Data Classification Standard

All Western University data stored, processed or transmitted on or through University resources, or where University business occurs, can be classified as confidential, sensitive or public, and must be protected accordingly using appropriate security measures consistent with the University’s Data Handling Standard.

To classify Western University data appropriately, specific provincial and federal legislation, such as the Personal Health Information Protection Act (PHIPA) and the Freedom of Information and Protection of Privacy Act (FIPPA), is considered. It is also important to consider the impact on the reputation of the University or the individual concerned if there is an unauthorized alteration, disclosure or destruction of the data.

Please find below the various categories of data.

Confidential Data

What is Confidential Data?

Confidential Data refers to information that is protected by provincial or federal regulations (e.g., FIPPA, PHIPA, PIPEDA), University policies, or contractual agreements. This data must be safeguarded against unauthorized access, modification, distribution, or use due to its sensitive nature and potential for harm if compromised.

 

Why It Matters

If Confidential Data is exposed or misused, it can lead to:

  • Legal consequences under privacy laws
  • Reputational damage to individuals or the University
  • Operational disruptions, such as halted research or compromised infrastructure
  • Financial loss, including fines or ransom payments

 

Where to Store Confidential Data

Confidential Data must not reside on general-purpose computers or unsecured systems. It requires:

  • Advanced security controls (e.g., encryption, access restrictions, Endpoint Detection and Response (EDR) software)
  • Strict access management (e.g., role-based permissions, audit trails, Multi-Factor Authentication)
  • Monitoring tools like DLP (Data Loss Prevention) systems to track data at rest, in use, and in motion

Review Western’s published Data Handling Standards for more guidance on storing Confidential Data.

 

Examples of Confidential Data

Here are some examples to illustrate what qualifies as Confidential Data. Note that these are just examples and not a complete or definitive list.

Health & Medical Records

  • Patient diagnoses, treatment plans, lab results
  • Mental health assessments
  • Insurance claims and billing details

 

Student Records

  • Grades, transcripts, disciplinary actions
  • Financial aid applications and tuition payments


Research Data

  • Grant applications and contracts
  • Pre-publication findings and patentable ideas
  • Sensitive datasets used in human subject research (e.g., TCPS, Tri-Agency Framework)

Employee Information

  • Employee Numbers
  • Performance evaluations

Infrastructure & Security Details

  • Network topology maps
  • Firewall configurations and access control lists
  • Security incident reports and threat assessments

Personally Identifiable Information (PII)

  • Government-issued IDs (e.g., driver’s license, passport, Social Insurance Number)
  • Credit card numbers and banking details
  • Login credentials and encryption keys

Sensitive Data

What Is Sensitive Data?

Sensitive Data is information that, if accessed or altered without authorization, could cause minor or short-term harm to individuals or the University. It is protected by ethical standards, privacy regulations, or internal policies, and is only accessible to members of the University community with a legitimate need.

Unlike Confidential Data, which requires the highest level of protection, Sensitive Data still demands strong safeguards but the consequences of compromise are typically less severe and more contained.

Information considered sensitive could potentially be reclassified as confidential if, when aggregated, it can reveal personally identifiable information.

 

Why It Matters

Even though the impact of a breach may be short-term, Sensitive Data can still:

  • Disrupt operations (e.g. delays in planning or budgeting)
  • Cause reputational damage (e.g. premature release of unapproved minutes)
  • Lead to privacy concerns (e.g. exposure of internal emails or usage logs)

 

Where to Store Sensitive Data

Sensitive Data may reside on University-managed systems with appropriate access controls. It should be:

  • Protected by role-based access
  • Stored in encrypted formats when feasible
  • Monitored for unauthorized access or changes

Review Western’s published Data Handling Standards for more guidance on storing Sensitive Data.

 

Examples of Sensitive Data

Here are some examples to help clarify what qualifies as Sensitive Data. Note that these are just examples and not a complete or definitive list.

Draft Planning Documents

  • Strategic plans, budget drafts, or policy proposals not yet approved

Internal Websites


  • Intranet pages with operational updates or internal-only resources

Meeting Minutes (Pre-Approval)


  • Notes from governance or committee meetings before formal sign-off

Research Award Notifications


  • Time-sensitive communications about grant approvals or funding decisions

Non-Identifiable Research Data


  • Data sets that do not contain personal identifiers and are not under confidentiality agreements

Email and Network Usage


  • Logs of employee or student email activity, bandwidth usage, or login patterns

Sensitive Accounting Information


  • Internal financial forecasts, departmental spending reports, or pending transactions

Internal Project Reports


  • Status updates, risk assessments, or performance metrics for ongoing initiatives

Department Budget Information

  • Allocations, expenditures, and projections not yet publicly disclosed

Public Data

What Is Public Data?

Public Data refers to information that is freely accessible to anyone, whether they are part of the University community or the general public. It is not subject to legal restrictions and does not require special permissions to view, use, or share. This data may include personal information that individuals have consented to share publicly, such as names in a staff directory.

 

Why It Matters

Although Public Data is low-risk, it still plays a vital role in:

  • Transparency (e.g. financial statements)
  • Community engagement (e.g. newsletters)
  • Operational efficiency (e.g. published maps or schedules)

If compromised, the impact is typically minimal or short-term, with little to no reputational damage.

 

Where It Can Be Stored

Public Data can be stored on:

  • General-purpose computers
  • Public websites

No encryption or access controls are required, but accuracy and integrity should still be maintained.

 

Examples of Public Data

Here are some examples to illustrate what qualifies as Public Data. Broadly speaking, this will include any information that is not covered by the definition of confidential or sensitive data.

Published Materials

  • Press releases
  • Newsletters
  • Event announcements

Directories and Listings


  • Faculty and staff contact information
  • Departmental office hours

Financial Transparency Documents


  • Annual financial statements
  • Budget summaries for public review

Campus Resources


  • Maps and building directories
  • Public transportation schedules

Approved Meeting Minutes


  • Once formally approved, minutes from governance or committee meetings


Research Outputs


  • Published papers and datasets that are not under confidentiality agreements
