What are the Data Classifications

All Western University data stored, processed, or transmitted on or through university resources, or on other resources where university business occurs, must be classified into one of three categories. The appropriate use of the data and the security measures that protect it depend on the data classification determined as defined below. Based on the classification assigned, you are required to implement technical security measures that protect the data consistent with the university minimum Data Classification Standard operational treatment (Operational Standards to be determined). Data classified as “Confidential” have more stringent requirements than data classified as “Sensitive” or “Public”.

Note: Data that are personal to the operator of a system and stored, processed, or transmitted on a university resource as a result of incidental personal use are not considered university data. University data stored on non-university devices must still be protected and used according to the respective university minimum security standards.

To classify your data, start by understanding what the data classifications are. Specific laws and regulations govern some kinds of data. You must also consider whether the confidentiality, integrity, or availability of the data is at stake.

Data Classification Standards

Data Classification Definitions

Confidential

Confidential data, if compromised in any way, is likely to result in significant and/or long-term harm to the institution and/or the individuals whose data it is.

Protection of such information could be required by university policy and/or provincial or federal legislation.

This type of information could be strictly protected by provincial or federal statutes or regulations, university policy, or contractual agreement and must be protected from unauthorized access, modification, transmission, storage, destruction, or use.

Access to Confidential information is restricted to those who have a legitimate purpose for accessing such information.

Sensitive

Sensitive data, when released without authorization, could be expected to cause minor, short-term harm or embarrassment to the institution and/or individuals whose data it is, and is intended for only limited dissemination.

The major difference between Confidential data and Sensitive data is the likelihood, duration, and the level of harm incurred.

Protection of such information could be recommended by university policy and/or provincial or federal legislation.

Access to Sensitive information should be granted to those who have a legitimate purpose for accessing such information.

PLEASE NOTE: Information classified as Sensitive could become classified as Confidential if, in the aggregate, the information could be reconstructed to reveal personally identifiable information.

Public

Public data is data which is readily available to any member of the Western University community or to the general public, either upon request or by virtue of its being posted or published by Western University through its proper administrative procedures. This type of information has no legal restriction on access or usage.

It may include information collected for the express purpose of public release with the knowledge and consent of the individuals the information is about.

Data Classification Examples

Introduction

Canadian Privacy Legislation
Fundamental rights and freedoms in the Canadian Constitution have been interpreted by the courts to include privacy protections. Privacy rights are protected in federal and provincial/territorial legislation.

Identifiable Information: Information that may reasonably be expected to identify an individual, alone or in combination with other available information, is considered identifiable information (or information that is identifiable). The term “personal information” or (personal identifier) refers to identifiable information.

Directly Identifying information (Personal Identifiers) – the information identifies a specific individual through direct identifiers. Some examples are: full name, employee ID, student ID, S.I.N., driver's licence, and specific types of research data (participants of a research study, employees, students, passwords).

Indirectly identifying information (Personally Identifiable Data) – the information can reasonably be expected to identify an individual through a combination of indirect identifiers (birth date, gender, sexual orientation, place of residence or a unique personal characteristic).
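The two definitions above, together with the aggregation caveat under Sensitive, can be expressed as a small rule set: a direct identifier makes a record Confidential on its own, several indirect identifiers together are treated as reconstructable personal information and escalate the record to Confidential, and a lone indirect identifier is Sensitive. The following Python is an added example written for this page, not Western University's tooling or any official standard: the field names, the membership of the direct and indirect identifier sets, and the threshold of two indirect identifiers for escalation are assumptions chosen for illustration.

```python
from enum import IntEnum


class Classification(IntEnum):
    """Ordered so that max() yields the most restrictive classification."""
    PUBLIC = 0
    SENSITIVE = 1
    CONFIDENTIAL = 2


# Assumed field names for direct identifiers (the page's "Personal Identifiers"):
# any one of these on its own identifies a specific individual.
DIRECT_IDENTIFIERS = {"full_name", "employee_id", "student_id", "sin", "drivers_licence"}

# Assumed field names for indirect identifiers: these identify a person only in
# combination with one another.
INDIRECT_IDENTIFIERS = {"birth_date", "gender", "sexual_orientation", "postal_code"}

# Assumed threshold: two or more indirect identifiers in one record are treated
# as reconstructable personal information and escalated to Confidential.
AGGREGATION_THRESHOLD = 2


def _populated_fields(record):
    """Field names that actually carry a value; empty columns do not identify anyone."""
    return {name for name, value in record.items() if value not in (None, "")}


def classify_fields(fields):
    """Apply the rule set to a set of populated field names."""
    fields = set(fields)
    if fields & DIRECT_IDENTIFIERS:
        return Classification.CONFIDENTIAL
    indirect = fields & INDIRECT_IDENTIFIERS
    if len(indirect) >= AGGREGATION_THRESHOLD:
        return Classification.CONFIDENTIAL  # aggregation escalates Sensitive to Confidential
    if indirect:
        return Classification.SENSITIVE
    return Classification.PUBLIC


def classify_record(record):
    """Classify one record (a dict of field name -> value)."""
    return classify_fields(_populated_fields(record))


def classify_dataset(records):
    """Classify a collection of records.

    Two checks are combined: the strictest single record, and the union of all
    populated fields across the collection, because indirect identifiers spread
    over several rows can still be recombined once the rows sit in one dataset.
    """
    per_record = max((classify_record(r) for r in records), default=Classification.PUBLIC)
    combined = classify_fields(set().union(*(_populated_fields(r) for r in records)))
    return max(per_record, combined)


# Constructed sample records for illustration; values are not real data.
SAMPLE_RECORDS = [
    {"course_title": "Intro to Security", "term": "Fall"},              # Public
    {"birth_date": "1990-04-12", "course_title": "Intro to Security"},  # Sensitive
    {"birth_date": "1990-04-12", "postal_code": "N6A 3K7"},             # Confidential (aggregation)
    {"student_id": "250123456", "grade": "A"},                          # Confidential (direct)
]


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(f"{classify_record(record).name:13} {sorted(record)}")
    print("dataset:", classify_dataset(SAMPLE_RECORDS).name)
```

The dataset-level check is the practical consequence of the aggregation note: a column that is only Sensitive on its own becomes part of a Confidential dataset as soon as it is stored next to enough other indirect identifiers, so the protection level has to be decided for the collection, not just for each field.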

Examples
PLEASE NOTE: these example lists are not exhaustive and are to be used as illustrative (most data should fit accordingly).

Confidential Data

Patient Medical/Health Information (PHIPA/PIPEDA)

  • Identification Numbers (Social Insurance Number (S.I.N.), OHIP, Hospital PIN);
  • Full patient name, full address, postal code;
  • Biometric identifiers (finger prints, voiceprint);
  • Medical Records;
  • Personal and Demographic Information (marital status, birth date, age, height, weight, email address);
  • Dates (except year) related to an individual, account / medical record numbers, health plan beneficiary numbers;
  • Medical images.

Student Records (FIPPA)

This applies to applicants, enrolled students and prospective student data.
  • Identification Numbers (Social Insurance Number (S.I.N.));
  • Student Grades;
  • Student financials, bank accounts, payment history, financial aid/grants, student bills;
  • Demographic information (name, marital status, birth date, race, ethnic origin);
  • Personal Information of students (email address, religion, educational level).

Donor/Alumni Information (FIPPA, PHIPA)

  • Identification Numbers (Social Insurance Number (S.I.N.), Alumni ID);
  • Personal financial information;
  • Family information;
  • Demographic information (name, marital status, birth date, race, ethnic origin);
  • Personal Information (email address, telephone / fax numbers, educational level).

Research Information (Granting Agency Agreements, Contracts, Applications, TCPS, Tri-Agency Framework) (FIPPA, PIPEDA)

  • Identification Numbers (Social Insurance Number (S.I.N.), Award Number);
  • Human participant information (demographic and personal);
  • Unpublished research information after it has transitioned to administrators (grant applications, grant proposals);
  • Research data that is identifiable (i.e. includes participant identifiers);
  • Export Controlled Information or technology;
  • Information which could affect patent processes, proprietary data, and intellectual property;
  • Contracts and agreements;
  • CVs.

Employee Information (PIPEDA)

  • Identification Numbers (Social Insurance Number (S.I.N.), Employee ID);
  • Personal financial information, including non-Western University income level and sources (bank account, income);
  • Insurance and benefit information;
  • Demographic information (name, marital status, birth date, race, ethnic origin);
  • Personal Information of employees (email address, religion, educational level, tax return information);
  • Certain management information (performance evaluations, agreements, employment history, etc.).

Other Institutional Data

  • Critical infrastructure detail (network topology, security apparatus, etc.).

Sensitive Data

  • Draft planning documents;
  • Internal internet websites;
  • Official meeting minutes before approved;
  • Research awards notifications (time sensitive);
  • RFP processes (time sensitive);
  • Research data that is NOT identifiable or protected under a Confidentiality Agreement (i.e. identifiers removed);
  • Personal and Demographic Information (marital status, birth date, age, height, weight, email address, Student Number, PIN) when NOT aggregated with other personally identifiable information;
  • Employee / Student Email messages;
  • Employee / Student Network usage information.

Public Data

  • Any information that does not need to be protected to comply with Confidential or Sensitive classification standard;
  • Any information that has been publicly published through official channels.
