What makes information sensitive?
There are three characteristics that determine how "sensitive" a piece of information should be considered:
- Its need to be kept confidential,
- Its need to be maintained in a manner where its integrity, or accuracy, can be guaranteed,
- Its need to be available whenever it is needed.
The University of Houston System has defined three sensitivity levels for component campus data
- Level 1 data (most sensitive)
- Confidential information: Information that includes, but is not limited to:
- Social security numbers,
- Educational records as defined by the Family Educational Rights and Privacy Act (“FERPA”),
- Health care information as defined by the Health Insurance Portability and Accountability Act (“HIPAA”) and other applicable law, and
- Customer information as defined by the Gramm-Leach-Bliley Act (“GLB Act”).
- Sensitive personal information: As defined by the Texas Business and Commerce Code
- An individual’s first name or first initial and last name in combination with any
one or more of the following items, if the name and the items are not encrypted:
- Social security number;
- Driver’s license number or government-issued identification number; or
- Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
- Information that identifies an individual and related to:
- The physical or mental health or condition of the individual;
- The provision of health care of the individual; or
- Payment for the provision of health care to the individual.
- An individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:
- Mission-critical information: Information defined by the university or information owner to be essential to the continued performance of the mission of the University or department. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of the University or department.
- Level 2 data (sensitive)
- Protected information: Information that may be subject to disclosure or release under the Texas Public Information Act as requested.
- Level 3 data (least sensitive)
- Public information: Information readily available in the public domain, such as information posted on the component university’s public web site, and any other information not classified as Level 1 or 2.
What about information that is not listed above?
While the pieces of information identified above list data elements that have been identified by legislation and contracts, there are many other data elements that can cause significant financial or reputational loss if exposed to unauthorized individuals. Therefore, it is critical for individuals who need to access the University's information resources to check with the individuals who best understand the sensitivity of the information that they require.
In general practice, these individuals, referred to as "Information Owners", are responsible for determining and keeping the campus informed about:
- How their information is classified,
- Who or what roles across the University should have access to Level 1 and Level 2 information,
- What type of access is permitted (e.g., read only, create, edit, delete) for each specified individual or role,
- How the information should be protected (e.g., the need for authentication, encryption, digital signature)
Typically, an Information Owner is typically the head of the department that is most associated with the information. For example, the Information Owner of staff information would likely be the Director of Human Resources. While the Information Owner usually designates specific staff members to perform the day-to-day data classification, access authorization and data protection decisions, he or she is ultimately responsible for the decisions made.
How is someone who needs access to information authorized?
When a department or an individual needs to be granted access to information owned by another department, the individual or department representative should contact the appropriate Information Owner or designee to discuss the business requirement and to determine what type of access will be granted. With surveys claiming that a vast majority of information security breaches are caused by human error or lack of awareness, it is critical that everyone who uses the University's information understands how information is to be used and with whom it can be shared. Documenting the information use agreements among departments, even if it is done informally via an e-mail message, is not only the most effective approach but also provides the University with the protection of being able to demonstrate that processes are in place to ensure that the information is handled appropriately.