Data Classification Policy & Procedures (DC-1)

Data classification provides a framework for categorizing information and information resources according to the impact of loss and sensitivity of data they contain. Classification will help units allocate resources, prioritize the selection and placement of security controls, and ensure that systems containing sensitive information meet baseline security standards.

In classifying data, the university:
  • Uses a risk-based approach to help information resource owners and users identify the data they use, understand its level of sensitivity, and learn how to best secure it.
  • Seeks to balance protecting the confidentiality, integrity, and availability of ‚Äčuniversity data‚Äč, recognizing the need for collaboration and sharing of knowledge across campus and the world.

Roles & Responsibilities (DC-2)

Texas A&M University data is not owned by a single individual, but is a university asset that is owned by the institution and entrusted to appropriate individuals for their care. Understanding these roles and their relationship to the data they oversee is critical for ensuring good governance of university data. This is true of all types of university data, including research data, unless there is a legally binding agreement in place with different terms (ref. SAP 15.99.03.M1.03).

Public Data (DC-3)

Public data is the lowest data classification level, and includes data openly available to the public. This may include low-sensitivity data which is openly distributed and presents no risk to the university, such as official university communications and public announcements. Most data hosted on publicly-accessible websites falls into this classification level. Few restrictions are placed on this type of data.

University-Internal Data (DC-4)

University-Internal (formerly Controlled) data is information that may be accessed by eligible employees in the course of university business. This information is not generally created for or made available for public consumption, but it may be subject to public disclosure through the Texas Public Information Act or similar laws. Such data must be appropriately protected to ensure lawful release.

Confidential Data (DC-5)

This classification level is used for data that is restricted because of legal, ethical, or contractual constraints, and should not be accessed without specific authorization. Improper release of data in this category would have a significant adverse impact to the university. Data in this category is often specifically protected by federal or state law, and may be subject to state or federal breach notification requirements. Data in this category is generally not subject to release under open records laws.

Critical Data (DC-6)

This classification level is used for data that can likely result in criminal or civil penalties if inappropriately handled. This is the highest level of classification for data, and use is limited to explicitly designated individuals with a stringent business requirement. Data in this category is specifically protected by federal or state law, and is typically subject to exacting breach notification requirements. Data in this category is never subject to release under open records laws, but may still be released due to a legal discovery process or court order.