Information Privacy & Security Program

​​​D​allas College Information Privacy & Security Program Information Classification Scheme

The College, as a public entity, is governed by the Texas Public I​nformation Act, which requires disclosure of information by a public body -- unless the law specifically protects that information. In general, the classification given to information is a shorthand way of determining how this information is to be handled and protected by College school officials. The information classification scheme must be reviewed annually by the College Information Security Officer.

According to the Texas Administrative Code § 202.71, institutions of high​er education are responsible for defining all information classification categories except the confidential Information category, which is defined in Subchapter A of § 202.1, and establis​hing the appropriate controls for each category. These classifications are defined to ensure understanding and consistency in their application.

The Texas Department of Information Resources identifies four lev​​els of information classification in ascending degree of sensitivity. This information classification scheme should be used throughout the College as a means to identify and address the safeguards, precautions, and handling requirements necessary to prevent accidental data disclosure.

1. Public – Information that is freely and without reservation made available to the public.
2. Sensitive – Information that could be subject to release under an open records requests but should be controlled to protect third parties.
3. Confidential – Information that typically is excepted from the Public Information Act.
4. Regulated – Information that is controlled by a federal/state regulation or other third-party agreement.

Public – Category I

The lowest data classification level includes data openly available to the public. This might also include official Dallas College communications and public announcements.

The Public information label is used for information such as published reports, press releases, and information published to the Dallas College website. Such information requires no authentication and is freely distributable by all personnel.

Examples of public data

• Internet web site contents for general viewing
• Reports pertaining to public fund expenditures
• Policy statements
• Election information, including candidates' applications and campaign finance reports
• Press releases
• Public directory information
• Student directory information not marked private (per FERPA rules). NOTE: Unless you can verify that each student record has not been flagged as private, student directory information should always be considered as Sensitive - Category II information.
• Faculty and staff directory information
• Course catalog information
• Intercollegiate sports information (e.g., team rosters, statistics, scores, schedules)
• Data covered by non-disclosure agreements, service level agreements, grants, etc.

Please note that information considered public, such as employee names, birth dates, salary, and performance review information, would be released under an open records request.

Sensitive – Category II

Dallas College data not otherwise identified as confidential or regulated, but which may or may not be releasable in accordance with Open Records Requests or Texas Public Information Act (e.g., contents of specific email, date of birth, salary, etc.). Such data must be appropriately protected to ensure a controlled and lawful release (if applicable). Open records request must be submitted and approved by General Counsel office.

Much of the information is still subject to public release under an open records request, but the information should be vetted and verified before release. These types of data include items such as employee records and gross salary information. While these records and information are considered “public” under the Texas Public Information Act, they should still be afforded a higher level of protection to ensure confidential data (e.g., net salary information) is not comingled. Submit open records requests to the General Counsel office.

Examples of Sensitive data

• Internal memorandums or e-mails
• Internal meeting minutes
• Internal (Intranet) Web sites
• Business procedures
• Student ID
• Student email address containing Student ID (e.g., ID@student.dallascollege.edu)
• Employee ID
• “3x4” ID (e.g., xxx1111)
• Employee email address if not using alias (e.g., xxx1111@dallascollege.edu)
• Non-public administrative or operational data
• Employee: Evaluations, Personal information, Information used to validate identity
• Asset listings and locations, building plans
• Email content, Policies, Procedures, Training Materials, Meeting information
• Non-restricted research data, Controlled unclassified data, Unpublished research work and intellectual property
• Personnel records excluding information categorized as confidential
• Student directory information marked private (per FERPA rules)
• Family information, home address, and home phone number may be released unless restricted by the employee. DCCCD employees can restrict this information by contacting Human Resources

Confidential/Regulated – Category III

This classification level is reserved for information that would, if inadvertently released, have a significant severe adverse impact to Dallas College. This data is protected specifically by federal or state law or Dallas College rules and regulations. Such information may also be subject to state or federal breach notification requirements. This category also focuses on information restricted through certain legal requirements.

