Data Classification Policy and Procedure

Policy Purpose

This policy defines the classifications of data that is stored, maintained, and transmitted throughout the UAFS community. Federal and state laws require protection for certain types of data. In order to comply with these laws, data must first be classified to determine whether it falls under the protection of these laws.

Policy Statement

It shall be the policy of the University of Arkansas-Fort Smith that data will be classified into different categories according to its sensitivity and criticality.

Applicability

This policy applies to all University employees, students, contractors, vendors, and guests.

Definitions

None Applicable.

Policy Procedure

Data will be classified into one of the following categories by its sensitivity and criticality:
1. Highly Sensitive: Highly sensitive data is information that, if disclosed to unauthorized persons, would be a violation of federal or state laws, university policy, or university contracts. Any file or data that contains personally identifiable information (PII) of a trustee, officer, agent, faculty, staff, retiree, student, graduate, donor, or vendor qualifies as highly sensitive data. The highly sensitive classification includes all data defined by the state of Arkansas’ “Data and System Security Standard Classifications” as Level C (Very Sensitive) or Level D (Extremely Sensitive).
2. Internal: Internal data is information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage, or other use. This classification applies even though that data is restricted to personnel designated by the university who have a legitimate business purpose for accessing such data. Much of this data includes any information that is made available through open records requests or other formal or legal processes. Internal data includes all data defined by the state of Arkansas’ “Data and System Security Standard Classification” as Level B (Sensitive).
3. Public: Public data is information to which the general public may be granted access in accordance with University of Arkansas policy or standards. Public data includes all data defined by the state of Arkansas’ “Data and System Security Standard Classification” as Level A (Unrestricted).

Enforcement

This policy is only for defining types of classification.

Policy Management

This policy is managed by the IT department. The IT Director and appointed IT personnel are the primary administrators of this policy. The responsible executive is the VCFA.

Exclusions

None Applicable.

Effective and Approved Date

This internal policy was approved by Terry Meadows – Director of IT/CIO on 3/7/2023.

Last Updated

10/20/2025 – Reformatted for accessibility by Terry Meadows, Director of IT/CIO.