Data Classification Standard
This standard serves as a supplement to the UNT Health Information Security Policy. Adherence to the standard will facilitate applying the appropriate security controls to university data. This standard exists in addition to all other university policies and federal and state regulations governing the protection of the university’s data. Compliance with this classification standard will not ensure that data will be properly secured. Instead, this standard should be integrated into a comprehensive information security plan.
Category I
UNT Health data that is:
- Protected specifically by federal or state law, or
- Protected by UNT Health or UNT System rules and regulations
- Data not otherwise protected by a known civil statute or regulation, but which must be protected due to contractual agreements requiring confidentiality, integrity, or availability considerations
Category II
UNT Health data not otherwise identified as Category I, and:
- Data not publicly available, and
- Data releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.)
Category III
UNT Health data not otherwise identified as Category I or Category II data, and:
- The data is publicly available, and
- Such data has no requirement for confidentiality, integrity, or availability
Data Classification Examples
Use the examples below to determine which classification is appropriate for a given type of data. When data falls into multiple data categories, use the highest classification.
Category I
- Social Security numbers
- Access device numbers (building access code, etc.)
- Biometric identifiers (eye images, full face images, fingerprints, etc.)
- Date of birth
- Driver’s license numbers
- Passport and visa numbers
- Personal vehicle information
- Financial information and records (credit card numbers, account numbers, etc.), including non-UNTHSC income level and sources
- Information pertaining to the Office of General Counsel
- Contracts
- Certain management information
- User account passwords
- Health Information, including Protected Health Information (PHI)
- Health Insurance policy ID numbers
- Export controlled information
- Physical plant and critical infrastructure detail: Engineering, design, and operational information on UNT Health infrastructure

There are additional types of Confidential Data; see below.
Category II
- Employee names
- Employee salary information
- Employee performance review information
- Unpublished research data (at data owner’s discretion)
- Non-public UNT Health policies and policy manuals
- Internal memos and email
Category III
- Research data (at data owner’s discretion)
- Information authorized to be available on or through UNT Health’s website without EUID authentication
- Policy and procedure manuals designated by the owner as public
- Job postings
- University directory information
- Information in the public domain
- Publicly available campus maps
Extended List of Category I Data:
- Patient names, street address, city, county, zip code, telephone / fax numbers
- Dates (except year) related to an individual, account / medical record numbers, health plan beneficiary numbers
- PHI-related certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses
- Any other unique identifying number, characteristic, or code
- Payment Guarantor’s information
- Grades (including test scores, assignments, and class grades)
- Student financials, credit cards, bank accounts, wire transfers, payment history, financial aid/grants, bills
Note that for enrolled students, the following data may ordinarily be revealed by the university without student consent unless the student designates otherwise:
- Name, directory address and phone number, mailing address, secondary mailing or permanent address, residence assignment and room or apartment number, campus office address (for graduate students)
- Place of birth
- Electronic mail address
- Specific semesters of registration at UNTHSC; UNT Health degree(s) awarded and date(s); major(s), minor(s), and field(s); university degree honors
- Institution attended immediately prior to UNTHSC
- ID card photographs for course instructor use
- Name
- Family information
- Amount / what donated
- Other non-public gift information
- Telephone / fax numbers, e-mail, URLs
- Human subject information. See the Institutional Review Board for more information.
- Sensitive digital research data
- Export Controlled Information – Information or technology controlled under International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR), required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of a controlled item or product, including blueprints, drawings, photographs, plans, instructions or documentation.
- Classified information relating to defense articles and defense services;
- Information covered by an invention secrecy order;
- Software directly related to a controlled item;
- Insurance benefit information
- Family information, home address, and home phone number may be revealed unless restricted by the employee. UNT Health employees can restrict this information in MyHSC.
There can be confusion over which rules apply when an employee is also a student. The rule of thumb is that the student rules apply when the employee is in a student job role.
- Contract information (between UNT Health and a third party)
- NDA-protected certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses
