Data Classification

Within the research data management remit that the ADMIRe project will cover, my particular interest is research data security. One aspect of data security that has been growing in significance in recent years is data classification. Without some sort of classification schema, it is difficult to define data security other than through an “all-or-nothing” approach. A classification schema allows security guidance or security policy for researchers to be more granular and directed at those who need it most – those holding the most sensitive data such as personal data (as defined by the Data Protection Act), health information and financial data.

The draft data classification schema being worked on at Nottingham currently defines four categories: Public, Internal, Confidential and Highly Confidential.

Discussions with colleagues at other universities suggest that there has been limited appetite for defining and rolling out data classification schemas. Given the scale of change usually required and the potential impact on organisations, that’s hardly surprising. However, such schemas are increasingly seen as a necessary step for moving institutions towards international standards for information security such as the ISO 27000 series.

2 thoughts on “Data Classification”

  1. Jez Cope

    Hi Paul, thanks for sharing this. Understanding what users mean when they say “secure”, and doing so in a consistent and sustainable way, is something that we’ve been thinking about too. It would be useful to hear more about your criteria for each classification and how you explain them to users to help them make the best decision when classifying their data.

  2. Paul Kennedy Post author

    Hi Jez,

    Thanks for your comments. As noted in the post, the classification schema is a work in progress. However, we’re happy to share with you the broad descriptions for each classification. The intention is to provide a large selection of worked examples for each classification for different types of data from across the organisation. Of course, it’s possible for some data types to fit into all the classifications depending on the context. For example, “financial data” could be Public if it’s a financial summary in an annual report, Internal if it’s a purchase order for pencils, Confidential if it’s a school budget prediction and Highly Confidential if it’s a list of employee bank account details. Therefore, the context as well as the type is important.
