classification aids in the proper management and security of data in use, in transit, and at rest. This Data Classification Policy establishes a baseline against which to assess the responsibilities for CIA (Appendix B Table 1), and legal requirements to ensure the appropriate designation for data accessibility and protection. Data creators/generators and owners are responsible for appropriate classification of their data, while data users are responsible for following data protection guidelines for each data classification.

While data may be provided security levels above the data’s classification, data should not have security levels below its classification. Assigning higher data protection levels than necessary may impact data protection resource requirements and lessen transparency and needed access.

This Policy categorizes data into four (4) levels of classifications, as follows: 

  • Public
  • Protected/Internal Use Only
  • Confidential
  • Restricted

Level 1 -Public

Public data is data that a State entity has collected or created and is permitted, required or able to make available to the public consistent with applicable laws, rules and regulations. 

Correctly classifying data as Public is the most effective way to deliver government transparency and accountability and maximize access to authoritative, reliable and current data.

Level 2 -Protected/Internal Use Only

Data within this classification is accessible to Agency personnel or contractors who require access, and require protection from unauthorized use, disclosure, modification, or destruction. For example, draft versions of statistical or factual information that are used for internal analysis by a governmental entity do not constitute “open data” under the Open Data Act and should be classified as “Protected/Internal Use Only.” Storage of Protected/Internal Only information should be protected via physical and logical access controls to ensure authorized staff can easily access the data and maintain a level of control such that unauthorized individuals cannot easily access the data.

Level 3 -Confidential 

The sensitive nature of some data requires that it be treated as confidential. Confidential information is information that is protected from either release or disclosure by law. Confidential information includes but is not limited to Personally Identifiable Information (PII), Protected Health Information (PHI), credit card and financial information, student records, information about children, and other privileged or sensitive information. Confidential information must be kept confidential and requires individual consent, de-identification or anonymization, a public health mandate, or other requirement of law prior to being released. Confidential data should be accessible to authorized users only, remain encrypted at rest and in transit, and used for only those purposes for which it was collected or for which an individual consented.

Level 4 -Restricted

Restricted is data that, if disclosed, accessed, altered or destroyed without authorization, could cause significant damage to the Agency, e.g., financial loss, damage to the Agency’s or the State’s reputation, or the individual(s) whose information is compromised, and may lead to criminal charges or other legal consequences.

Statutes, regulations, other legal obligations or mandates protect much of this information. Federal and/or state laws or regulations mandate specific, restrictive, administrative, technical and physical controls be in place throughout the restricted information’s lifecycle. Disclosure of restricted data is limited to only those individuals who meet and maintain the legal criteria to be authorized to access the restricted data for only those purposes allowable by regulation, law or policy.

Examples of restricted data include Federal Tax Information (FTI), Criminal Justice Information maintained by law enforcement and Non-Criminal Justice Information maintained by Non-Criminal Justice Agencies with legal authority to utilize CJIS data. Restricted information should be accessible to only authorized users who meet the regulatory requirements to access the information, remain encrypted at rest and in transit, and used for only those purposes for which an individual consented or a governing authority allows.

Where there is no clear system to assign the proper classification to a particular dataset, the impact as described in Table 1 below can lend to assigning the appropriate level of protection

