The increase in technology enhancements, affordability of portable devices and increased ability to transmit data on demand increases the risk of losing or inadvertently disclosing data. The operation and mission of the University rely heavily on the accuracy, integrity and usability of its data. UTSA faculty, staff and other employees are responsible for the security of university data they access, process, transmit and store. UTSA Data Owners must first identify the data they use and classify the data according to the risk categories outlined in the Data Classification Guidelines.
University data shall be:
- Identified as to its classification, Confidential, Restricted Use or Public, by the Data Owner
- Protected in a manner commensurate with its value or category
- Appropriately secured against unauthorized creation, updating, processing, destruction and distribution
Data Classification
- Applies to all data created and maintained by all campuses, except where superseded provisions of a grant, contract or by Federal copyright law.
- Applies to all authorized users of the University’s computing resources.
- Complies with applicable Federal and State laws which govern the privacy and confidentiality of data
Classification Categories
All institutional data, on paper as well as in electronic format, must be categorized into one of three levels, Confidential, Restricted Use, and Public. More information about each category is available in the Data Classification Guideline.
|
Category I
Confidential |
Category II
Restricited Use |
Category III
Public |
|
Data whose disclosure, destruction, display, or modification would violate state or federal laws or regulations, University of Texas System policies, or the Texas Open Records Act. |
University data that are not otherwise protected identified as Confidential data, but which are releasable with the Texas Public Information Act. These data will be protected to endure a controlled release. |
University data that are not identified as Confidential or Restricted Use data
University data that have no requirement for confidentiality, integrity or availability.
Public data, while subject to University disclosure rules, is available to all members of the University community and to all external individuals and entities. |
Risk |
Long-term loss of reputation, long-term loss of critical campus services, long-term loss of research funding, tampering with research, unauthorized exposure of litigation materials, identity or credit theft
|
Short-term loss of reputation, short-term loss of research funding, short-term loss of departmental services, Unauthorized tampering with research
|
Loss of data with no impact to the university, inaccurate general information
|
Data examples |
Student records, litigation, law enforcement data, Social Security Numbers, Credit cards, health-related research, reports marked confidential, passwords
|
Business transactions that are not sensitive, project data, HR data that are not sensitive, research data or results that are not sensitive.
|
Institutionally published public data, directory data, academic course descriptions, faculty evaluation data, blogs and other social media
|
|