Data Classification Scheme - Memorial University of Newfoundland

POLICY STATEMENT
DATA CLASSIFICATION POLICY
Purpose:
This Data Classification Policy provides a framework for classifying administrative data according to their
level of sensitivity and defining the roles and responsibilities for safeguarding the privacy, security,
availability, and integrity of the data.
Scope:
This policy applies to all data contained in Memorial University’s Administrative Information Systems, and
to all organizational units and users of that data.
Excluded from this policy are the data gathered, stored, processed and transmitted on Memorial systems
for research purposes, for the University Library's collections, and teaching and learning materials stored
on University systems (e.g. faculty computers, the University Learning Management System, etc.). Also
excluded are personal data stored on University systems.
Definitions:
DATA
Administrative Data
Data in any form or media which are related to the administration of Memorial
University and its community including but not limited to personal, health,
employment, student, donor, vendor, funding, competitive and financial
information.
Data Availability
Timely and reliable access to data and information systems for authorized users.
Data Confidentiality
Assurance that information is not disclosed to unauthorized parties.
Data Integrity
Authenticity and reliability of the data and the assurance of this by protection
against unauthorized modification or destruction of data.
Data Sensitivity
Level of protective measures needed to safeguard the availability, confidentiality,
value and integrity of the data.
DATA MANAGEMENT
Data Owner
Memorial University, which has primary executive authority and decision-making
responsibility for data.
Data Steward
An individual or organizational unit that manages the content and use of a subset
of Memorial Administrative data and who has been formally delegated the
responsibility of stewardship.
Data Custodian
An individual or organizational unit that provides technological services for
Memorial Administrative data and applies the rules, policies and safeguards
required by the Data Steward.
Data User
An individual or organizational unit with authorized access to use University
administrative systems and data.
Organizational Unit
Any division, department, office, program or other collective entity of the
University.
Version 2013-10-16
RELATED POLICIES/STANDARDS
ATIPPA
Access to Information and Protection of Privacy Act (ATIPPA), the provincial
statute of Newfoundland and Labrador which requires all provincial public sector
organizations to prevent the unauthorized collection, use or disclosure of
personal information by these organizations.
PCI DSS
Payment Card Industry Data Security Standards (PCI DSS), the standards used
by the credit card industry to protect cardholder data.
PHIA
Personal Health Information Act (PHIA) is the provincial privacy law specific to
the health sector which establishes the rules for collection, use, and disclosure of
confidential individual health information.
PIPEDA
Personal Information Protection and Electronic Documents Act (PIPEDA) is the
federal law that governs how private and public sector organizations may collect,
use or disclose personal information for business outside the province.
Policy:
All Memorial University administrative data must be protected and managed according to the minimum
standards set out by the policy and in accordance with related security, privacy, data access, records
retention policy and standards.

To determine how to manage administrative information assets, data must be assigned to one of
the four data classes defined in the Data Classification Scheme (see table below).

Data Stewards must identify and classify the data that are used by their business operations and
processes.

Aggregates of data of mixed classification (e.g., reports, data files) must be classed at the highest
level of protection applicable to the information contained within.

Data which have not been classified should be considered Sensitive until a different class is
determined.
This policy is informed by the following legal statutes and standards:
Access to Information and Protection of Privacy Act (ATIPPA) of Newfoundland and Labrador
Personal Health Information Act (PHIA)
Personal Information Protection and Electronic Documents Act (PIPEDA)
Payment Card Industry Data Security Standard (PCI DSS)
Data Classification Scheme
Highly Sensitive
Memorial University administrative data which are
governed specifically by law, contract or University policy to
be treated as highly confidential, protected at the highest
level of security and accessed by a very small subset of
explicitly authorized users.
Loss or unauthorized disclosure will have a serious adverse
impact on the operation, reputation, safety, or financial
stability of the University or individuals.
Examples:
- Data sealed by court order
- Data governed by contracts or non-disclosure agreements
- Personal information governed by ATIPPA, PHIA, PIPEDA, PCI DSS
  o Name/Birthdate/Social Insurance Number
  o Name/Social Insurance Number
  o Name/Credit Card Number
  o Name/Bank Account Number
  o Name/Driver's License Number
  o Name/Medical Insurance Number
- System Passwords and private encryption keys that permit
  access to Highly-Sensitive Data

