7.5.7 Data Classification
A. Purpose
This policy is designed to assist Data Owners (also known as "Information Owner" and Information Resources Owner) in classifying data under their responsibility so that appropriate controls are implemented to ensure data accuracy, authenticity, and integrity.
This policy is also valuable to educate the community about the importance of protecting data generated, accessed, transmitted and stored by the University, to identify procedures that should be in place to protect the confidentiality, integrity and availability of University data, and to comply with local and federal regulations regarding privacy and confidentiality of information.
B. Persons Affected
All members of The University of Texas at Tyler community have a responsibility to protect University data from unauthorized generation, access, modification, disclosure, transmission or destruction, and are expected to be familiar with and comply with this policy.
C. Definitions
N/A
D. Policy
Data is a critical asset of The University of Texas at Tyler. All members of The University of Texas at Tyler have a responsibility to protect the confidentiality, integrity, and availability of data generated, accessed, modified, transmitted, stored or used by the University, irrespective of the medium on which the data resides and regardless of format (such as in electronic, paper or other physical form).
Departments are responsible for implementing appropriate managerial, operational, physical, and technical controls for access to, use of, transmission of, and disposal of University data in compliance with this policy.
Data Owners are defined as the primary person responsible for a business function and for determining controls and access to information resources supporting that business function. In addition, a data owner is responsible for classification of their data based on data sensitivity and risk.
Data owned, used, created or maintained by is classified into the following three categories:
- Confidential
- Controlled
- Published
Data Owners should carefully evaluate the appropriate data classification category for their information. When provided in this policy, examples are illustrative only, and serve as an identification guide. Departments may require policies and/or procedures in addition to the ones identified in this document.
Data Classifications
Confidential
Information that must be protected from unauthorized disclosure or public release based on state or federal law, (e.g. the Texas Public Information Act and other constitutional, statutory, judicial, and legal agreements). Examples of Confidential data may include but are not limited to:
- protected health information under HIPAA
- protected student information under FERPA
- credit card numbers associated with an individual's name
The unauthorized destruction, disclosure or modification of Confidential information would be expected to have a severe or catastrophic adverse effect on organization operations, organizational assets, or on individuals.
Confidential Data:
- When stored in an electronic format, must be protected with strong passwords and stored on servers that have administrative, physical, and technical safeguards and may require encryption measures approved by the Information Security Officer in order to protect against loss, theft, unauthorized access and unauthorized disclosure. Safeguards required will be determined by data sensitivity and risk.
- Must not be disclosed to unauthorized parties without explicit executive management authorization.
- Must be stored only in a locked drawer or room or an area where access is controlled by a guard, cipher lock, and/or card reader, or that otherwise has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other persons without a need-to-know.
- When sent via fax must be sent only to a previously established and used address or one that has been verified as using a secured location.
- Must not be posted on any public website.
- Data is not to be copied to or stored on a Portable Computing Device or a Non-University Owned Computing Device except with the specific permission of the Data Owner based upon demonstration of a business need and the risk of unauthorized access weighted against potential loss or compromise of the Data. Must be destroyed when no longer needed subject to the most applicable State of Texas, Federal, NIH, and/or other Records Retention Schedules. Destruction may be accomplished by:
- "Hard Copy" materials must be destroyed by shredding or another process that destroys the data beyond either recognition or reconstruction. After destruction, non-PHI materials may be disposed of with normal waste. Special shred bins are available for PHI data to be shredded by a contracted vendor.
- Electronic storage media shall be sanitized appropriately in the Information Technology department by degaussing or physical destruction prior to disposal. Disposal of electronic equipment must be performed in accordance with the University's policy Eradication of Data Stored on Electronic Media.
The Information Security Officer must be notified immediately if data classified as Confidential is lost, disclosed to unauthorized parties or suspected of being lost or disclosed to unauthorized parties, or if any unauthorized use of the University's information systems has taken place or is suspected of taking place.
Controlled
Information that is not generally created for, or made available for public consumption, but that is subject to release to the public through request via the Texas Public Information Act or similar state or federal law. Examples of Controlled data may include but are not limited to:
- operational information and statistics
- employee salaries
- budgets and expenditures
- non-published research
- internal communications
The unauthorized destruction, disclosure or modification of Controlled information would be expected to have a limited adverse effect on organization operations, organizational assets, or on individuals.
Controlled Data:
- Must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure.
- Must be stored in a closed container (i.e. file cabinet, closed office, or department where physical controls are in place to prevent disclosure) when not in use.
- Must not be posted on any public website.
- Must be destroyed when no longer needed subject to the State of Texas Records Retention Schedule. Destruction may be accomplished by:
- "Hard Copy" materials must be destroyed by shredding or another process that destroys the data beyond either recognition or reconstruction. After destruction, materials may be disposed of with normal waste.
Electronic storage media shall be sanitized appropriately in the Information Technology department by overwriting or degaussing prior to disposal. Disposal of electronic equipment must be performed in accordance with the University's policy Eradication of Data Stored on Electronic Media.
Published:
Published information includes all data made available to the public through posting to public websites, distribution through email or social media, print publications or other media. Examples of Published data may include but are not limited to:
- statistical reports
- Fast Facts
- published research
- unrestricted directory information
- educational content available to the public at no cost
The unauthorized destruction, disclosure or modification of Published information would be expected to have no or only a slight adverse effect on organization operations, organizational assets, or on individuals.
Enforcement:
Violation of this policy may result in disciplinary action that may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of Information Resources access privileges, civil, and criminal prosecution.
E. References
Eradication of Data Stored on Electronic Media
Data Owner Policy
UTS 165
TAC 202.72
Texas Public Information Act
F. Review Responsibilities and Dates
The Division Head for this Policy is the Chief Information Security Officer and this Policy shall be reviewed every two (2) years or sooner, if necessary, by the Division Head or their designee.
APPROVED: 09/2021
AMENDED: 05/2023