Data Classification | Technology Services

Understanding and Protecting University Information

Texas A&M University handles a vast amount of information every day, ranging from public announcements to sensitive research data and personal details. Not all data carries the same level of sensitivity or risk. Data classification is the university's framework for categorizing information based on its sensitivity, value, and the legal or contractual requirements for protecting it.

Texas A&M's Data Classification Levels

graphic of multicolor thermometer showing data classification levels

4. Critical Data

The highest level of classification. Unauthorized handling or disclosure could result in severe harm, including potential criminal or civil penalties. Access is limited to specifically designated individuals with a stringent business need.

3. University-Confidential Data

Sensitive data protected by law (state/federal), regulations, or contractual agreements. Unauthorized disclosure could cause significant harm to individuals or the university and may trigger breach notification requirements. Access requires specific authorization.

2. University-Internal Data

Information primarily intended for university business operations. It's not meant for the general public but might be releasable under the Texas Public Information Act. Requires protection against unauthorized access or disclosure.

1. Public Data

Information intended for public release or that is openly available. Disclosure carries little to no risk.

Texas A&M University classifies data into four main levels, ranging from lowest to highest sensitivity:

Level 1: Public Data (DC-3)

Definition

Information intended for public release or that is openly available. Disclosure carries little to no risk.

Handling

Few restrictions apply, but care should still be taken to ensure non-public data isn't accidentally included before release.

Examples

Official university press releases and public announcements, public website content, course catalog descriptions, publicly released research publications, public directory information for employees or students (who haven't restricted it).

Level 2: University-Internal Data (DC-4)

Definition

Information primarily intended for university business operations. It's not meant for the general public but might be releasable under the Texas Public Information Act. Requires protection against unauthorized access or disclosure.

Handling

Access should generally be limited to employees or authorized individuals needing it for university business. Care must be taken to ensure lawful release if requested publicly.

Examples

Internal memos and emails, non-confidential departmental procedures, general internal communications, licensed software or license keys, library paid subscription resources.

Level 3: University-Confidential Data (DC-5)

Definition

Sensitive data protected by law (state/federal), regulations, or contractual agreements. Unauthorized disclosure could cause significant harm to individuals or the university and may trigger breach notification requirements. Access requires specific authorization.

Handling

Requires significant security controls, often including encryption, strict access management, secure storage environments, and multi-factor authentication for network access.

Examples

Student education records (FERPA), protected health information (HIPAA), sensitive personally identifiable information (PII like SSNs combined with names, driver's license numbers, financial account numbers), credit card data (PCI DSS), human subjects research data, export-controlled information (ITAR/EAR), non-public intellectual property, system authentication credentials (passwords).

Level 4: Critical Data (DC-6)

Definition

The highest level of classification. Unauthorized handling or disclosure could result in severe harm, including potential criminal or civil penalties. Access is limited to specifically designated individuals with a stringent business need.

Handling

Requires the most stringent security controls, including encryption, strict access limitations, potentially dedicated secure environments, and rigorous monitoring.

Examples

Data requiring specific, heightened protection by law or contract, potentially including highly sensitive government classified information handled under specific agreements (though this is rare and involves specialized procedures beyond standard IT policy). Often overlaps significantly with University-Confidential data but represents the most sensitive subset demanding the strictest controls.

Why Do We Classify Data?

Understanding how data is classified is essential for everyone at Texas A&M. It helps us:

Apply Appropriate Security

Knowing the classification level tells us how carefully we need to protect the data. More sensitive data requires stronger security controls.

Ensure Compliance

Proper classification helps the university meet requirements set by state and federal laws (like FERPA, HIPAA, TAC 202) and contractual agreements.

Manage Risk

It allows us to identify high-risk data and prioritize resources to protect it effectively from unauthorized access, disclosure, or loss.

Guide Handling Procedures

Classification informs decisions about how data should be stored, accessed, transmitted, and eventually disposed of securely.

Your Responsibility

Everyone at Texas A&M who handles university data is responsible for knowing its classification and protecting it accordingly. If data seems to fit into multiple categories, always treat it according to the most restrictive classification.

Need Help Classifying Data?

Texas A&M Technology Services provides a Data Classification Calculator to help you determine the appropriate classification level based on regulations and data type. For detailed security control requirements associated with each classification level, refer to the university's IT Policy Controls Catalog, specifically controls DC-1 through DC-6. If you have further questions, you can contact IT Security at security@tamu.edu or consult your unit's IT support or Information Resource Owner.

Data Classification Calculator