԰ Data Classification System

The ԰ Information Security Classification Standard establishes a framework for classifying all data and information assets into four security classification levels based on sensitivity:

  • Level 1: Public
    Data and information in the public domain, the disclosure or loss of which would result in no risk of harm, financial loss or reputational damage. This includes personal information that is publicly available, public communications, or published website content, reports or research data.
  • Level 2: Protected
    Data and information not approved for general publication, the disclosure or loss of which could result in inconvenience or a low risk of harm, financial loss or reputational damage. This includes personal information that is not publicly available but would still not result in an unreasonable invasion of personal privacy, any de-identified or anonymized non-personal business or research data which cannot be used to re-identify individuals, and internal records, communications or business assets that do not contain confidential or restricted information. 
  • Level 3: Confidential 
    Data and information that is confidential and available only to authorized individuals, the disclosure or loss of which could seriously impede operations, result in an unreasonable invasion of personal privacy or result in moderate risk of harm, financial loss or reputational damage. This includes personal information that is confidential or sensitive and would result in an unreasonable invasion of personal privacy, confidential or privileged business records, material protected by intellectual property rights or subject to contractual requirements, or passwords, login credentials or other authentication verifiers.
  • Level 4: Restricted
    Data and information that is highly confidential and available only to authorized individuals, the disclosure or loss of which could significantly impede operations, require mandatory reporting, and result in an unreasonable invasion of personal privacy and a real risk of significant harm, financial loss or reputational damage. This includes highly sensitive personal information, such as biometric, financial, health or demographic information, or information subject to special contractual, regulatory or government requirements.

This standard applies to all ԰ business, scholarly and health information assets and establishes the security controls under which all information assets may be handled, stored, accessed, and protected in accordance with the applicable security classification level.

The ԰ Information Asset Management Policy establishes the overall framework for information and records management at ԰ and the roles and responsibilities of information stewards who are required to assign a security classification to business, scholarly and health information assets that fall within their respective areas of responsibility.

Business Information Assets are institutional records relating to ԰'s administrative functions, including its services, operations, finances, transactions, facilities and students. ԰ senior leadership team members are designated “information stewards” for these records and are responsible for assigning data security classification levels to all information assets in their area of responsibility and implementing appropriate security controls.

Scholarly Information Assets are records that relate to teaching, scholarly, research or clinical activities. ԰ academic staff members, appointees or postdoctoral scholars are designated “information stewards” for records that are created by them or under their direction.

Health Information Assets are records that relate to the delivery of health services on campus within the custody or control of a custodian under the Alberta Health Information Act. Each custodian is a designated “information steward” for records that are created by them or under their direction, and ԰ may be responsible for managing those records as an information manager under the Health Information Management Policy.

Information stewards are responsible for assigning an information security classification level in consultation with the Access and Privacy Office. Refer to the Information Security Classification Standard for specific examples of data elements and how they should be classified. For guidance, please contact UService, which will direct inquiries to the appropriate subject matter experts, including ԰ IT or the Access and Privacy Office, or contact the Access and Privacy Office directly at accessandprivacy@ucalgary.ca.

The Information Security Classification Standard Appendix A establishes the security controls and required administrative, technical and physical safeguards for the protection of information assets based on the assigned security classification level. It also outlines requirements for the acceptable use of automated systems (including artificial intelligence systems) where personal information is input to generate content or make decisions, recommendations or predictions. 

These access and security requirements are consistent with ԰’s Acceptable Use of Electronic Resources and Information Policy and . ԰ will engage in proactive monitoring of managed information systems and will update these requirements from time to time consistent with prevailing industry standards. Software applications being used to process or store information assets must be reviewed by ԰ IT following the ԰  and, where information assets are stored on a server managed by a third party, the software vendor must enter into a written agreement with ԰ containing approved conditions relating to security and confidentiality.

As of June 11, 2026, ԰ was required to update the Information Security Classification Standard to comply with the newly introduced Protection of Privacy Act (POPA). Changes were made to specifically classify personal information, data derived from personal information and non-personal data, establish when a Privacy Impact Assessment (PIA) is required, and establish requirements for the responsible use of emerging technologies, including automated systems and artificial intelligence (AI) tools. 

These changes reflect ԰’s ongoing commitment to the protection of information assets and compliance with applicable legislative requirements. These updates form part of ԰’s broader Privacy Management Program (PMP), an institution-wide framework designed to ensure that ԰ meets its legal obligations while supporting accountability, transparency, and fairness in the management of personal information.

Frequently Asked Questions (FAQs) - Researchers

Yes. Researchers are responsible as information stewards for managing their research data in accordance with ethical or professional standards (including the ), contractual obligations, Research Ethics Board requirements and University policies, procedures, operating standards and guidelines relating to information security, including the Information Security Classification Standard. This includes classifying and securing research data in accordance with the applicable security classification level based on sensitivity.

Research data should be classified based on sensitivity, especially where personal information is being collected from research participants. As a general rule, we recommend classifying research data involving personal information as follows (from high to low risk):

  • Level 4 – identifiable human participant research data that falls within the Level 4 category (health information, financial information, status as a minor, senior or vulnerable individual, sensitive demographic information, or sensitive/special category GDPR data under the General Data Protection Regulation Compliance Standard)
  • Level 3 – identifiable human participant research data that falls within the Level 3 category (essentially, all identifiable personal information that is not high risk/restricted Level 4 information)
  • Level 2 – de-identified/anonymized human participant research data where there is no material risk of re-identification (either alone or in combination with other available data).

