Skip to main content

Information Security Office

Data Classification Examples

Extended List of Category-I (Confidential) Data

This document provides an expanded list of representative examples of data classified as Category-I (Confidential) data. This list is provided to help owners and custodians with a way to evaluate the level of protections required for their systems.

NOTE: Social Security numbers may be stored on only authorized systems, such as the payroll system. They are released only as required by law; for example, to the IRS for tax purposes.

This list is not all-inclusive, and it does not cover the release of information.

Patient Medical/Health Information (HIPAA)

The following information is sensitive:

  • Social Security number
  • Patient names, street address, city, county, zip code, telephone / fax numbers
  • Dates (except year) related to an individual, account / medical record numbers, health plan beneficiary numbers
  • Personal vehicle information
  • Certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses
  • Biometric identifiers and full face images
  • Any other unique identifying number, characteristic, or code
  • Payment Guarantor's information

Student Records (FERPA)

The following information is sensitive. This applies to both enrolled and prospective student data.

  • Social Security number
  • Grades (including test scores, assignments, and class grades)
  • Student financials, credit cards, bank accounts, wire transfers, payment history, financial aid/grants, student bills
  • Biometric identifiers

Note that for enrolled students, the following data may ordinarily be revealed by the university without student consent unless the student designates otherwise:

  • Name, directory address and phone number, mailing address, secondary mailing or permanent address, residence assignment and room or apartment number, campus office address (for graduate students)
  • Date of birth, place of birth
  • Electronic mail address
  • Specific semesters of registration at UT Arlington; UT Arlington degree(s) awarded and date(s); major(s), minor(s), and field(s); university degree honors
  • Institution attended immediately prior to UT Arlington
  • ID card photographs for course instructor use

For more information, see the University of Texas at Arlington’s FERPA Web page.

Donor/Alumni Information (Texas Identity Theft Enforcement and Protection Act)

The following information is sensitive:

  • Social Security number
  • Name
  • Personal financial information
  • Family information
  • Medical information
  • Credit card numbers, bank account numbers, amount / what donated
  • Telephone / fax numbers, e-mail, URLs

Research Information (Granting Agency Agreements, Other IRB Governance)

The following information is confidential:

  • Human subject information
  • Sensitive digital research data

Refer to the Institutional Review Board for more information on research involving human subjects.

Employee Information (UT System Policy, Texas Identity Theft Enforcement and Protection Act)

There can be confusion over which rules apply when an employee is also a student. The rule of thumb is that the student rules apply when the employee is in a student job title.

The following employee information is confidential:

  • Social Security number
  • Personal financial information, including non-UT income level and sources
  • Insurance benefit information
  • Biometric identifiers
  • Family information, home address, and home phone number may be revealed unless restricted by the employee. UT Arlington employees can restrict this information in UT Direct.

Please note that information considered public, such as employee names, birth dates, salary, and performance review information, would be released under an open records request.

Business/Vendor Data (Gramm-Leach-Bliley Act, Non-Disclosure agreement)

The following information is confidential:

  • Vendor social security number
  • Credit card information
  • Contract information (between UT Arlington and a third party)
  • Biometric identifiers
  • Certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses

Other Institutional Data (Gramm-Leach-Bliley Act, Other Considerations)

The following information is confidential:

  • Financial records
  • Contracts
  • Physical plant detail
  • Credit card numbers
  • Certain management information
  • Critical infrastructure detail
  • User account passwords