Do you know your data? The fundamentals of data classification
No matter your role at OISE, you likely handle information and data every day. Our work is full of data. From student applications to course materials, and financial records to research documents, the data we handle comes in many forms.
Data Classification
The different types of data we handle can be classified into different categories of sensitivity. Data classification helps by providing a schema for labelling data according to its type, sensitivity, and value, so that informed choices can be made about how it is managed, protected, and shared.
Why not protect everything at the highest level and not worry about classifications?
Not all data is the same. We want to make sure we provide the right level of protection; not enough protection can put confidential data at risk, but too much protection on less sensitive data can make it difficult to accomplish our daily tasks and would waste time and resources.
How data is classified
At the University of Toronto, a Data Classification Table has been created that outlines the four levels of data. Level 1 data is public information, and level 4 is non-public sensitive information. The higher the level, the higher the risks.
Level 1
This category is for data that the University has designated as being generally accessible to the public. Examples include:
- Data from the U of T Directory
- Press releases
- News articles
Level 2
This is the default category. It includes data that the University has chosen not to make public but has also not been designated in another level. Examples include:
- U of T Advanced Directory for faculty and staff
- Most unpublished research
- Most course materials
Level 3
This category is for non-public data that contains personal information (as defined by the Freedom of Information and Protection of Privacy Act [FIPPA]) for which appropriate permission to disclose has not been received, and other data that the University has designated as being level 3. Examples include:
- Student information and records
- Employee records
- Video surveillance security footage
Level 4
This category is for non-public data that is highly sensitive such that its disclosure poses substantially greater risk of harm to the University and to the data subject than level 3 data. Examples include:
- Personal health records as defined by the Personal Health Information Protection Act (PHIPA)
- Customer payment card information when the University is in a merchant capacity
Why is it important?
Data is all around us. Data classification helps us to understand the most appropriate ways of handling and protecting it – who can see or use it, where to store it and for how long, whether it can be shared and what protective measures are most appropriate. Whether it is for a research project, as part of data collection, or a day-to-day data use and its sharing for academic and administrative purposes, data classification is a very important step as we continue to strengthen data security.
- Julia Duncan, Director, Education Commons
Assisting OISE with data classification
It can be challenging to determine what level of data a file may be and how to store it correctly.
To assist OISE with data classification and secure data storage practices, Education Commons is currently exploring solutions that make data classification easier and improve the process.
One of the most promising solutions is the sensitivity label, which is offered through a Microsoft program called Microsoft Purview Information Protection. Sensitivity labels are customizable, unambiguous text identifiers that tag files and emails based on sensitivity levels. They can control who has access to specific data and can add further protection through encryption. Education Commons, in collaboration with Information Security and Enterprise Architecture (ISEA), is planning to pilot this classification system in the winter term.
Resources
https://isea.utoronto.ca/policies-procedures/standards/data-classificat…
https://www.microsoft.com/en-ca/security/business/information-protectio…