Date and Instance of Approval:
June 29, 2016
Administration Committee
Amendments:
October 23, 2024
May 26, 2026
Responsible Service:
Office of the Secretary General
PURPOSE
1. This policy describes the system used to classify University information according to sensitivity. It also sets out obligations and safeguards to protect University information.
APPLICATION
2. This Policy must be read in conjunction with Policy 116 - Use and Security of Information Technology Assets; Policy 90 - Access to Information and Protection of Privacy; and Policy 23 – Policy on Information Management and any other University policy, procedure or other directive relevant to the handling of University Information.
3. This policy applies to all University information and to all information systems and resources that are used by or on behalf of the University to create, input, process, communicate, transport, disseminate, store or dispose of University information. It also applies in situations where University information is created, inputted, processed, transmitted or stored by third-party service providers and their subcontractors.
DEFINITIONS AND INTERPRETATION
4. For the purposes of this policy and any procedures established pursuant to it:
a) “Information custodian” means a University staff member or any other entity hired by the University who is responsible for safeguarding University information based on its sensitivity classification.
b) “Research data” means data that are used as primary sources to support technical or scientific enquiry, research, scholarship or creative practice, and that are used as evidence in the research process and/or are commonly accepted in the research community as necessary to validate research findings and results. Research data can be experimental data, observational data, operational data, third-party data, public-sector data, monitoring data, processed data or repurposed data. The definition of relevant research data is very often contextual, and the determination of what counts as such should be guided by disciplinary norms (reference).
c) “Information owner” means the University staff member who holds a University position with the highest level of managerial decision-making authority of a unit and who is the final authority and decision maker with respect to the sensitivity classification of the University information created by their unit. In the context of research, an information owner is the researcher responsible for the research and for the management, protection and use of data resulting from such research (for example, the principal investigator).
d) “Information users” means those persons who are authorized to receive or have access to University information for the purposes of their employment at the University or for otherwise fulfilling their mandate at, or their obligations to, the University.
e) “University information” means a wide range of information, regardless of format or medium, that supports the University’s teaching, research, administrative and other activities, and is created, received or held by or on behalf of the University, whether stored, in transit or in use.
f) “Unit” means a University faculty, school or other academic unit, administrative service or office.
5. The Secretary-General is responsible for the interpretation of this policy.
UNIVERSITY INFORMATION SENSITIVITY CLASSIFICATION
6. University information is grouped according to its sensitivity level into one of the following four classifications: public, internal, confidential or highly confidential.
| Classification | Definition | Category | Examples (not exhaustive) |
| PUBLIC | Information intended for unrestricted public access. No anticipated risk or harm arising from disclosure. | Institutional | • Open or freely accessible data, such as the content of public websites • University calendars • Final press releases • Pre-enrolment course information (e.g., curriculum, fees, learning outcomes, course descriptions and schedules) • Openly disseminated institutional statistics • Blank resources, templates, forms and applications • Compensation plans and benefit programs • Identifiable information for which the data subject has explicitly consented to public disclosure or for which they have no expectation of privacy |
| Research | All the above examples, plus: • Published open-access articles and datasets • Plain language summaries • Research products deposited in public institutional repositories (with consent) • Open-source code and models • Published research data not subject to embargo or beyond embargo period • Publicly available data, including from databases (e.g., Statistics Canada, PHSA Community Health Atlas) • Identifiable information which the research subject (individual or organization) has explicitly consented to make public | ||
| INTERNAL | Information not intended to be made public, whose unauthorized access or disclosure could cause damage or harm individuals, groups and/or the University. | Institutional | • Internal operational procedures and guides • Reports, planning documents and contracts • Internal memos and working drafts • Budget documents and strategic planning material • Staff lists containing professional contact details • Network, architectural and technical drawings and plans • Technical configurations • Contracts and Memoranda of Agreement (MoA) • System logs and transactional diagrams • Anonymous information (e.g., from a survey) where no identifiers were collected |
| Research | All the above examples, plus: • Unpublished or embargoed research results (e.g., draft manuscripts, grant applications, patent applications) • Confidential documents for peer review (excluding personal information) • Laboratory notes, models under development • Presentations on current research • Research data that is Research Ethics Board-exempt and has no contractual obligations for additional protections – low-risk research data not requiring ethics review and not contractually or legally restricted • Non-identifiable human information with low sensitivity and low risk of re-identification (e.g., anonymized, coded or de-identified information) • Anonymous survey data where no identifiers were collected and the risk of re-identification is very low | ||