Table 1: Data Classification Quick Reference Table

  • Data Class: Level 1, Public
    • Description: Information that can be or currently is released to the public. It does not need protection from unauthorized disclosure.
    • Example: The original or copy of any documentary material in any form, including written materials, books, photographs, photocopies, films, microfilms, records, tapes, computerized records, maps, and drawings created or received by the agency in connection with the transaction of public business. Data collected and permitted, required, or able to be made available to the public in a machine-readable format. Includes recordings of public meetings, public websites, press releases, job. 
  • Data Class: Level 2, Protected/Internal-Only
    •  Description: Information that may not be specifically protected from disclosure by law, is generally for official use only and is not released to the public unless specifically requested and permissible. Does not include confidential information. Protected/Internal data could be potentially harmful were unauthorized people to access it. 
    • Example: Draft versions of statistical or factual information reserved for internal analysis, draft reports and memos, internal project documents, learning management data, budget documentation, minutes or recordings of departmental or inter-departmental meetings, unreleased press releases, unpublished marketing materials, and competitive analysis. 
  • Data Class: Level 3, Confidential
    •  Description: Data subject to protection by law or regulation and access to which requires specific authorization. Includes personal information and sensitive data. The data is subject to protection from disclosure.
    • Example: Personnel records, sensitive, but unclassified data, financial records, student records, health records, non-critical infrastructure information, non-critical network information, and customer transaction account data. Includes data such as Personally Identifiable Information (PII), Protected Health Information (PHI), Payment Card Information (PCI), Family Educational Rights and Privacy Act (FERPA), Substance Use Disorder (SUD), children’s information, and Privileged or Sensitive.
  • Data Class: Level 4, Restricted
    • Description: Information that is specifically protected from disclosure by law. Unauthorized disclosure of data could cause irreparable damage to the Agency and/or the State and may lead to criminal charges and/or other legal consequences. If released could endanger the public health, safety, or welfare, hinder the operation of government, impose an undue financial, operational, or administrative burden on a State entity, and disclose proprietary or confidential information. 
    • Example: Criminal justice information (CJI or CJIS), Non-criminal Justice Information NCJI), federal tax information (FTI), law enforcement sensitive data, legally privileged data, critical infrastructure information, critical network information, information about security vulnerabilities and risk, cybersecurity assessments and findings, cybersecurity audits, and physical security access logs.

   5.  Policy Roles and Responsibilities  

Each individual with authorized access to protected/internal only, confidential, and/or restricted information is accountable to protect the data from unauthorized use and disclosure. Data governance and privacy mechanisms delineate the appropriate disclosure, processing, and analysis of data. 

Data Owner: An individual or entity that is responsible for a particular data asset or for a group of data assets at the Agency and has approval authority for decisions about the data asset(s). A data owner is an individual or entity responsible to appropriately classify data. 

Data Steward: A data steward is an individual or entity who is responsible for safeguarding data based on the labeled classification. 

Data User: A data user is an individual or entity who is responsible for complying with the data use requirements associated with the labeled classification. The user is accountable to protect the data by ensuring only those who require and have been authorized to access the data as part of their job function have access to the data, use reasonable security controls, and, with the exception of open/public data, ensure only that data which is necessary to fulfill a valid request is provided. Data users need to understand that various data elements alone may not constitute personal information; but the combination of disparate data elements may create “personally identifiable information” such that the combined data is subject to a higher data classification level.

   6.  References and Maintenance

The State Chief Information Security Officer maintains and reviews this policy annually and on an ad hoc basis in response to changes in security and privacy related laws and regulations. The following regulations, recommendations, and standards impact the data classification policy:

42 CFR Part 2 -Confidentiality of Substance Use Disorder Patient Records

Health Information Protection and Portability Act (HIPAA) Privacy Rule: 45 CFR Part 160 and Subparts A and E of Part 164.

Internal Revenue Service Publication 1075 -Tax Information Security Guidelines (2021) 

US Department of Justice: Criminal Justice Information System (CJIS) Security Policy, v.5.9.4 

Maryland General Provisions -Title 4 -Public Information Act (PIA) 

Md. State Finance and Procurement Code Ann, 3.5-2A-04(b)(1)

Maryland State Government, Title 10, Subtitle 13 Protection of Information in    Government Agencies (MD PIGA) 

Maryland State Government, Title 10, Subtitle 15 Open Data NIST 800-53 v5, AC-11  

Department ofInformation Technology
​​​​100 Community Place, Crownsville, MD 21032

300-301 West Preston Street, Baltimore MD 21201

Phone: 410-697-9700
Maryland Relay: 7-1-1​