Data Classification Policy
Definitions
- Data: A set of facts in raw or unorganized form, such as numbers, letters, images, videos, audio recordings, or emojis.
- Personal Data: Any data that can identify an individual directly or indirectly, such as name, ID numbers, addresses, contact details, and photos.
- Sensitive Data: Data that, if lost, misused, or accessed unlawfully, may cause severe damage to national interests or personal privacy.
- Authentication: The process of verifying the identity of a user, operation, or device to permit access to resources.
- Data Availability: Ensuring reliable and timely access to data when needed.
- Data Confidentiality: Maintaining authorized restrictions on access and disclosure.
- Data Integrity: Protecting data from unauthorized modification or destruction.
- Data Access: Logical and physical access to data and technical resources for use.
- Data Access Level: Permissions that limit data access based on responsibilities.
- Data Disclosure: Allowing any person to obtain, use, or view personal data by any means.
Objective
This policy aims to classify data based on its sensitivity level to determine handling methods and ensure confidentiality, integrity, and availability. It is issued by the National Data Management Office.
Scope
This policy applies to all forms of data managed by the university, including paper records, digital data, emails, recordings, and photographs.
Classification Principles
- Default Availability: Data is considered available unless its sensitivity requires otherwise.
- Necessity and Proportionality: Classification depends on the data's nature, sensitivity, and impact.
- Timely Classification: Data must be classified upon creation or receipt.
- Highest Level of Protection: Applied when data sets contain mixed classifications.
- Segregation of Duties: Tasks and responsibilities are separated to avoid conflict.
- Need to Know: Access is restricted to only those who need the information.
- Minimum Privileges: Access rights are limited to the least necessary to perform duties.