Sensitive
University administrative data which must be treated as
confidential and protected for legal, ethical, proprietary or
privacy reasons to ensure a controlled release to authorized
users with a legitimate business need.
Loss or unauthorized disclosure may have a moderate or
short-term adverse impact on the operation, reputation,
safety or financial stability of the University or individuals.
Examples:
- Personnel and payroll information
- Personal medical information
- Personal financial data and tax information
- Prospect, admissions and student data
- Donor and funding agency data
- Security logs and file encryption keys
- Financial and billing statements
- Library transactions
- Health and safety data
- Facilities management information
- System Passwords and private encryption keys that permit
  access to sensitive data

Internal Use
Data to be treated as moderately sensitive and protected
for business reasons against loss and unauthorized
disclosure even where no policy or legal requirement exists.
These data are generally not available to external parties.
Loss or unauthorized disclosure would be an inconvenience,
having little or no permanent adverse effect on the
operation, reputation, safety, or financial stability of the
University or individuals.
Examples:
- Internal directory listings
- Non-confidential meeting minutes
- Competitive information, e.g., admission averages, graduation
  rates, scholarship winner rates
- Internal websites
- Internal file directories
- Memorial University partner or sponsor information where no
  more restrictive confidentiality agreement exists

Public Use
Publicly posted information with no legal restrictions on
access, and no protection required for access, availability,
integrity or confidentiality. Available to the general public.
Disclosure will have little to no adverse effect on the
operations, reputation, safety, or financial stability of the
University or individuals.
Examples:
- Marketing material
- Press releases, newsletters, newspapers, and magazines
- Annual reports
- Course catalog and class schedule
- MUN website, maps and public directories
- Department web pages
Data Management Roles and Responsibilities
Data Owner – The University
Role: Govern Memorial University administrative data.
Responsibilities: Hold ultimate executive responsibility for the data. Determine
appropriate use of the data. Establish policy and procedures to ensure good data
management across the University. Appoint and oversee data stewards and
custodians. Authorize access to highly-sensitive data.
Data Steward – Organizational Units
Role: Manage Memorial administrative data.
Responsibilities: Ensure good data management across the University.
Interpret and confirm compliance with legal and University policy requirements.
Classify a subset of data, determine risk tolerance to threats, specify controls
required to secure data, and communicate needs to owners, custodians and
users. Develop and implement data quality and data definition standards. Verify
that controls exist to ensure the accuracy, authenticity and integrity of the data,
and confirm compliance with controls. Educate users on appropriate use and
protection of data. Delegate responsibility for responsibility to trained University
administrators. Authorize access to sensitive and internal data.
Data Custodian –
Role: Safeguard Memorial administrative data.
Responsibilities: Implement and maintain the technologies, infrastructure and
controls that support the care of and access to administrative data.
Data User -
Role: Access Memorial administrative data.
Responsibilities: Comply with rules, procedures and controls. Make every
reasonable effort to protect data from threats of tampering, loss and
unauthorized disclosure. Define data requirements for business needs.
Related Policies
Appropriate Use of Computing Resources
Data Removal
Electronic Data Security (EDS)
Information Request
Privacy
Records Management
Procedures
To be determined with each C&C Unit, e.g.
Requesting Data Access
Protecting Sensitive Data
Version History
SLT Approval Date: 16 Oct 2013
Effective Date: 16 Oct 2013
Review Date: 31 Mar 2014
Authority: Director of Computing & Communications
Sponsor: Senior Leadership Team
Contact: Director of Computing & Communications, (709) 864-4554