Classification of data

It’s your responsibility as an AU student to protect the digital information and data you use in your academic work. This means you must process, store and share digital information and data correctly and securely to make sure it doesn’t get lost or misused. Examples include: 

  • The digital information you work with in connection with academic projects and classes
  • Data about fellow students (such as participant lists for Friday bars and such)

To make sure you manage data securely and correctly, start by categorising the types of data you use. This is what’s known as data classification. 

What is data classification?

In a nutshell, data classification means categorising the digital information you use so you know how to store and share the different types of data securely and correctly.

For example, what kinds of digital information is it OK to send by email or SMS? What are you allowed to save in Dropbox? To answer questions like this, you need to classify your data.

Why is data classification important?

Data classification is one of the central aspects of information security and GDPR. When you store and send digital information correctly and securely, you minimise the risk that this data will end up in the wrong hands, or get lost or altered.

How do I classify my data?

When classifying data, you need to answer the following questions:

  • Does the data contain personal data? If so, how sensitive is the data?
  • Does the data contain business information? And if so, how damaging would it be for the university or an external partner (for example, your internship host organisation, your Master’s thesis host organisation, etc.) if this information were to be leaked, altered or lost?

The four types of data

Level 0: Public data

Public data is information that is available to the public. The publication of this data does not harm AU, private individuals or business partners. Examples include:

  • AU's websites, e.g. au.dk, studerende.au.dk
  • Academic regulations and course descriptions
  • News articles
  • Books
  • Research data (open data)
  • Research reports 
  • Your own personal data or other people's personal data, provided consent for publication has been given. Including:
    • Employee master data (name, job title, phone number)
    • Affiliation to institutions

Level 1: Internal data

Internal data is information that only AU staff with a purely work-related need are permitted and able to access. Breaches of confidentiality in relation to internal data will have a low-level negative impact on AU, private individuals or partners. Examples include:

General personal data under Article 6 (‘Lawfulness of processing’) of the General Data Protection Regulation, including:

  • Master data (name, telephone, address, date of birth)
  • Data on education, references, course certificates and work assignments 
  • Data on salary, tax, pension and payroll account number
  • Driver's license number and type
  • Nationality
  • System user information
  • Data on absence (confined to the absence itself, not supplementary information, for example treatment, diagnosis or the reason for the absence)
  • Participation in classes/courses/groups and course level
     
  • Typical information
    • Teaching materials
    • Work rota
    • Research data
    • Minutes and/or agendas of meetings

Level 2: Confidential data

Confidential data is information that only AU staff with a purely work-related need are permitted and able to access. Breaches of confidentiality will have a medium-level negative impact on AU, private individuals or partners. Examples include:

Personal data classified as confidential at AU, including:

  • Civil reg. no. (CPR number)
  • Student/employee home address, private email address, private telephone no. and other private information
  • Personality tests
  • Marital status 
  • Adoption details
  • Grades, grading etc. 

Level 3: Sensitive data

Breaches of confidentiality for this type of data will have a high-level negative impact on AU, private individuals or partners. This is information which, due to its personal, technical, business or competition-related nature and sensitivity, must be secured at the highest level against accidental access and publication. Examples include:

Sensitive personal data, including:

  • Race and ethnic origin
  • Political opinions, religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data for the purpose of unique identification
  • Data concerning health
  • Sexual relationships or sexual orientation
  • Criminal offences pursuant to Article 10 of the General Data Protection Regulation (‘Processing of personal data relating to criminal convictions and offences')

Storage of data

Regardless of classification, data and information must be processed with information security in mind, whether it is in electronic or physical form.

  • Data and information classified as confidential or sensitive must be stored securely.
  • Private devices must not be used for storing or processing information or data classified by AU as confidential or sensitive.

See where you can store different types of information.

TIP: Pseudonymisation and anonymisation of personal data

If you process confidential or sensitive personal data, you must decide whether it should be pseudonymised or anonymised. This also applies to data in physical form such as paper.

  • Personal data is pseudonymised by removing all directly identifying information (e.g. civil reg. no. (CPR no.), name, address, tel. no.) from the data set. During pseudonymisation, a serial number can be added that makes it possible to identify the individual person.
  • Anonymisation of personal data means that it is not possible to identify the individual person.

There are different requirements for storing data depending on whether you apply pseudonymisation or anonymisation. Read more about pseudonymisation and anonymisation.
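
One way to carry out the pseudonymisation step described above, as an added example that is not part of AU's guidance: it removes the directly identifying fields, gives each person a random serial number, and checks the remaining fields for identifiers that slipped through in free text. The column names, the sample rows and both function names are assumptions made for this illustration.

```python
import secrets

# Direct identifiers named on the page; the column names are assumptions.
DIRECT_IDENTIFIERS = ("cpr", "name", "address", "phone")

# Constructed sample rows (no real persons or CPR numbers).
SAMPLE = [
    {"cpr": "010190-0000", "name": "Anna Example", "address": "Testvej 1",
     "phone": "00000001", "grade": "10", "note": "resit approved"},
    {"cpr": "020291-0000", "name": "Bo Example", "address": "Testvej 2",
     "phone": "00000002", "grade": "7", "note": "Bo Example asked for an extension"},
    {"cpr": "010190-0000", "name": "Anna Example", "address": "Testvej 1",
     "phone": "00000001", "grade": "12", "note": ""},
]


def pseudonymise(records, identifiers=DIRECT_IDENTIFIERS):
    """Strip direct identifiers and add one serial number per person.

    Returns (rows, key_table). The key table is the only link back to the
    person, so it must be stored apart from the rows.
    """
    serial_for, key_table, rows = {}, {}, []
    for rec in records:
        ident = tuple(rec.get(f, "") for f in identifiers)
        if ident not in serial_for:
            # Random serial, not derived from the CPR number, so it cannot
            # be recomputed from a known identifier.
            serial = secrets.token_hex(8)
            serial_for[ident] = serial
            key_table[serial] = dict(zip(identifiers, ident))
        row = {k: v for k, v in rec.items() if k not in identifiers}
        row["serial"] = serial_for[ident]
        rows.append(row)
    return rows, key_table


def leftover_identifiers(rows, key_table):
    """Find a person's removed identifiers still present in their own row."""
    hits = []
    for i, row in enumerate(rows):
        for id_field, value in key_table[row["serial"]].items():
            for field, text in row.items():
                if field != "serial" and value and value.lower() in str(text).lower():
                    hits.append((i, field, id_field))
    return hits


if __name__ == "__main__":
    rows, key_table = pseudonymise(SAMPLE)
    print(rows)
    print(leftover_identifiers(rows, key_table))  # free-text fields needing redaction
```

Deleting the key table does not by itself anonymise the data if the remaining fields can still single out a person.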