
Data Classification

DATA CLASSIFICATION – BASIC BEST PRACTICES

NOTE: For the purposes of this document, the terms "data," "information," and "records" are synonymous.

 
 
| | Confidential Information | Sensitive Information | Public Information |
| --- | --- | --- | --- |
| Level of Sensitivity | High | Moderate | Low |
| Legal Requirements | Protection of data is required by law (e.g., TPIA, FERPA, and HIPAA data) or contractual agreements. | Often considered “public” in the sense it is releasable under the Texas Public Information Act, some assurance is required so release of information is both controlled and lawful. | Public information by its very nature is designed to be shared broadly, without restriction, at the complete discretion of the owner. |
| Disclosure Risk | Confidential information presents the most serious risk of harm if improperly disclosed. | Unauthorized disclosure of Sensitive information could adversely impact the University, individuals or affiliates. | From the perspective of confidentiality, public information may be disclosed or published by any person at any time. |
| Examples of Information | Social Security Numbers; Credit Card Info; Personal Health Info; Student Records; Crime Victim Information; Library Transactions; Court Sealed Records; Access Control Credentials | Performance Appraisals; Employee Dates of Birth; Employee Email Addresses; Donor Information; Voicemail; Contents of Email; Unpublished Research | Job Postings; Service Offerings; Published Research; Directory Information; Degree Programs; General information about University products and services |

  1. Prior to releasing, publishing, or disclosing any information, the owner of the information should classify the information according to its need for confidentiality (PUBLIC, SENSITIVE or CONFIDENTIAL, as described in 3 below).
  2. The owner of the information should ensure that disclosure controls and procedures are implemented to afford the degree of protection required by the assigned classification.
  3. Higher education and industry best practices suggest the need for three classes, or levels, with respect to data confidentiality. In order from least to most confidential, these are:

    Public information by its very nature is designed to be shared broadly, without restriction, at the complete discretion of the owner. It may or may not have been explicitly designated as public. There is no such thing as unauthorized disclosure of this information and it may be freely disseminated without potential harm to the University, individuals, or affiliates. From the perspective of confidentiality, Public information may be disclosed or published by any person at any time.

    Examples: advertising, degree program descriptions, course offerings and schedules, campus maps, published research (within copyright restrictions), job postings, press releases, general information about University products and services, certain types of unrestricted directory information as specified by the Family Educational Rights and Privacy Act of 1974 (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA).

    Sensitive information is the most difficult to describe as it often presents attributes of both Public and Confidential information. Sensitive information is often considered “public” in the sense that it is releasable under provisions of the Texas Public Information Act, while also requiring assurances that its release is both controlled and lawful. Sensitive information is often intended for use within a specific workgroup, department or group of individuals with a legitimate need-to-know. Likewise, access to Sensitive information is often controlled by identity authentication and authorization measures (e.g., NetID and password). Unauthorized disclosure of Sensitive information could adversely impact the University, individuals or affiliates.

    Examples: some employee records (such as performance appraisals, dates of birth and e-mail addresses), departmental policies and procedures that might reveal otherwise restricted information, the contents of e-mail, voicemail, instant messages and memos, unpublished research, information covered by non-disclosure agreements, donor information, etc.

    Generally speaking, Sensitive information should not be published or disclosed to the public except by the University’s designated owner of the requested information in accordance with the owner’s established procedures for processing TPIA requests, or as otherwise authorized by the Information Security Office or the TSUS Associate General Counsel. (See separate list of the University's designated information owners)

    According to Chapter 202 of the Texas Administrative Code (TAC 202), Confidential information is “information that is excepted from disclosure requirements under the provisions of applicable state or federal law” such as the Texas Public Information Act (TPIA) and the Family Educational Rights and Privacy Act (FERPA). Confidential information presents the most serious risk of harm if improperly disclosed. Confidential information is generally intended for a very specific purpose and should not be disclosed to anyone without a demonstrated need-to-know, even within a workgroup or department. Disclosure of Confidential information is generally regulated by specific legal statutes (e.g., TPIA, FERPA, HIPAA), published opinions by the Office of the Attorney General of Texas, Texas State University System rules, or contractual agreements. Unauthorized disclosure of this information could have a serious adverse impact on the University, individuals, or affiliates.

    Examples: student education records as defined under FERPA, credit card information, bank account numbers, social security numbers, driver license numbers, personally identifiable medical records, passport information, crime victim information, library transactions (e.g., circulation records), court sealed records, access control credentials (e.g., PINs and passwords), etc.

    Confidential information must not be published or disclosed to the public under any circumstances other than those specifically authorized by law. Any such disclosure should be immediately reported to the Information Security Office for damage mitigation and investigation. Requests for such information received from persons with a questionable need to know should be directed to the TSUS Associate General Counsel.


  • Public (Level 1) Information
  • Sensitive (Level 2) Information
  • Confidential (Level 3) Information