Data Classification & Retention

Data is a valuable asset to OISE. From student, faculty, and staff information to research data containing intellectual property, every piece of information is digitized. Some data is more sensitive and critical than others, and mishandling it can lead to significant consequences, including reputational and financial damage. Adopting data classification, retention, and disposition standards is essential to ensure that each type of data receives the appropriate level of security and is retained or disposed of in accordance with its classification and legal requirements.

Highly sensitive data, such as employees' Social Insurance Numbers (SIN), research data containing intellectual property, and student admission records and scores, require stricter protection and retention practices compared to less critical information, such as press releases, newsletters, student names, or class schedules.

The risks associated with poor data classification, retention, and disposition, as well as best practices to mitigate these risks, are outlined below.

Risks to Avoid

Inadequate Protection

Without data classification, it’s challenging to identify and protect sensitive information. Data should be labeled with a classification level from the time it is created to ensure it is protected throughout its lifecycle. For example, sensitive data like SIN numbers need to be protected and disposed or retained only for a specific time. Inappropriate handling of sensitive data such as Personally Identifiable Information (PII) can result in civil penalties, identity theft, financial loss, invasion of privacy, and jeopardize the peace of individuals.

Data Exposure

Without proper labeling, data is more likely to be accidentally shared with the public or fall into the wrong hands.

What to Do

Classify Data at Creation

Data should be classified according to the University's Data Classification Standard from the moment it is created to ensure it remains protected throughout its lifecycle.

Avoid Storing Sensitive Information on Personal Devices

Never store sensitive information on laptops, USBs, smartphones, or emails.

Secure Paper Records

Store paper records in locked file cabinets or storage rooms with controlled access. To safely dispose of paper records that have met their retention obligations, they should be shredded or placed in designated secure bins according to the University's record destruction procedure

Follow Information Retention Schedules

Only retain information for as long as necessary, following the University’s record and data retention schedules When information has reached the end of its retention period, ensure it is securely destroyed in accordance with proper destruction procedures to reduce the risk of unauthorized disclosure.

Use Secure Sharing Platforms

Utilize OneDrive or SharePoint’s “Share” function to securely share documents, as these platforms offer better control over who can access and edit your files. To further reduce security risks, avoid sending email attachments; using shared links is considered best practice for document sharing.

Set Appropriate Permissions

Configure permissions when sharing documents to ensure that only authorized individuals can view or edit the content, preventing unauthorized access and data leaks.

Monitor Document Access

Use the tracking features available in OneDrive and SharePoint to monitor who accesses your documents and what changes are made. When projects end or employees leave, it’s a good time to review access to folders and ensure that only the appropriate individuals still have access. Conducting periodic access reviews, such as quarterly, is also a best practice to maintain data security and compliance.