Data Classification and Handling Standard

All Western University data stored, processed or transmitted on or through University resources, or where University business occurs, must be treated as confidential, sensitive or public, and protected accordingly using appropriate security measures consistent with the University’s Data Handling Standard.

What is data?
Any information recorded in any format such as logs, files or records, emails, documents, research, etc.

How do I classify data?

Public data is any data that is readily available to any member of the University or general public. There is no legal restriction to the access and use of such data. Unauthorized disclosure poses little or no risk to the University or concerned individual. It may include personal information collected with consent from individuals or any data that has been publicly published through official channels. Other examples of such data include but are not limited to press releases, newsletters, maps, the faculty and staff directory, and financial statements.

Confidential data is any data about an individual or the University which cannot be shared publicly or accessed by just any individual. Exposure or any compromise of such data without approval or authorization can lead to a significant loss or negative impact on the reputation of the concerned individual or University.

The questions below will help in distinguishing between confidential data and sensitive data. If the answer to any of the listed questions is Yes, then the data should be classified as confidential data.
  • Does it contain banking information, personal health information, students’ grades, and other information of similar nature?
  • Does it contain any information classified as confidential based on University policy?
  • Will the impact to the University or concerned individual be high if there is an unauthorized modification, alteration or exposure of the data?
  • Does it contain information relating to critical infrastructure such as network infrastructure design?

Sensitive data is any data that does not fall into the confidential data or public data category. Unauthorized exposure or compromise of such data has minimal impact on the University or concerned individual.

How do I protect Western data?

Western data, whether in paper or electronic format, should be handled carefully. See below for ways of handling each data category.

Confidential Data

Paper

  • File cabinets housing confidential data must always be locked and kept in a secure location.
  • Access records must be maintained to track usage.
  • Whenever the data is in use, it must not be left unsupervised.
  • If data is sent by post, registered mail must be used for the purpose and the internal/inner envelope must have “confidential” written on it while the external/outer envelope should just carry the address.

Electronic

  • Data must not be stored on a personal device; rather, a dedicated computer system can be provided for the purpose.
  • Additional security measures listed below must be put in place to safeguard the computer system storing the confidential data.
    • Data stored must be encrypted or password-protected.
    • Two-factor authentication (2FA) is required for the computer system storing the confidential data.
    • Access to the computer system storing the confidential data must be restricted. 
  • Data can be stored on Western University's OneDrive.
  • Read/write access must be reviewed and audited regularly.
  • Access to the data should be revoked when it is no longer needed.
  • Data must be transmitted using an encrypted communication channel (HTTPS).
  • Data must not be sent with external e-mail accounts such as Yahoo, Gmail, etc.

After Western data is no longer needed, it is expected to be archived (See MAPP 1.30 – University Records and Archives Policy) or destroyed (See Disposal Guidelines and Best Practices). 

Sensitive Data

Paper

  • Data should not be kept or placed where other unauthorized users can have access to it.
  • File cabinets housing sensitive data must always be locked and kept in a secure place.
  • If data is being sent by post, the internal/inner envelope should have “sensitive” written on it while the external/outer envelope should just carry the address.

Electronic

  • Data can be encrypted or password protected.
  • If portable drives are used to store the data, they should be stored in file cabinets, which must always be locked.
  • Data should not be placed where unauthorized users can have access to it.
  • Data may be stored on personal devices that have additional security measures such as two-factor authentication (2FA) put in place to safeguard the device storing the sensitive data. 
  • Data can be stored on Western University's OneDrive.
  • Data must be transmitted using an encrypted communication channel (HTTPS). 
  • If data is to be sent through e-mail, it may be encrypted or password-protected.
  • Data should not be sent with external e-mail accounts such as Yahoo, Gmail, etc.

After Western data is no longer needed, it is expected to be archived (See MAPP 1.30 – University Records and Archives Policy) or destroyed (See Disposal Guidelines and Best Practices). 

Public Data

No restriction on how data is used, stored and shared.

After Western data is no longer needed, it is expected to be archived (See MAPP 1.30 – University Records and Archives Policy) or destroyed (See Disposal Guidelines and Best Practices). 
