The University of Texas at San Antonio

Office of Information Technology

Office of Information Security (OIS) Standards


OIS 9 – Standard for Data Classification



The increase in technology enhancements, affordability of portable devices and increased ability to transmit data on demand increases the risk of losing or inadvertently disclosing data. The operation and mission of the University rely heavily on the accuracy, integrity and usability of its data.



This standard supports HOP Policy 8-12 Information Resources Use and Security Policy



This standard applies to all UTSA faculty, staff, and students.



If you have any questions about OIS 9 Standard for Data Classification contact the following office:


The Office of Information Security



1. UTSA faculty, staff and other employees are responsible for the security of university data they access, process, transmit and store. UTSA Data Owners must first identify the data they use and classify the data according to the risk categories outlined in the Data Classification Guidelines.



2.       University data shall be:

    1. Identified as to its classification – Confidential, Controlled or Published Data – by the Data Owner
    2. Protected in a manner commensurate with its value or category
    3. Appropriately secured against unauthorized creation, updating, processing, destruction and distribution


3.      Data Classification

    1. Applies to all data created and maintained by all campuses, except where superseded provisions of a grant, contract or by Federal copyright law.
    2. Applies to all authorized users of the University’s computing resources.
    3. Complies with applicable Federal and State laws which govern the privacy and confidentiality of data


4.      Classification Categories

All institutional data, on paper as well as in electronic format, must be categorized into one of three levels, Confidential, Controlled, and Published Data. More information about each category is available in the Data Classification Guideline.


Category I


Category II


Category III

Published Data

 Risk Data whose disclosure, destruction, display, or modification would violate state or federal laws or regulations, University of Texas System policies, or the Texas Open Records Act. University data that are not otherwise protected identified as Confidential data, but which are releasable with the Texas Public Information Act. These data will be protected to ensure a controlled release. University data that are not identified as Confidential or Controlled data.

University data that have no requirement for confidentiality, integrity or availability.

Public data, while subject to University disclosure rules, is available to all members of the University community and to all external individuals and entities.

Risk Long-term loss of reputation, long-term loss of critical campus services, long-term loss of research funding, tampering with research, unauthorized exposure of litigation materials, identity or credit theft Short-term loss of reputation, short-term loss of research funding, short-term loss of departmental services, Unauthorized tampering with research Loss of data with no impact to the university, inaccurate general information


5. More information on Category I data can be found on the Category I Extended Guidelines page. 


Effective Date: January 1, 2014
Last Revised: March 16, 2016