Data classification: Using a risk-based approach for data protection

Data classification schema at U of T helps in protecting University data

Most of us work with data on a day-to-day basis; the data we handle range from blog posts, course material and internal reports to personal information and health records. Not all data are created equal – while press releases and blogs are meant for public consumption, personal information and health records are extremely sensitive and need to be protected accordingly. Knowing the criticality of data and their risks helps us make informed decisions on how best to protect our data.

To appropriately protect data, we need to identify how sensitive the data are and the risk to the University and its people if the data are lost, stolen or exposed. This is where data classification helps – it allows users to classify data into separate categories. These categories indicate the value and sensitivity of the data and determine the level of protection needed for the data. This is akin to putting a “Fragile, handle with care!” label on a box of valuable crystal.

We want to provide the right level of protection to our data. While under-protecting data puts them at risk, overprotecting data wastes valuable resources that could be better utilized elsewhere. Just like we wouldn’t put a “Fragile, handle with care!” label on a box of pillows, it doesn’t make sense to apply the same level of protection to less sensitive data as that applied to highly sensitive data such as personal information.

To help protect University data, the University of Toronto (U of T) has released a data classification schema, endorsed by the Information Security Council. This data classification schema applies to everyone at U of T who produces, defines or uses University data, along with those who govern the access, use, storage and deletion of University data.

Hear more about the data classification schema from U of T staff

“Data classification is essential for effective data governance, privacy, risk management, security program development and operations. Protecting our data is a shared responsibility. We want to educate the community about U of T’s data classification schema and how it can be applied to make risk-based decisions about protecting data.” – Kalyani Khati, Associate Director, Information Security Strategic Initiatives.

“A long-term objective of the Institutional Data Governance Program is to create a culture in which everyone who collects, manages or uses institutional data follows good data governance principles and practices. The U of T data classification schema is an effective tool that helps us better understand our data so we can meet this objective.” – Jeffrey Waldman, Manager, Institutional Research and Data Governance.

Understanding U of T’s data classification schema

Level 1

This category is for data that the University has designated as being generally accessible to the public. Examples include:

  • Data from the U of T Directory
  • Press releases
  • News articles

Level 2

This is the default category. It includes data that the University has chosen not to make public but that has also not been designated in another level. Examples include:

  • U of T Advanced Directory for faculty and staff
  • Most unpublished research
  • Most course materials

Level 3

This category is for non-public data that contains personal information (as defined by the Freedom of Information and Protection of Privacy Act [FIPPA]) for which appropriate permission to disclose has not been received, and other data that the University has designated as being level 3. Examples include:

  • Student information and records
  • Employee records
  • Video surveillance security footage

Level 4

This category is for non-public data that is highly sensitive such that its disclosure poses substantially greater risk of harm to the University and to the data subject than level 3 data. Examples include:

  • Personal health records as defined by the Personal Health Information Protection Act (PHIPA)
  • Customer payment card information when the University is in a merchant capacity

Find out more about data classification at

This article is part of a series for Cyber Security Awareness Month (CSAM). To learn more about how to stay safe online, visit the CSAM resources page.