Data Classification Standard

This standard serves as a supplement to the UNTHSC Information Security Policy.  Adherence to the standard will facilitate applying the appropriate security controls to university data.  This standard exists in addition to all other university policies and federal and state regulations governing the protection of the university’s data. Compliance with this classification standard will not ensure that data will be properly secured. Instead, this standard should be integrated into a comprehensive information security plan.

 

Category I

 

UNTHSC data that is:

Protected specifically by federal or state law or

Protected by UNTHSC or UNT System rules and regulations

Data not otherwise protected by a known civil statute or regulation, but which must be protected due to contractual agreements requiring confidentiality, integrity, or availability considerations

Category II

 

UNTHSC data not otherwise identified as Category I, and:

Data not publicly available, and

Data releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.)

Category III

 

UNTHSC data not otherwise identified as Category I or Category II data, and:

The data is publicly available, and

Such data has no requirement for confidentiality, integrity, or availability

 

Data Classification Examples

Use the examples below to determine which classification is appropriate for a given type of data.  When data falls into multiple data categories, use the highest classification

 

 

Category I

 

Social Security numbers

Access device numbers  (building access code, etc.)

Biometric identifiers (eye images, full face images, fingerprints, etc.)

Date of birth

Driver’s license numbers

Passport and visa numbers

Personal vehicle information

Financial information and records (credit card numbers, account numbers, etc.), including non-UNTHSC income level and sources

Information pertaining to the Office of General Counsel

Contracts

Certain management information

User account passwords

Health Information, including Protected Health Information (PHI)

Health Insurance policy ID numbers

Export controlled information

Physical plant and critical infrastructure detail: Engineering, design, and operational information on UNTHSC infrastructure

There are additional types of Confidential Data; see below.

Category II

 

Employee names

Employee salary information

Employee performance review information

Unpublished research data (at data owner’s discretion)

Non-public UNTHSC policies and policy manuals

Internal memos and email

Category III

 

Research data (at data owner’s discretion)

Information authorized to be available on or through UNTHSC’s website without EUID authentication

Policy and procedure manuals designated by the owner as public

Job postings

University directory information

Information in the public domain

Publicly available campus maps

 

Extended  List of Category I Data:

HIPAA

  • Patient names, street address, city, county, zip code, telephone / fax numbers
  • Dates (except year) related to an individual, account / medical record numbers, health plan beneficiary numbers
  • PHI-related certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses
  • Any other unique identifying number, characteristic, or code
  • Payment Guarantor's information

FERPA

  • Grades (including test scores, assignments, and class grades)
  • Student financials, credit cards, bank accounts, wire transfers, payment history, financial aid/grants, bills

Note that for enrolled students, the following data may ordinarily be revealed by the university without student consent unless the student designates otherwise:

  • Name, directory address and phone number, mailing address, secondary mailing or permanent address, residence assignment and room or apartment number, campus office address (for graduate students)
  • Place of birth
  • Electronic mail address
  • Specific semesters of registration at UNTHSC; UNTHSC degree(s) awarded and date(s); major(s), minor(s), and field(s); university degree honors
  • Institution attended immediately prior to UNTHSC
  • ID card photographs for course instructor use

Alumni/Donor Information

  • Name
  • Family information
  • Amount / what donated
  • Other non-public gift information
  • Telephone / fax numbers, e-mail, URLs

Research Information

  • Human subject information. See the Institutional Review Board for more information.
  • Sensitive digital research data
  • Export Controlled Information – Information or technology controlled under International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR), required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of a controlled item or product, including blueprints, drawings, photographs, plans, instructions or documentation.
  • Classified information relating to defense articles and defense services;
  • Information covered by an invention secrecy order;
  • Software directly related to a controlled item;

UNTHSC Employee Information

  • Insurance benefit information
  • Family information, home address, and home phone number may be revealed unless restricted by the employee. UNTHSC employees can restrict this information in MyHSC.

There can be confusion over which rules apply when an employee is also a student. The rule of thumb is that the student rules apply when the employee is in a student job role.

Vendor Information

  • Contract information (between UNTHSC and a third party)
  • NDA-protected certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses

 

This page was last modified on September 2, 2020