| CONFIDENTIAL | Information that, if compromised, would cause serious harm to individuals, groups or the University, and information subject to ethical, legal, contractual or regulatory obligations. | Institutional | • Personally identifiable information as defined by the Freedom of Information and Protection of Privacy Act (FIPPA) or other applicable access and privacy legislation • Student numbers and files • Student academic status and grades • Human resource records: compensation, performance appraisals, grievances • Internal investigation reports on sensitive allegations, incidents or misconduct • Unpublished financial data • Audit or assessment findings and mitigations • Information on location or ownership of hazardous goods or materials • Security camera recordings • Confidential data, documents or know-how provided by a company under a confidentiality agreement • Staff numbers and records • Intellectual property that belongs to the University • Legal or disciplinary records |
| Research | All the above examples, plus: • Sensitive de-identified participant data (e.g., trauma studies, traumatized subjects) • Research governed by the Research Ethics Board or by data use agreements • Proprietary industrial data (protected by non-disclosure agreements) • Research data involving Indigenous communities (with restrictions) • Research with commercial potential (before patenting) • Intellectual property, disclosure of inventions and patent applications before publication • Confidential information received for peer review of publications or grant applications • Research data requiring strong security controls by external partners or funding agencies | ||
| HIGHLY CONFIDENTIAL | Information that, if compromised , would cause serious to catastrophic harm to individuals, groups, the University, governments, major public agencies or matters of national interest. | Institutional | • Government-issued ID (e.g., health card, driver’s license, passport, social insurance number) • Personal health information as defined under the Personal Health Information Protection Act (PHIPA) • Payment card information • Information that could compromise the safety of individuals or the security of University buildings, systems or protective measures • Biometric data |
| Research | All the above examples, plus: • Genetic data • Research involving national defence, critical infrastructure or national security • High-risk data from clinical trials or dual-use research (AI/biology) • Research data with confirmed dual-use potential • Research data subject to export controls or the Controlled Goods Program • Research data under classified government contracts, subject to strict restrictions and whose disclosure could compromise national security or government interests |
7. Some University information may have little-to-no sensitivity on its own or in isolation but may be highly sensitive when associated with other information or when in aggregate (e.g., a student ID number combined with identifying information). Generally, the classification “confidential” should be assigned to University information that could be aggregated.
8. A collection of University information within which University information sensitivity classification levels vary—whether stored, in transit or during electronic transfer (such as files, databases, emails and attachments, filing cabinets, backup media, electronic memory devices, sensitive operation logs, or configuration files)— must be classified collectively at the highest sensitivity level present within that collection. If any subset of University information within such collection is separated from the original collection of University information and has been assigned its own sensitivity classification level, it should be protected according to that classification. If no classification is assigned to such subset, the subset retains the sensitivity classification level assigned to the collection of University information.
INDIGENOUS RESEARCH DATA
9. The University recognizes the sovereignty of Indigenous research data. It affirms that research data created in the course of work conducted with and for First Nations, Inuit and Métis communities, groups and organizations must be governed according to the terms established jointly with the Indigenous governance authorities or Indigenous partners concerned, in accordance with their data governance protocols and the Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans (TCPS 2), Chapter 9.
Where Indigenous data governance protocols establish specific requirements for the classification, management, access, storage or disclosure of research data, these requirements shall be observed and incorporated into institutional practices.
INFORMATION OWNER RESPONSIBILITIES
10. The information owner is responsible for assigning one of the four sensitivity level classifications set out in this policy to University information created within their unit. The sensitivity level classification should be assigned as soon as possible. University information maintains its initial sensitivity classification until the Information owner reclassifies it, as needed.
11. The Information owner is also responsible for the following:
a) ensuring that the use and protection of University information is consistent with the sensitivity classification level assigned to the University information and to all applicable University policies, standards, administrative procedures, regulations, and applicable laws;
b) establishing, in relation to the processing and protection of University information used by their unit, guidelines, administrative procedures or other rules that set requirements equivalent to or stricter than those of this policy (and any method adopted pursuant to it);
c) consulting users about the types of University information they handle regularly, to ensure that University information maintains the appropriate sensitivity classification and that control measures remain aligned with the classification assigned by the information owner;
d) working with information custodians, University IT staff and others involved on University projects related to creating, maintaining and using or otherwise handling University Information;
e) authorizing access to University information classified as “highly confidential,” “confidential” or “internal”;
f) ensuring that those persons who are authorized to access University information classified as “highly confidential,” “confidential” or “internal” agree in writing to maintain the confidentiality or any other limitations on access to the University information;
g) assigning operational responsibility for University information to at least one Information custodian;
h) ensuring that information custodians provide reasonable security controls to protect the University information and automated systems, and that information users comply with procedures established for such protection;
i) documenting variances from IT general control practices and promptly initiating corrective action.
