Data Classification Standard

Knowing the criticality of your data is the first step towards adequately protecting it. The University of Toronto’s data classification groups U of T data into four levels based on its importance, sensitivity and potential for misuse.

Data classification table

Columns: Level; Definition; Explanation and examples

Level 4

Non-public data that the University has designated as level 4. Level 4 data requires substantially greater protection measures than confidential data.

Some non-public data is highly sensitive such that its disclosure poses substantially greater risk of harm to the University than level 3 data, and it is possible to manage this risk by storing and using the data so that extra protections are always in place. This category is for data of particular sensitivity that should not normally reside on general-purpose computer systems or be handled in the same way as ordinary office paperwork.

Examples (not exhaustive):

  • Personal health records as defined by the Personal Health Information Protection Act (PHIPA)
  • Customer payment card information when the University is in a merchant capacity
  • Social insurance number

Level 3

Non-public data that contains personal information (as defined by the Freedom of Information and Protection of Privacy Act [FIPPA] for which appropriate permission to disclose has not been received) and other data that the University has designated as being level 3.

Much administrative data, including general-purpose email and business paperwork in a typical University office, would fall into this category, given that the administration of the University’s teaching generally involves the handling of personal information about students and sometimes about staff and faculty. FIPPA imposes additional privacy obligations on the University, so in addition to risks for levels one and two, FIPPA risks also apply.

Examples (not exhaustive):

  • Student numbers, names, marks, records
  • Employee records
  • Video surveillance security footage
  • Research data involving identified living human subjects
  • Research data classified as confidential by funding agencies/research ethics board

Level 2

Data the University has not chosen to make public, but that has not been designated by the University as being in another level. This is the default category.

In addition to risks for level 1, this data should not be disclosed to the general public or to people other than those the data owner or steward wishes, until/unless the data owner/steward decides to make it public.

Examples (not exhaustive):

  • The U of T advanced directory for faculty and staff
  • Most unpublished research
  • Most course materials
  • Building floor plans
  • Unpublished software source code

Level 1

Data available for broad or general open view.

This category is for data that the University has designated as being generally accessible to the public. Privacy and confidentiality of this data are not an issue; the issue is authenticity/integrity of the data (no unauthorized additions/modifications/deletions).

Examples (not exhaustive):

  • The U of T directory
  • Press releases
  • News articles
  • Published annual reports
  • Faculty and staff directory
  • Published research
  • External job postings, distributed
  • Open source software source code

Interpretive guidance on handling of social insurance numbers (SINs)

This guidance clarifies the University’s Information Security Control Standard as it applies to the collection, storage, processing and sharing of SINs by the University.