Data Classification Standard

All Western University data stored, processed or transmitted on or through the University resources or where University business occurs can be classified as either confidential, sensitive or public, and must be protected accordingly using appropriate security measures consistent with the University’s Data Handling Standard.

To classify Western University data appropriately, specific provincial/federal legislations such Personal Health Information Protection Act (PHIPA), and Freedom of Information and Protection of Privacy Act (FIPPA) are considered. It is also important to consider the impact to the reputation of the University or individual concerned, if there is an unauthorized alteration, disclosure or destruction of the data.

Please find below the various categories of data.

Confidential Data

Data is strictly protected by the provincial or federal regulations (FIPPA, PHIPA, PIPEDA), University policy, or contractual agreement and must be protected from unauthorized access, modification, distribution and use. It should not reside on general purpose computers as it requires highest level of security controls and access management. If this data is compromised, it can cause significant or lasting impact to the reputation of an individual or University. This may include but not limited to

  • Patient Medical/Health Information Record
  • Student Records including grades and financial information
  • Research information (Granting Agency Agreements, Contracts, Applications, TCPS, Tri-Agency Framework)
  • Employee information
  • Critical infrastructure details such as network topology, security apparatus etc
  • Any other Personally Identifiable Information (PII) as described in the above regulations

Sensitive Data

Data is protected by proprietary, ethical or privacy regulations and must be protected from unauthorized access, modification, distribution and use. Data is available for use by members of the University community who have legitimate access to the data. If this data is compromised, it can cause a minor, short-term impact to the individual or University. This includes but not limited to

  • Draft planning documents
  • Internal internet websites
  • Official meeting minutes before approval
  • Research awards notifications (time sensitive)
  • Research data that is NOT identifiable or protected under a Confidentiality Agreement
  • Employee / student email messages and network usage information
  • Sensitive accounting information
  • Internal project reports
  • Department budget information

Information considered as sensitive could potentially become classified as confidential if when aggregated, can reveal personally identifiable information.

Public Data

Data is readily available to any member of the University community or general public. There is no legal restriction to access and use. It may include personal information collected with consent from individuals. Little or no impact to the reputation of individual or University, if data is compromised. This includes but not limited to

  • Any data that has been publicly published through official channels such as press release, newsletter, maps, faculty and staff directory, financial statements.
  • Any information that does not comply with confidential or sensitive classification standard.

Published on  and maintained in Cascade.