INFORMATION CUSTODIAN RESPONSIBILITIES
12. An information custodian is responsible for the oversight and implementation of appropriate safeguards necessary to protect the University information at the classification level assigned to the University information by the information owner.
13. An information custodian is also responsible for the following within the context of the sensitivity classification assigned to the University information:
a) understanding and complying with this policy (and any procedures adopted pursuant to it) and any other applicable University policy, procedure or applicable laws for the appropriate use and protection of University information;
b) understanding the flow of University information in relevant operational processes, both manual and automated;
c) implementing and maintaining physical and logical controls to enforce University policies and administrative procedures;
d) granting and revoking access to University Information, under the direction of the information owner;
e) enabling the timely detection, reporting and analysis of incidents where circumvention, or attempted circumvention, of controls related to University information takes place;
f) following the information owner requirements regarding the handling of University information.
INFORMATION USERS’ RESPONSIBILITIES
14. Information users are responsible for handling University information in a way that is appropriate to the University information sensitivity classification and in accordance with the responsibilities outlined in Procedure 20-12 – Handling Confidential and Internal Information.
CHIEF INFORMATION SECURITY OFFICER RESPONSIBILITIES
15. The University’s Chief Information Security Officer (“CISO”) is responsible for the coordination, development, implementation and maintenance of a University-wide information security program.
16. The CISO is also responsible for the following:
a) defining the University’s overall approach to information risk management and ensuring that the security measures in place are adapted to protect University information according to its level of sensitivity;
b) determining the risk tolerance to threats that affect the security of University information;
c) developing, maintaining and circulating policies, standards, guidelines and administrative procedures relating to information security;
d) designing and implementing secure computing environments;
e) coordinating and assisting with the response to breaches involving unauthorized use of University information.
INFORMATION SAFEGUARDS
17. This section outlines a list of non-exhaustive and minimum information safeguards for protecting University information classified as “highly confidential,” “confidential” or “internal” or has varying classifications, in order to mitigate the risk of its potential loss, theft, unauthorized disclosure, access or use.
a) University information classified as “internal:”
i. must, when stored in a physical location, be protected by access control measures that are sufficient to detect and prevent unauthorized access by members of the public, visitors or other unauthorized persons;
ii. must not be published or posted on any website or otherwise made publicly available without the prior written consent of the Information owner.
iii. must be securely destroyed in accordance with Procedure 20-4 – Disposition of Information, Schedule J – IT Asset Disposal, or, if in hardcopy format, must be securely shredded or incinerated and in accordance with the University’s records retention schedule.
b) In addition to the above measures applicable to information classified as “internal,” University information classified as “confidential:”
i. may only be disclosed to those who need the University information in the performance of their University duties and where disclosure is necessary and proper in the discharge of the University’s functions, as determined by the Information owner;
ii. must, when stored in electronic format, be protected with strong passwords, in compliance with Schedule K – Acceptable Encryption and stored on servers or databases that have appropriate protection measures;
iii. must, if transmitted in electronic format, be encrypted in accordance with Schedule K – Acceptable Encryption
c) In addition to the above measures applicable to information classified as “confidential,” University information classified as “highly confidential” must:
i. not be communicated using communication tools or platforms not approved by the University (e.g., email, chat, texting, social media);
ii. not be stored on personal computers, devices not managed by the University or general-purpose computer systems not expressly dedicated to it;
iii. be subject to centralized access control and monitoring, and access logs must be kept for a period that complies with applicable requirements;
iv. have its location and accessibility verified to ensure compliance with applicable legal and institutional requirements, including data residency (e.g., in Canada).
APPROVAL AND AMENDMENTS
18. The Secretary-General is responsible for reviewing this policy from time to time and for recommending to the Administration Committee any amendments that may be needed.
19. Amendments to this policy require the approval of the Administration Committee.
20. Subject to Section 20, the Secretary-General of the University may establish, amend or abrogate procedures for purposes of the effective implementation of this policy, provided that such procedures are consistent with the provisions of this policy.
21. The Vice-President, Research and Innovation, in consultation with the Secretary-General, may establish, amend or abrogate procedures for purposes of the effective implementation of this policy, provided that such procedures are consistent with its provisions.
22. Notwithstanding paragraph 18, the Secretary-General may amend this policy without the need to submit such amendment to the Administration Committee for approval if such amendment is required to:
a) Update or correct the name or title of a position, unit, law, regulation, policy, procedure or authority;
b) Correct punctuation, grammar, typographical errors, formatting or other technical elements where necessary, if the correction does not change the meaning of a provision, or make such other correction if it is patent both that an error has been made and what the correction should be;
c) correct the form of expression of a provision in English or in French to make it more compatible with its form of expression in the other language; or
d) make consequential amendments to conform with or arising from another University by-law, resolution, policy or procedure.