Examples of Confidential/Regulated Data

• Social Security Number (SSN)
• Federal Tax Information (e.g., W-4, W-2 Forms)
• Drivers’ License Number
• Information that would give advantage to a competitor or bidder, and audit working documents
• Credit/charge/debit/access device card numbers, magnetic stripe data and security codes
• Personal financial information including financial/bank account number
• Biometric identifiers and full-face images
• Information exposing details of employee use of benefits or health information pertaining to the use of benefits
• Contract information between Dallas College and third party
• Physical plant detail
• Critical infrastructure detail
• All student records information, including grades – See Regulated – Category III
• Certain personnel records information, such as bank account/routing numbers and beneficiary information
• Certain medical and health benefit information, including medical records protected by HIPAA
• User account passwords
• Device IDs, serial numbers, IP Addresses ​(does not apply to public or dynamic IP Addresses)
• Attorney-client communications
• Protected draft communications
• Computer vulnerability reports
• Any other uniquely identifying number, characteristic, or code

Regulated – Category III – Expanded Explanation:

Regulated focuses on the types of data typically regulated by federal statute or third-party agreements. It is the highest level of classification and use is limited to explicitly designated or groups of individuals with a stringent business need to know. Agencies that maintain protected health, federal tax, payment card, or certain personal information will have specific requirements placed on that data by a non-Texas regulation. Regulated data has specific handling requirements unique to their applicable laws, regulations and standards not limited to:

• Federal Educational Rights and Privacy Act (FERPA)
• Gramm-Leach-Bliley Act (GLBA)
• Payment Card Industry – Data Security Standard (PCI-DSS)
• Health Insurance Portability and Accountability Act (HIPAA)
• Texas Identity Theft Enforcement and Protect Act
• Texas Public Information Statutes
• General Data Protection Regulation (GDPR)

Student Records (FERPA):

This applies to both enrolled and prospective student data.

• Grades (including test scores, assignments, and class grades)
• Bank accounts, wire transfers, payment history, financial aid/grants, student bills
• Access device numbers (card number, building access code, etc.) used to protect student records information
• Internal ID numbers (campus ID/CID)

Note that for enrolled students, the following data may ordinarily be revealed by the Dallas College without student consent unless the student designates otherwise by using Office of the Registrar approved methods:

• Student name
• Local and permanent mailing address
• Digital image (e.g., Photograph)
• Major and minor fields of study
• Participation in recognized activities and sports
  • weight and height of members of athletic teams
  • team photographs
• Dates of attendance
• Classification
• Enrollment status
• Degree candidate
• Degrees
• Awards and honors received, type of award/honor
• Previous educational agencies and institutions attended
• Hometown

There can be confusion over which rules apply when an employee is also a student. The rule of thumb is that the student rules apply when the employee is in a student job title.

For additional examples, see Texas Public Information Act, SUBCHAPTER C. INFORMATION EXCEPTED FROM REQUIRED DISCLOSURE.

NOTE: Please refer to the College's Board Policies on Student Records, FJ (LOCAL) and FJ (LEGAL), definition and the handling of Student Records.

NOTE: For written requests received for Student Directory Information, notify and send to the Registrar's Office. For all other written requests, fax to College Legal. Questions regarding whether an employee has a "need-to-know" should be directed to the employee's supervisor, the location Information Security Officer, or the College Legal Counsel.

Terms

• FERPA: Family Educational Rights and Privacy Act.
• GLB: Gramm-Leach Bliley.
• HIPAA: Health Insurance Portability and Accountability Act.
• Information Classification Scheme: The classification level given to information — according to its use, sensitivity, and importance — that determines how information is to be handled and protected within Dallas College. The three categories of information are as follows:
  • Category I — Public Information
  • Category II — Internal Information
  • Category III — Confidential/Regulated Information
• PCI: Payment Card Industry.
• School Officials: Any employees, Trustees, or agents of the College, as well as attorneys, consultants, and independent contractors who are retained by the College. School officials have a "legitimate educational interest" in a student's record when they are working with the student; considering disciplinary or academic actions or the student's case; compiling statistical data; or investigating or evaluating programs.
• USA PATRIOT Act: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism.

Related References

• Board Policies:
  • CS(LOCAL) Information Security
  • CS(REGULATION) Information Security
  • Violations DH(LOCAL) Employee Standards of Conduct
  • FJ (LOCAL) Student Records
  • FJ (LEGAL) Student Records
• Texas Administrative Code Department of Information Resources Information Security Standards for Institutions of Higher Education
• Texas Public Information Act