Within the research data management remit that the ADMIRe project will cover, my particular interest is research data security. One aspect of data security that has been growing in significance in recent years has been data classification. Without some sort of classification schema, it is difficult to define data security without an “all-or-nothing” approach. A classification schema allows security guidance or security policy for researchers to be more granular and directed at those who need it most – those holding the most sensitive data such as personal data (as defined by the Data Protection Act), health information and financial data.
The draft data classification schema being worked on at Nottingham currently defines four categories: Public, Internal, Confidential and Highly Confidential.
Discussions with colleagues at other universities suggest that there has been limited appetite for defining and rolling out data classification schemas. Given the scale of change usually required and the potential impact on organisations, that’s hardly surprising. However, they are increasingly seen as a necessary step for moving institutions towards international standards for information security such as the ISO 27000 series.