Data Classification Standard

From: Office of the Chief Information Security Officer

Effective: April 30, 2019

Endorsed by the Information Security Council on April 30, 2019.

Overview

Knowing the criticality of your data is the first step towards adequately protecting it. The University of Toronto’s data classification groups U of T data into four levels based on its importance, sensitivity and potential for misuse.

Data classification table

Level

Definition

Explanation and examples

Level 4

Non-public data that the University has designated as level 4. Level 4 data requires substantially greater protection measures than confidential data.

Some non-public data is highly sensitive such that its disclosure poses substantially greater risk of harm to the University than level 3 data, and it is possible to manage this risk by storing and using the data so that extra protections are always in place. This category is for data of particular sensitivity that should not normally reside on general-purpose computer systems or be handled in the same way as ordinary office paperwork.

Examples (not exhaustive):

  • Personal health records as defined by Personal Health Information Protection Act (PHIPA)
  • Customer payment card information when University is in a merchant capacity
  • Social insurance number

Highly sensitive research data[1], requiring stronger security controls, whose unauthorized access, disclosure, or loss poses significant financial, reputational, legal or physical risk to the data subject, researcher, University, etc.

Examples (not exhaustive):

  • Personal health information (PHI).
  • Research data subject to export controls or the Controlled Goods Program.
  • Personal data from the European Union classified as “extra sensitive” under the General Data Protection Regulation (GDPR).
  • Information that, if disclosed, could place data subjects or researchers at risk of foreseeable physical, psychological, social, financial or legal harm.
  • Research data with confirmed dual-use potential.
  • Research data requiring stronger security controls by partners, funding agencies, the Research Ethics Board (REB), legislation or regulations.
Level 3

Non-public data that contains personal information (as defined by Freedom of Information and Protection of Privacy Act [FIPPA] for which appropriate permission to disclose has not been received) and other data that the University has designated as being level 3.

Much administrative data, including general-purpose email and business paperwork in a typical University office, would fall into this category, given that the administration of the University’s teaching generally involves the handling of personal information about students and sometimes about staff and faculty. FIPPA imposes additional privacy obligations on the University, so in addition to risks for levels one and two, FIPPA risks also apply.

Examples (not exhaustive):

  • Student numbers, names, marks, records
  • Employee records
  • Video surveillance security footage
  • Research data involving identified living human subjects
  • Research data classified as confidential by funding agencies/research ethics board

Sensitive research data, requiring strong security controls, whose unauthorized access, disclosure or loss poses some (non-minimal) financial, reputational or legal risk to the data subject, researcher, University, etc.

Examples (not exhaustive):

  • Administrative records or data used for research purposes whose original data classification was level 3 (e.g., education/student records, employee records, other FIPPA-covered data).
  • Potentially identifiable information related to human subject data, including (de-identified) genomic data that can be re-identified using publicly available data.
  • Personal data from the EU not classified as “extra sensitive” under GDPR.
  • Collections of variables or indirectly identifiable information that, when merged, becomes sensitive.
  • Research data requiring strong security controls by partners, funding agencies, REB, legislation or regulations.
Level 2

Data the University has not chosen to make public but has not been designated by the University as being in another level.

This is the default category. In addition to risks for level 1, this data should not be disclosed to the general public or to people other than those the data owner or steward wishes, until/unless the data owner/steward decides to make it public.

Examples (not exhaustive):

  • The U of T advanced directory for faculty and staff
  • Most unpublished research
  • Most course materials
  • Building floor plans
  • Unpublished software source code

Non-public but non-sensitive research data; most active research data is at least level 2 prior to publication.

Examples (not exhaustive):

  • Most active and/or unpublished research and intellectual property that is not already classified as level 3 or 4.
  • Published research data under embargo.
  • Research data which is REB-exempt and/or has no contractual obligations for additional protections.
  • Anonymous information (e.g., survey) where no identifiers were collected.
  • Anonymized, de-identified or coded information, which is not PHI-related, where all directly identifiable information has been obfuscated, and the risk of (unauthorized) re-identification is low or very low.
    • Note: The code/data keys for the purposes of re-linkage are classified at the same level as the original, uncoded data.
Level 1

Data available for broad or general open view.

This category is for data that the University has designated as being generally accessible to the public. Privacy and confidentiality of this data is not an issue; the issue is authenticity/integrity of the data (no unauthorized additions/modifications/deletions).

Examples (not exhaustive):

  • The U of T directory
  • Press releases
  • News articles
  • Published annual reports
  • Faculty and staff directory
  • Published research
  • External job postings, distributed
  • Open source software source code

Publicly available.

Examples (not exhaustive):

  • Publicly available data or datasets.
  • Published research data not subject to embargo or beyond embargo period.
  • Open-source software source code.
  • Identifiable information which the data subject explicitly consented to make publicly available or has no expectation for privacy.

Data classification decision tool for research

Use this tool to determine which data classification level applies to your research data.

Interpretive guidance on handling of social insurance numbers (SINs)

This guidance clarifies the University’s Information Security Control Standard as it applies to the collection storage, processing and sharing of SINs by the University.

U of T Data Classification Guidance

The University’s Data Classification Guidance is intended to support data trustees and their delegates to classify institutional data in their custody. It includes a list of data elements by data classification level, along with supplementary considerations.

Note: Research data are held at the University for conducting scholarly research and are therefore outside the scope of this guidance.

Additional resources: