Data classification and handling
Principles for classifying and handling data at Tampere University
The management of data risks is integrated into overall risk management and quality assurance at Tampere University. From a financial perspective, the management of data risks requires the classification and proper management of data. Processing activities are governed not only by data protection laws and agreements but also by the preferences of data subjects.
Data is assessed based on its value for the University’s activities and the severity of risks associated with unauthorised use. The following points must be considered:
- confidentiality, integrity and accessibility of data, and
- the extent of damages that may be incurred due to non-compliance with relevant requirements.
The requirement to classify and appropriately handle data applies to all the activities undertaken by the University, such as teaching, education, research, the procurement of services and systems, project management, HR management, employment contracts, staff training and enterprise architecture.
Data must be classified as public, internal, confidential or restricted. These categories are based on the severity of the risk of unauthorised disclosure. In addition, when processing documents that fall under the scope of the Finnish Act on the Openness of Government Activities or other legislation, you must adhere to the applicable requirements and regulations. The University’s records management plan governs the processing of these documents. The importance of data accessibility must be assessed and considered from the perspective of the University’s obligations (such as archiving) and the continuity of operations. Data is classified based on the risk of unauthorised disclosure as follows:
- Public: disclosure would benefit the University.
- Internal: disclosure would not benefit the University.
- Confidential: inappropriate disclosure would be likely to cause a negative impact on the University or its customer, student or employee.
- Restricted: inappropriate disclosure would be likely to cause serious damage to the University or its customer, student or employee.
At the University, the head of records management, data security coordinator and information security manager are responsible for providing instructions for classifying and handling data.
The guidelines for data classification and handling are integrated into the existing policies and training documents.