One West University Boulevard, Brownsville, Texas 78520 | 956-882-8200

Data Classification Guidelines

 

Legal requirements

  • Restricted Data (highest, most sensitive): Protection of data is required by law (e.g., HIPAA and FERPA data elements)
  • Sensitive Data (moderate level of sensitivity): UTB has an obligation to protect the data
  • Public Data (low level of sensitivity): Protection of data is at the discretion of the owner or custodian

Reputation risk

  • Restricted Data: High
  • Sensitive Data: Medium
  • Public Data: Low

Other Institutional Risks

  • Restricted Data: Information which provides access to resources, physical or virtual
  • Sensitive Data: Smaller subsets of protected data from a school or department
  • Public Data: General university information

Access

  • Restricted Data: Only those individuals designated with approved access and signed non-disclosure agreements
  • Sensitive Data: UTB employees and non-employees who have a business need to know
  • Public Data: UTB affiliates and general public with a need to know

Examples

Restricted Data:

  • Medical
  • Research Data
  • Students
  • Prospective students
  • Personnel
  • Donor or prospect
  • Financial
  • Contracts
  • Physical plant detail
  • Credit card numbers
  • Certain management information
  • See below for more specific examples

Sensitive Data:

  • Information resources with access to restricted data
  • Research detail or results that are not restricted data
  • Library transactions (e.g., catalog, circulation, acquisitions)
  • Financial transactions which do not include restricted data (e.g., telephone billing)
  • Information covered by non-disclosure agreements
  • Very limited subsets of restricted data

Public Data:

  • Campus maps
  • Personal directory data (e.g., contact information)
  • Email

Use the following criteria to determine which data category is appropriate for data stored on or manipulated by a particular information or infrastructure system. Owners are responsible for categorizing their data appropriately.

Restricted Data

Consider the following examples and scenarios when determining the classification level for your data.

DATA CLASSIFICATION EXAMPLES: Data protected specifically by federal or state law or University of Texas rules and regulations, for example: HIPAA; FERPA; specific donor, employee, or sensitive research data; data that is not otherwise protected by a known civil statute or regulation, but which must be protected due to proprietary, ethical, privacy, or criticality considerations.

LOSS IMPACT SCENARIOS: Long-term loss of reputation, long-term loss of research funding, increase in regulatory requirements, long-term loss of critical campus or departmental service, unauthorized tampering of research data, loss of any personal or university owned mobile storage device (desktop, laptop, thumb drive, PDA, etc.) containing university data whose release would fall into the loss impact scenarios listed in this section.

NOTE: If you are creating a new system that has Restricted data, you should inform the Information Resources department. A security review or risk assessment may be required.

Sensitive Data

Consider the following examples and scenarios when determining the classification level for your data.

DATA CLASSIFICATION EXAMPLES: Data releasable in accordance with the Texas Public Information Act (contents of specific e-mail, date of birth, salary, etc.); data that must be protected due to proprietary, ethical, or privacy considerations. This classification applies even to data that is not otherwise protected by a known civil statute or regulation.

LOSS IMPACT SCENARIOS: Short-term loss of reputation, short-term loss of research funding, short-term loss of critical departmental service, unauthorized tampering of research data.

Public Data

DATA CLASSIFICATION EXAMPLES: Data that might otherwise be considered publicly available, personal Internet browsing data, personal notes, etc.

LOSS IMPACT SCENARIOS: Loss of use of personal workstation or laptop, loss of personal data with no impact to the university.

Your confidentiality, integrity, and availability ratings are most useful in assessing the risk to the assets in your department. They help create a better understanding of which assets are the most critical, and they allow you to prioritize and develop effective actions to protect the assets at risk.
