Data classification

On this page: BIV classificatie, CIA triad, data classification, information security, IT system
Date of last review: 2023-04-18

In order to determine which IT solutions are suitable for processing personal data (e.g., storage or analysis platforms), a classification of your data is needed. That data classification can then be paired to the classification given to IT solutions. Institutes will determine for which data classification certain IT solutions are suitable. For example, at Utrecht University (UU), the classification levels are: low, basic, sensitive or critical. If your data are classified as “critical”, you are not allowed to use an IT solution that is only suitable for “sensitive” data.

To classify data, you determine how important it is to keep the data Confidential, correct (Integrity), and Available. Below you can find some guidance on determining the risk level for each of these. Note that this guidance is based on the UU data classification, but your institute may adhere to a different form of the classification.

Data classification can be done for all types of data, not only personal data. Personal data would simply score “higher” on the Confidentiality aspect.

Classification levels

Confidentiality

How confidential are the data?

  • Low:
    • Anonymous data, or data that are already publicly available, from less than 50 people.
    • Direct colleagues.
    • No third parties and software involved.
    • No reputation loss when data are lost.
  • Basic:
    • Non-public basic personal data such as name, (email)address, etc.
    • Personal data obtained directly from data subjects.
    • Personal data from a moderate number of data subjects (> 50 - 200).
    • Sensitive personal data from a small number of individuals.
    • Third parties are involved but they are located inside the EEA.
  • Sensitive:
    • A data leak would lead to reputation damage to you and the university.
    • You are bound to patents or contractual agreements.
    • Sensitive personal data from a moderate number of data subjects (e.g., personality data, financial data).
    • Non-sensitive personal data from a large number of data subjects (> 10.000).
    • Personal data enriched with external resources.
    • Far-reaching process automation.
    • Non-targeted monitoring.
    • Relatively new technology.
  • Critical:
    • Any project that carries high risks for data subjects or others:
      • Highly sensitive personal data (e.g., biometric identification data, genetic data).
      • Personal data from a very large number of data subjects (> 50,000).
      • Vulnerable subjects (e.g., minors, disabled, undocumented, persecuted groups).
      • Processing happens (partly) outside of the EEA without an adequacy decision.
    • Life-threatening research.
    • There are far-reaching contractual obligations.
    • A data leak would lead to exclusion from future grants.
Integrity

How important is it that the data are correct and can only be modified by authorised individuals?

  • Low: Incorrect data would be an inconvenience and/or require some rework.
  • Basic: Incorrect data would invalidate research and/or require significant rework.
  • Sensitive: Incorrect data would invalidate multiple research projects, could cause reputational damage to you and the university, or lead to significant contractual violations.
  • Critical: Incorrect data could have far-reaching contractual obligations, exclusion from future grants or life-threatening research.
Availability

How important is it that the data are available? When would it be a problem; if the data are not available for an hour, a day, a week…?

  • Low: Losing (access to) the data would be inconvenient and/or lead to rework.
  • Basic: Losing (access to) the data would invalidate research and/or require significant rework. Not having access to the data would cause significant delays and could incur costs up to 250.000 EUR.
  • Sensitive: Losing (access to) the data would terminate or hugely delay multiple research projects, could cause significant reputational damage to you and the university, lead to significant contractual violations or individuals not being able to access their sensitive personal data.
  • Critical: Inaccessible data could have far-reaching contractual obligations, cause damages in excess of 1.500.000 EUR, including exclusion from future grants or losing/not being able to access potentially life-threatening data.

Please note that a classification may be lower or higher than indicated in the examples, depending on your specific context. Please contact your privacy officer to help you classify your data. You can also contact Information Security for questions about data classification and security measures.