Category I Extended Guidelines

This site provides an expanded list of representative examples of data that should be classified as Category I. This list provides assistance with evaluating the level of protection required for data and computer systems.


NOTE: Social Security Numbers may be stored on only authorized systems, such as the payroll system. They are released only as required by law; for example, to the IRS for tax purposes.

This list is not all-inclusive, and it does not cover the release of information.


1. Patient Medical/Health Information – Health Insurance Portability and Accountability Act (HIPAA)

The following information is confidential:

  • Social Security Number
  • Patient names, street address, city, county, zip code, telephone / fax numbers
  • Dates (except year) related to an individual, account / medical record numbers, health plan beneficiary numbers
  • Personal vehicle information
  • Certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses
  • Access device numbers (ISO number, building access code, etc.)
  • Biometric identifiers and full face images
  • Any other unique identifying number, characteristic, or code
  • Payment Guarantor's information


2. Student Records – Family Educational Rights and Privacy Act (FERPA)


Private Records...
The following categories of information are considered private, or protected, by UTSA:

  • Social Security Number
  • UTSA student ID Number
  • Residency status
  • Marital status
  • Married name or previous name
  • Parents' name and address
  • Transfer credits
  • Courses completed
  • Grades
  • Grade point average
  • Rank in class
  • Current class schedule
  • Advisor's name
  • Academic status
  • Current disciplinary actions.


In accordance with FERPA, UTSA has designated the following categories of information about individual students as public or directory information. This information will be routinely released to any inquirer, unless the student has specifically requested that all or part of the following list be withheld:


  • Name
  • Address and telephone number
  • Email address
  • Date and place of birth
  • Major field of study
  • Enrollment status
  • Dates of attendance (in person or by correspondence, Internet, or other electronic and telecommunications technologies)
  • Most recent previous educational agency or institution attended
  • Classification
  • Degrees, certificates and awards (including scholarships) received
  • Date of graduation
  • Participation in officially recognized activities and sports
  • Physical factors (height and weight) of athletes
  • Photographs.

3. Donor/Alumni Information (UT System Business Process Memorandum, Texas Identity Theft Enforcement and Protection Act, HIPAA)

The following information is confidential:

  • Social Security Number
  • Name
  • Personal financial information
  • Family information
  • Medical information
  • Credit card numbers, bank account numbers, amount / what donated
  • Telephone / fax numbers, e-mail, URLs


4. Research Information (Granting Agency Agreements, Other IRB Governance)

The following information is confidential:

  • Data on human subjects that contains personal identifiers.
  • Sensitive digital research data
  • Export Controlled Information – ITAR and EAR - Information or technology controlled under the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR) as described below, is confidential:
  • Information which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of a controlled item or product. This includes information in the form of blueprints, drawings, photographs, plans, instructions or documentation.
  • Classified information relating to defense articles and defense services;
  • Information covered by an invention secrecy order;
  • Software directly related to a controlled item;
  • This does not include information concerning general scientific, mathematical or engineering principles commonly taught in schools, colleges and universities or information in the public domain. It also does not include basic marketing information on function or purpose or general system descriptions of an article or product.


5. Employee Information (UT System Policy, Texas Identity Theft Enforcement and Protection Act)

There can be confusion over which rules apply when an employee is also a student. The rule of thumb is that the student rules apply when the employee is in a student job title.

The following employee information is confidential:

  • Social Security number
  • Date of Birth
  • Personal financial information, including non-UT income level and sources
  • Insurance benefit information
  • Access device numbers (building access code, etc.)
  • Biometric identifiers
  • Family information, home address, and home phone number may be revealed unless restricted by the employee. UTSA employees can restrict this information in UT Direct.

Please note that information considered public, such as employee names, salary and performance review information, would be released under an open records request.


6. Business/Vendor Data (Gramm-Leach-Bliley Act, Non-Disclosure agreement)

The following information is confidential:

  • Vendor Social Security Number
  • Credit card information
  • Contract information (between UTSA and a third party)
  • Access device numbers (building access code, etc.)
  • Biometric identifiers
  • Certificate / license numbers, device IDs and serial numbers, email, URLs, IP addresses


7. Other Institutional Data (Gramm-Leach-Bliley Act, Other Considerations)

The following information is confidential:

  • Information pertaining to the Office of Institutional Relations and Legal Affairs
  • Financial records
  • Contracts
  • Physical plant detail
  • Credit card numbers
  • Certain management information
  • Critical infrastructure detail
  • User account passwords
  • User Identification Number (UIN)



Special thanks to the UT Austin Information Security Office for providing content.

<< Back