Data Classification
Classifying data based on sensitivity and criticality to establish appropriate security and access control measures
Classification Overview
Data classification is the process of categorizing data based on its sensitivity and criticality. All institutional data within this framework should be divided into different access levels, each defined according to data sensitivity and criticality. Additionally, each level has a set of minimum security and access requirements. These access levels will determine the authorization needed to access specific datasets.
Classification Process Overview
All data should be classified on two dimensions, sensitivity level and criticality, each described in the sections below.
Detailed Classification Process
Data classification is a systematic process ensuring all data elements are appropriately categorized and protected.
1. Identify data elements and datasets
2. Assess sensitivity and criticality
3. Assign the appropriate classification level
4. Implement the appropriate security controls
5. Regularly review and update the classification
Data classification should be documented in the data inventory.
Sensitivity Levels
Restricted
Highest Level Protection
Highly sensitive data requiring the highest level of protection.
- Personal Identifiable Information (PII)
- Financial data
- Health records
- Passwords and encryption keys
Confidential
Legal and Ethical Protection
Data requiring protection due to legal, ethical, or specific functional, group, or role requirements.
- Human resources records
- Research data
- Contract information
- Internal audit reports
Internal
Internal Use Only
Data intended for internal use only.
- Internal memoranda
- Department reports
- Operating manuals
- Internal communications
Public
No Access Restrictions
Data with no privacy, security, or access control expectations.
- Public website content
- Press releases
- Course catalogs
- Public reports
Criticality Level - Critical Data Elements (CDE)
All institutional data should be designated as Critical Data Elements (CDE) or non-critical data elements based on assessment of their strategic value, operational importance, and compliance requirements.
Strategic Value
Is the data critical to university strategic planning?
- Data supporting long-term planning
- Data impacting major decisions
- Data related to university competitive advantage
Operational Importance
Is the data critical to supporting key operational processes?
- Data relied upon by core business processes
- Data essential for daily operations
- Critical data for system operations
Compliance & Privacy
Must the data be protected according to legal or regulatory requirements?
- Personal data protected by law
- Data required for regulatory reporting
- Data related to contractual obligations
CDE Determination
- Strategic Value Assessment: Is the data critical to university strategy?
- Operational Importance Assessment: Is the data critical to operations?
- Compliance Requirement Assessment: Is the data legally protected?
If the data meets any of the above criteria, it should be designated as a Critical Data Element (CDE); otherwise it is a non-critical data element.
Data Inventory Example
Data classification should be documented and maintained in the data inventory. Below is an example:
| Data Element Name | Sensitivity Level | Critical Data Element | Data Domain |
|---|---|---|---|
| Student ID Number | Restricted | Yes | Student Personal Data |
| Student Academic Records | Confidential | Yes | Student Management Data |
| Staff Contact Information | Internal | No | Staff Personal Data |
| Course Syllabus | Public | No | Course Management Data |
| Research Grant Amount | Confidential | Yes | Research Data |
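The inventory above is easiest to keep consistent when it is held in a machine-checkable form rather than a hand-edited table. The following is an added example, not part of this policy or of any institution's tooling: it models one inventory row together with the steward's answers to the three CDE questions, applies the "any criterion" rule, and flags rows whose recorded CDE column disagrees with those answers. The `DataElement` fields, the criteria answers attached to the page's sample rows, the extra "Alumni Donor List" row and the rule that legally protected data cannot sit at the Public level are all assumptions introduced for the example.

```python
from dataclasses import dataclass

# The four sensitivity levels defined in this policy, ordered from most to least sensitive.
SENSITIVITY_LEVELS = ("Restricted", "Confidential", "Internal", "Public")


@dataclass(frozen=True)
class DataElement:
    """One inventory row plus the steward's answers to the three CDE questions (assumed schema)."""
    name: str
    sensitivity: str
    domain: str
    strategic_value: bool          # critical to university strategic planning?
    operational_importance: bool   # relied upon by core operational processes?
    compliance_requirement: bool   # protected by law, regulation or contract?
    declared_cde: bool             # the "Critical Data Element" column as currently recorded


def is_critical(e: DataElement) -> bool:
    """CDE determination as the policy states it: meeting any one criterion is enough."""
    return e.strategic_value or e.operational_importance or e.compliance_requirement


def validate(inventory) -> list:
    """Return (element name, problem) pairs; an empty list means the inventory is consistent."""
    findings = []
    seen = set()
    for e in inventory:
        if e.name in seen:
            findings.append((e.name, "duplicate data element name"))
        seen.add(e.name)
        if e.sensitivity not in SENSITIVITY_LEVELS:
            findings.append((e.name, f"unknown sensitivity level {e.sensitivity!r}"))
        if is_critical(e) != e.declared_cde:
            findings.append((e.name, "declared CDE flag disagrees with the three criteria"))
        # Assumed consistency rule: Public data carries no privacy expectation, so data that
        # is legally protected cannot be classified Public.
        if e.compliance_requirement and e.sensitivity == "Public":
            findings.append((e.name, "legally protected data classified as Public"))
    return findings


# Constructed sample inventory: the page's example rows with assumed criteria answers, plus one
# deliberately inconsistent row ("Alumni Donor List") to show what validation catches.
INVENTORY = [
    DataElement("Student ID Number", "Restricted", "Student Personal Data", False, True, True, True),
    DataElement("Student Academic Records", "Confidential", "Student Management Data", True, True, True, True),
    DataElement("Staff Contact Information", "Internal", "Staff Personal Data", False, False, False, False),
    DataElement("Course Syllabus", "Public", "Course Management Data", False, False, False, False),
    DataElement("Research Grant Amount", "Confidential", "Research Data", True, False, True, True),
    DataElement("Alumni Donor List", "Public", "Advancement Data", False, False, True, False),
]

if __name__ == "__main__":
    for name, problem in validate(INVENTORY):
        print(f"{name}: {problem}")
```

Run as a script, it reports only the inconsistent row: its CDE column says "No" although the compliance criterion is met, and a legally protected element has been placed at the Public level. Running such a check whenever the inventory changes gives Data Guardians a concrete way to monitor classification consistency, and the recorded criteria answers make the periodic review traceable.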
Roles & Responsibilities
- Data Stewards are responsible for proposing initial data classification and documenting it in the data inventory.
- Since strategic value, operational importance, and regulatory or compliance requirements may change over time, data classification needs regular review.
- Data Trustees are responsible for approving data classification.
- For data classified as Restricted, Data Trustees must ensure the data is handled according to stricter guidelines associated with higher classification levels.
- Data Custodians are responsible for implementing appropriate security controls based on approved classification.
- Data Guardians are responsible for monitoring compliance and effectiveness of data classification.