Office of the CIO

Queen's University
Search Type
Office of the CIO and Associate Vice-Principal (Information Technology Services)
Office of the CIO and Associate Vice-Principal (Information Technology Services)

Data Classification Scheme

Data classification is one of the building blocks for information security at Queen’s University. Data owners and custodians need to classify data within their domain of responsibility to ensure the level of information protection and privacy is commensurate with the sensitivity and value of that data. The purpose of this document is to establish a data classification framework to guide members of the Queen’s community in using and managing data in the scope of information technology-related activities. Compliance with University policy and federal and provincial legislation, such as FIPPA and PHIPA, is an additional goal for a University data classification scheme.

Data Classification Categories

Sensitivity Labels




  • Any information given or used in confidence that may be disclosed only to authorized individuals on a need-to-know basis.

  • Information that is consolidated for regulatory purposes, used as part of legal proceedings, or used for education purposes.

  • Agreements related to business operations such as employee agreements, student applications, and contracts.

Confidential information requires high level of protection with varying degrees of access control.

  • Research data and intellectual property

  • Patent applications, trademarks and trade secrets

  • Drafts of strategic plans, annual reports and financial statements

  • Contracts and other legal documents and material

  • Internal audit reports and working papers and files

  • Actuarial information for benefits

  • Payroll information and data

  • Certain management information

  • Some security response plans

  • Network diagrams, IP addresses and data about sensitive network segments and systems

  • Proprietary software source code

  • Locations of hazardous material storage and animal care facilities


  • Any information that can identify an individual, such as name, gender, date of birth, Social Insurance Number, OHIP number, student number, home address, medical information.

  • Other information considered and protected as personal under FIPPA and PHIPA.

  • Employee information such as performance reviews and resumes.

Personal information is a specific type of confidential information and should only be shared and used on a need-to-know basis. It requires high levesl of protection with varying degrees of access control.


Note: Some information will be classified only as confidential. If, however, information is classified as personal, i t is also considered confidential under this data classification scheme.

  • Name, gender, date of birth, Social Insurance Number, student number, employee number, home address and phone number, medical information

  • Employment records including performance evaluations, appointment letters, and disciplinary documents

  • Applications for employment, resumes

  • Credit card numbers, statements and billings

  • Employee benefits information such as policy information

  • Tax information such as T4 and T5

  • Information about current students, including grades and transcripts

  • Information about prospective students or students applying for admission

  • Donor or donor prospect information

Operationally Sensitive

Information that is used in the day-to-day operations of the University or a department will have a defined level of “sensitivity”, ranging from sensitive to very sensitive. The level of sensitivity depends on the degree to which Queen’s could be affected, as determined by its “value” and “criticality”.

The security level required will be commensurate with level of risk and is intended for internal use only.

  • Administration procedures

  • Draft marketing information

  • Vendor or service provider contracts

  • Internal communications regarding projects etc.

  • Departmental policies and procedures

  • Floor plans, access codes, etc.

  • Employee lists

  • Teaching material

  • Planning documents


Information that Queen’s has published for general or public consumption, or publicly known information that Queen’s has received from other organizations.


Basic security is needed to ensure the integrity of University information.


  • Queen’s and departmental websites

  • Brochures, campus maps, etc.

  • Published marketing information

  • Course descriptions

  • Published annual reports, strategic plans and financial statements

  • Queen’s policies

  • Rates and fees

  • Certain contact information (telephone, email, etc.)