The existing classification levels—Public, Protected, Confidential, and Restricted—remain largely unchanged. However, the definitions and associated examples have been changed and refined to promote consistent interpretation and application across all faculties, departments, administrative units, and the overall research enterprise in alignment with ԰’s Privacy Management Program requirements. 

The updated standard now classifies personal information of research participants into either the Level 3 or Level 4 category based on the sensitivity of the information. In particular, health information, financial information, status as a minor, senior or vulnerable individual, sensitive demographic information, or sensitive/special category GDPR data are explicitly recognized as requiring enhanced Level 4 protection, while all other identifiable data may be treated as Level 3. All de-identified research data may be treated as Level 2 provided there is no material risk of re-identification (either alone or in combination with other available data).

Note that existing projects, operational activities, and information technology services are not being discontinued. These updates are intended to strengthen governance, accountability, and risk management practices across the institution, not unduly disrupt operations. Where required, additional steps may be implemented to ensure alignment with the updated standard and other applicable ԰ policies and procedures.

԰ is only required to complete a PIA for any new, or a substantial change to an existing, administrative practice, program, project or service for institutional initiatives which support an operating program or activity of ԰ carried out for the purposes of institutional research, planning or program quality assurance, evaluation or improvement. 

A PIA is not required for research projects carried out by academic staff members intended to develop or contribute to generalizable knowledge. However, researchers may be required to complete a Research Data Management Plan (DMP) in specific circumstances where required under certain Tri-Agency grants or where required by other funders or research partners. Researchers may also be required to complete a Data Protection Impact Assessment (DPIA) where carrying out personal data processing activities within the European Economic Area or otherwise falling within the territorial scope of GDPR in accordance with the General Data Protection Regulation Compliance Standard.

For more information regarding whether your initiative is being carried out for institutional or research purposes, see the Guidelines for Researchers/Project Leads: Use of Student and Institutional Data.

Automated systems/AI may only be used for research in accordance with ethical or professional standards (including the ), contractual obligations and University policies, procedures, operating standards and guidelines relating to the conduct of research, including the Research Integrity Policy.

Appropriate consent must also be obtained from research participants in accordance with applicable Research Ethics Board requirements and adherence to applicable research security policies and guidelines. Researchers should only use institutionally approved automated systems/AI tools such as the secure version of . If you intend to use or acquire another AI platform for your research, please follow the ԰ .

If you suspect that a privacy incident/breach has occurred involving the loss of, unauthorized access to or unauthorized disclosure of research data, please immediately report the incident to the Access and Privacy Office by completing the Privacy Breach Incident Report form and sending it to accessandprivacy@ucalgary.ca. The Access and Privacy Office will engage in a risk assessment and determine what mitigation steps may be recommended or required under the applicable research or data disclosure agreement.

If the incident involves ԰ electronic resources, then the incident must also be reported to the IT Cybersecurity Operations Team at abuse@ucalgary.ca.

If the incident involves theft or other illegal activity, then the incident must also be reported to Campus Security at campus.security@ucalgary.ca.

Records containing personal information held by ԰ (e.g., student or staff records being stored in existing information systems) may only be used or disclosed in accordance with POPA and applicable ԰ policy. 

If you would like to access institutional personal information for your project, please complete the Request to Access Institutional Personal Information Form and submit it to accessandprivacy@ucalgary.ca. The Access and Privacy Office will review the request with the Information Steward to determine whether access to the existing institutional data is permitted.

Personal information that has been de-identified or anonymized such that individuals can no longer reasonably be identified will continue to be treated as Level 2. This includes de-identified or anonymized human participant research data.

De-identified or anonymized non-personal data will be treated as Level 3 or Level 4 where it carries a material risk that a person could be identifiable or re-identified from the data, either alone or in combination with other available information. In simple terms, if the data cannot reasonably be traced back to an identifiable individual, it is Level 2; if there is still a meaningful chance that it could be, it is Level 3 or Level 4 (depending on the content of the information).

Researchers are responsible as information stewards for the research data that they collect or create to ensure that it is sufficiently de-identified or anonymized. 

For additional guidance, the Access and Privacy Office has developed a  in accordance with the ԰ Data Matching, De-Identification and Data Quality Assurance Standard to assist faculties, departments and administrative units in ensuring that personal information has been de-identified or anonymized in accordance with generally accepted best practices. It is important to understand that this form is only required for institutional data and not required for research projects carried out by academic staff members intended to develop or contribute to generalizable knowledge. However, the form provides guidance on how to de-identify personal information in accordance with best practices and how to adequately assess the risk of re-identification.

All electronic resources and information systems used at ԰ must align with the classification levels assigned to the information assets they support. Administrative, technical, and physical safeguards must be implemented in a manner commensurate with the sensitivity of the information.

These requirements align with ԰’s Acceptable Use of Electronic Resources and Information Policy and . New or substantially modified systems may be subject to review under the ԰  to confirm compliance with ԰ policies, procedures and operating standards.