Skip to main content

Information Security Office


Classification of Sensitive Digital Data

All data owners, data stewards, or designated custodians, shall be responsible for classifying digital data processed by systems under their purview based on data sensitivity and risk so that the appropriate security controls can be applied.

The data classification standard shall be used to identify digital data that is sensitive.

A data classification of Category-I (Confidential) shall be based on compliance with applicable Federal or State law, a contract, or on the demonstrated need to (a) document the integrity of that digital data (that is, the data had not been altered by either intent or accident), (b) restrict and document individuals with access to that digital data, and (c) ensure appropriate backup and retention of that digital data. These would most frequently be required by:

    * Federal or State agencies (for example, Food and Drug Administration)
    * Employee Benefits Providers
    * Intellectual Property and/or Technology Transfer requirements
    * UT System Office of General Counsel or university Office of Legal Affairs (in the case of data subject to or involved in litigation or confidentiality agreements)
    * Federal regulations (for example, FERPA, HIPAA, Gramm-Leach-Bliley, Biodefense, Homeland Security, DoD, etc.)

Category-I (Confidential) digital data must include all high-risk Information Resources as defined by 1 TAC 202.72.

Certain digital data not defined as a high-risk Information Resource by 1 TAC 202.72 can be classified as Category-I (Confidential) digital data if warranted by the college, school, or unit's demonstrated need. With suitable justification, the university may convert its classification of these digital data from Category-I digital data to a lesser classification upon request by the data owner, with appropriate review and approval.