Skip to main content
People Departments Maps Buildings Rooms A-Z
University
of Victoria
Apply Library
Sign in Online tools Sign out
Research Computing Services

Research information security classification

 We recommend that researchers classify the data they collect, store, use, and share during their research. This can help ensure compliance with university policies and relevant applicable regulations. It also helps ensure that appropriate security measures are in place to protect information and systems, reducing the risk of data breaches and misuse.

Considerations

  • Consider classifying information, or data, at every stage- when it's collected, used, shared, stored, or disposed.
  • The classification of the information may vary based on its stage in the life cycle.
  • The code/keys used to decode or de-identify data for the purposes of re-linkage should be classified at the same level as the original, uncoded data.
  • With different types of information, the most sensitive information should define the classification level for the whole. 
  • For larger amounts of information, use a higher classification level since more data means higher risk.

How to classify research information

  1.  Identify the type of information involved at all steps of the research process. (For example, personal information, health information, intellectual property etc.).
  2. Determine legal, ethical and privacy obligations by reviewing relevant laws, regulations, contracts, data sharing agreements, institutional policies that may apply to the information. (For example, GDPR, FIPPA, etc.)
  3.  Assess the risk posed by the amount of information by estimating the number of records.
  4. Consider the potential impacts in the event of data breach.
  5. Use the information gathered in the above steps to choose a classification label as per UVic's Information Security Policy, IM7800. These research examples may help you choose the appropriate label.
  6. Document the classification label. You can also use this to select the appropriate information security controls.

Information classification levels

 Here are some examples of research information in the classification levels defined in UVic's Information Security Policy, IM7800.

Description

Unauthorized access, disclosure, modification, unavailability, or destruction of research information is unlikely to harm research participants, the researcher, University, and/or its affiliates.

Examples

  • Published research presentations or papers.
  • Publicly available data or datasets.
  • Published research data not subject to embargo or beyond embargo period.
  • Identifiable information which the research subject explicitly consented to make public.
  • Published open-source software source code.

Description

Unauthorized access, disclosure, modification, unavailability, or destruction of research information could possibly harm research participants, the researcher, University, and/or its affiliates.

Examples

  • Unpublished research manuscripts.
  • Information associated with intellectual property unless requirement of higher classification.
  • Published research information under embargo.
  • Deidentified information that has low risk of being identified, anonymized information.
  • Anonymous information where no identifiers were collected.
  • Information from instruments and imaging systems, sensors, detectors, recorders that do not contain identifiable or re-identifiable information.
  • Research information that does not require additional security controls by partners, funding agencies, Research Ethics Board (REB), or any contracts, agreements, legislation or regulations.

Description

Unauthorized access, disclosure, modification, unavailability, or destruction of research information could moderately harm research participants, the researcher, University, and/or its affiliates. This information is subject to regulatory obligations.

Examples

  • Directly identifiable information excluding sensitive information. (Video/audio recordings of interviews and focus group(s), name, addresses, etc.)
  • De-identified information that can be re-identified including re-identifiable human genetic data.
  • Administrative records or information used whose original classification was Confidential (Student Information, Employee Information, Alumni Information, business information, or other FIPPA-covered data).
  • Personal data from the EU not classified as “extra sensitive” under General Data Protection Regulation (GDPR)
  • Research information requiring strong security controls by partners, funding agencies, Research Ethics Board (REB), or any contracts, agreements, legislation or regulations, without notification to research subjects in the event of breach.

Description

Unauthorized access, disclosure, modification, unavailability, or destruction of research information could critically harm research participants, the researcher, University, and/or its affiliates. This information is subject to strict regulatory obligations.

Examples

  • Personal/Protected Health Information (even de-identified health datasets)
  • Sensitive identifiable personal information (ethnicity, criminal history, etc.)
  • Biometric data
  • Identifiable human genetic data
  • Biospecimens, biological agent and toxin biosecurity, including security sensitive biological agents (SSBA).
  • Data containing information involving at-risk participants or culturally sensitive groups.
  • Data subject to export controls or the Controlled Goods Program
  • Confirmed dual-use (military, intelligence applications)
  • National security/strategic implications.
  • Personal information classified as “extra sensitive” or similar under General Data Protection Regulation (GDPR) or equivalent privacy legislation.
  • Research information requiring strong security controls by partners, funding agencies, Research Ethics Board (REB), or any contracts, agreements, legislation, or regulations, with notification to research subjects in the event of breach.