Definition: confidential data

Confidential data is defined as any information that is not intended for public dissemination. This can be understood from three aspects:

• TUM wants to protect its own data, such as research findings and financial data.
• TUM wants to protect the data of others, such as data that belongs to employees and students (this data is also protected under applicable laws and regulations for handling such information).
• Members of TUM want to protect their own data, such as their own communications.

Depending on the aspect, data confidentiality is divided into three categories that result in different requirements for protecting the data:

Personal data, sensitive personal data

Personal data means any information relating to an (directly or indirectly) identified or identifiable natural living person. At a university, this includes the basic data for employees, students and other persons with a connection to TUM.

• Applicant, student, exam/lecture data
• Data that is related to an employee of the university
• IT user data such as the access ID and password or the user certificate
• IT utilization data (log data related to utilization of the TUM IT services [1] )

The Bavarian Data Protection Act (BayDSG) defines sensitive data as information regarding a person's race or ethnicity, political opinions, religious or philosophical beliefs or union memberships, as well as information about health and sexual orientation/practices.

Article 7 of the BayDSG stipulates the minimum technical or administrative measures that must be in place to protect data.

Intellectual property

Researchers have a very keen interest in protecting research information and material that is not public. The researchers and/or collaboration partners are responsible for determining the measures needed to protect the information in a research project.

Lecture material may contain copyrighted content designed for teaching activities, but which may not be made public.

Business-critical data

Business-critical data includes any internal university information accessible by specific groups of people. This includes strategic documents, accounting/financial data and information about benefactors and foundations.

Business-critical data should be available to only a few select employees and protected from access by unauthorized personnel.

Other internal university data

Any non-public data that does not fall under one of the above categories should be referred to from this point on as other internal university data.

This data must be protected against external access only, but it can be viewed by all employees of the university.

Other categories

Apart from this confidential data, there are essentially three other categories that should be mentioned here for the sake of completeness.

• Public data: Public data is information that is available to employees, students and the public. This data can be read by anyone, but edited only by a few select people.
• Private data: This is information intended for personal use only. Read and write access is restricted to the owner. Access by others is at the discretion of the owner.
• System data: This is any data that falls under the area of system administration and can also include personal data. In this case, system data should also be classified as confidential.
  System administrators are normally the only people with read and write access to non-personal system data. This data should be afforded adequate protection as well since it can potentially provide information for facilitating an attack.

From this point on, these three categories will be taken into consideration only as needed.