What is Data Classification?

Do you know the sensitivity level of data which you can access in UM? Are you paying extra attention and take necessary security measures while handling sensitive data? Data classification is the tool for you to assess the sensitivity of data and help you effectively answer the above questions.

Why do You Need to Classify Data in UM?

Disclosure of sensitive data may cause damage to the reputation of the University or may have certain legal implications. To manage the risk of losing valuable data assets and to help you understand the sensitivity of data, ICTO is going to develop a data classification framework according to the risk or impact if such data is inadvertently exposed. Data classification provides guidance on the different levels of data sensitivity and help you focus on protecting sensitive data.

What Data in UM are to be Classified?

All the electronic data in ICTO data center, excluding individually owned data.

Who are Responsible for Data Classification?

Proposed Data Classification Levels

ICTO proposes four levels of data classification to indicate the degree of sensitivity. These levels are listed from the most sensitive to the least sensitive:

LevelClassificationDescriptionExamples
1Restricted· Highly-sensitive information

·Access is restricted to a small number of named individuals, roles, positions and authorized third parties

· Certificate of criminal record

· Medical certificate or sick leave certificate

· Unpublished research data

2Confidential· Sensitive information

· Intended for use by a specific group, organizational unit, named individuals, roles, positions within the University and authorized third parties

· Student personal information (e.g. ID card No., bank information, address)

· Biometric data

3Internal· Non-sensitive information that is not released to public

· Intended for use within the University and authorized third parties

· UM staff phone book

· Internal web pages, policies, user guides

4Public· Information has been approved for public access

· Intended for public disclosure

· Job vacancy

· Academic calendars

· News and events

· Data provided by Open Data API Platform

Data Classification Levels and Confidential Information

There are Guidelines for Handling Confidential Information for handling confidential information according to the obligations on confidentiality for the data/information accessible/obtained from the University IT systems. So, what’s the relation between information labelled by the four data classification levels introduced in this article and the confidential information mentioned in the guidelines? Please find the following mapping for the answer.

LevelClassificationIs the confidential information mentioned in guidelines?
1RestrictedYes
2ConfidentialYes
3InternalNo
4PublicNo

Therefore, Guidelines for Handling Confidential Information are applicable for information classified as level 1 (Restricted) or 2 (Confidential).

What’s Our Next Step

Data classification is our first step in data protection. ICTO needs your support in classifying data. We will introduce how to determine the data classification level in future issues of ICTO Newsletter.

* Reference information

  1. Guidelines for Handling Confidential Information, UM
  2. Office for Personal Data Protection, Macao
  3. Personal Data Protection Act, Macao
  4. Privacy Policy, UM
  5. What you need to know about EU General Data Protection Regulation?
  6. Data Privacy in an Era of Compliance
  7. Other Information Security Tips