Data Classification Standard
This standard serves as a supplement to the UNTHSC Information Security Policy. Adherence to the standard will facilitate applying the appropriate security controls to university data. This standard exists in addition to all other university policies and federal and state regulations governing the protection of the university’s data. Compliance with this classification standard will not ensure that data will be properly secured. Instead, this standard should be integrated into a comprehensive information security plan.
Category I
UNTHSC data that is:
- Protected specifically by federal or state law, or
- Protected by UNTHSC or UNT System rules and regulations
- Data not otherwise protected by a known civil statute or regulation, but which must be protected due to contractual agreements requiring confidentiality, integrity, or availability considerations
Category II
UNTHSC data not otherwise identified as Category I, and:
- Data not publicly available, and
- Data releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.)
Category III
UNTHSC data not otherwise identified as Category I or Category II data, and:
- The data is publicly available, and
- Such data has no requirement for confidentiality, integrity, or availability
Data Classification Examples
Use the examples below to determine which classification is appropriate for a given type of data. When data falls into multiple data categories, use the highest classification.
Category I
- Social Security numbers
- Access device numbers (building access code, etc.)
- Biometric identifiers (eye images, full face images, fingerprints, etc.)
- Date of birth
- Driver’s license numbers
- Passport and visa numbers
- Personal vehicle information
- Financial information and records (credit card numbers, account numbers, etc.), including non-UNTHSC income level and sources
- Information pertaining to the Office of General Counsel
- Contracts
- Certain management information
- User account passwords
- Health Information, including Protected Health Information (PHI)
- Health Insurance policy ID numbers
- Export controlled information
- Physical plant and critical infrastructure detail: Engineering, design, and operational information on UNTHSC infrastructure

There are additional types of Confidential Data; see below.
Category II
- Employee names
- Employee salary information
- Employee performance review information
- Unpublished research data (at data owner’s discretion)
- Non-public UNTHSC policies and policy manuals
- Internal memos and email
Category III
- Research data (at data owner’s discretion)
- Information authorized to be available on or through UNTHSC’s website without EUID authentication
- Policy and procedure manuals designated by the owner as public
- Job postings
- University directory information
- Information in the public domain
- Publicly available campus maps
Extended List of Category I Data:
HIPAA
- Patient names, street address, city, county, zip code, telephone / fax numbers
- Dates (except year) related to an individual, account / medical record numbers, health plan beneficiary numbers
- PHI-related certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses
- Any other unique identifying number, characteristic, or code
- Payment Guarantor’s information
FERPA
- Grades (including test scores, assignments, and class grades)
- Student financials, credit cards, bank accounts, wire transfers, payment history, financial aid/grants, bills
Note that for enrolled students, the following data may ordinarily be revealed by the university without student consent unless the student designates otherwise:
- Name, directory address and phone number, mailing address, secondary mailing or permanent address, residence assignment and room or apartment number, campus office address (for graduate students)
- Place of birth
- Electronic mail address
- Specific semesters of registration at UNTHSC; UNTHSC degree(s) awarded and date(s); major(s), minor(s), and field(s); university degree honors
- Institution attended immediately prior to UNTHSC
- ID card photographs for course instructor use
Alumni/Donor Information
- Name
- Family information
- Amount / what donated
- Other non-public gift information
- Telephone / fax numbers, e-mail, URLs
Research Information
- Human subject information. See the Institutional Review Board for more information.
- Sensitive digital research data
- Export Controlled Information – Information or technology controlled under International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR), required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of a controlled item or product, including blueprints, drawings, photographs, plans, instructions or documentation.
- Classified information relating to defense articles and defense services
- Information covered by an invention secrecy order
- Software directly related to a controlled item
UNTHSC Employee Information
- Insurance benefit information
- Family information, home address, and home phone number may be revealed unless restricted by the employee. UNTHSC employees can restrict this information in MyHSC.
There can be confusion over which rules apply when an employee is also a student. The rule of thumb is that the student rules apply when the employee is in a student job role.
Vendor Information
- Contract information (between UNTHSC and a third party)
- NDA-protected certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses