At the University of Waterloo, all records, even short-term or draft versions, need to be classified based on how sensitive they are. This helps us protect information and prevent unauthorized access or sharing.
Records are classified as either public or confidential. Confidential records are further divided into restricted or highly restricted, depending on how sensitive they are and how much protection they need. Consult Policy 46 – Information Management for the approved definitions of these four categories.
Information Classification Levels
Public Information
Public information is explicitly approved for release to the public by an information steward or custodian with the proper authority. It can include:
- University publications
- Websites that do not require authentication
- Social media channels
- University Calendar
- Published Request for Proposals (RFPs)
- Salaries subject to disclosure by the Ontario Public Sector Salary Disclosure Act
This information can be accessed freely without restrictions. If unsure about whether data is public, consult the appropriate information custodian or refer to WatClass records retention schedules.
Confidential Information
Confidential information is information not approved for public release, such as drafts or internal documents. It does not include personal information, financial data, or content protected by NDAs or legislation. Disclosure is unlikely to cause harm or impact external parties. When in doubt, treat information as confidential unless it is clearly public. To confirm, contact the relevant information custodian, Information Security Services (ISS), or refer to WatClass.
Preliminary drafts are considered Confidential, even if the final version is public, as they may differ significantly from the approved content.
Restricted Information
Restricted information is a subset of confidential data that is subject to legal or contractual obligations to protect. If the data is compromised, details of the breach will need to be disclosed to a third party, or the Privacy Commissioner of Ontario may need to be notified. Common examples include:
- Supplier information (protected under the Broader Public Sector Procurement Directive)
- Personal information (protected under the Freedom of Information and Protection of Privacy Act (FIPPA) or the Personal Information Protection and Electronic Documents Act (PIPEDA)). Examples include (non-exhaustive):
  - Data that can directly identify a person
    - WatIam username
    - Student/Employee Number
    - WatCard number
    - IP Address
  - Data that when combined can identify a person
    - First and last name
    - Contact information (address, phone, email)
    - Date of Birth
    - Sex/Gender
    - Race/Ethnicity
    - Academic information - assigned grades, course enrolment information, completed coursework
    - Employment history
This information must be handled with greater protection and can only be shared with authorized individuals.
Highly Restricted Information
Highly restricted information is sensitive data that presents significant risks if compromised. It is subject to the highest level of protection and is typically only accessible by authorized personnel. Examples include (exhaustive):
- Social Insurance Numbers (SINs)
- Bank Account Numbers
- Credit Card Numbers
- Driver’s License Numbers
- Personal Health Information (PHI)
- Controlled technology regulated under the Controlled Goods Regulations and technical data defined by the Defence Production Act
- Information related to contracts under Public Services and Procurement Canada's Contract Security Program
Unauthorized access to this kind of information can lead directly to serious personal or financial harm, including identity theft, fraud, or legal violations. Handle it with extreme care.
Access to this information is highly restricted and must comply with strict security measures. Consult with Information Security Services when dealing with this class of data.
Note: For questions about Controlled Goods, Export Control, or the Contract Security Program, please contact the Office of Research – Safeguarding Research Team.
How to Classify Your Data — Ask These Questions:
1. Is this data publicly available on the University’s website or publication?
   - Yes: It’s Public.
   - No: Go to the next question.
2. Is it on the list of Highly Restricted information?
   - Yes: It’s Highly Restricted (this list is exhaustive).
   - No: Go to the next question.
3. Does it contain personal identifiers, student/employee data, or data governed by a legal contract (e.g., NDA (Non-Disclosure Agreement)) or regulation (e.g., FIPPA or PIPEDA)?
   - Yes: It’s Restricted.
   - No: Treat it as Confidential.
When in doubt, treat the information as Confidential and consult WatClass, your Information Custodian, or Information Security Services.
Handling and Confirming Data Classification
- Public Information: Freely accessible; can be shared openly.
- Confidential Information: Not for public release; contact the appropriate custodian or consult WatClass for confirmation.
- Restricted Information: Protected due to legal or contractual obligations; shared only with authorized individuals.
- Highly Restricted Information: Extremely sensitive data with the highest level of protection required.
Microsoft 365 Sensitivity Labels
Starting May 12, 2025, sensitivity labels will be enabled automatically for all employee accounts. Sensitivity labels are tools built into Microsoft 365 (OneDrive, SharePoint, Teams, and Outlook) that help you classify and protect University data based on its confidentiality level. These labels help ensure that files and emails are stored, shared, and accessed in ways that align with the University's Information Confidentiality Classification (Public, Confidential, Restricted, Highly Restricted).
How Sensitivity Labels Work
- You will be prompted to choose a sensitivity label when saving or sending files and emails.
- Labels are applied through apps like Word, Excel, PowerPoint, Outlook, OneDrive, SharePoint, and Teams.
- If no label is chosen, existing files will default to Confidential.
Note: The label you choose should match the most sensitive content in the file or email.
Learn more
Visit the Microsoft 365 Sensitivity Labels knowledge base page for guidance on how to use and apply labels appropriately.
Research Data Risk Classification
Research data at the University of Waterloo should be classified using the Research Data Risk Classification Framework.
Mapping Research Risk Levels to Information Classification
The following table shows how research data risk levels align with the University's information confidentiality classification. This mapping ensures consistent application of security controls across institutional and research data.
Information Confidentiality Classification | Research Data Risk Level |
---|---|
Public | Low Risk |
Confidential | Medium Risk |
Restricted | High Risk |
Highly Restricted | Very High Risk |
Information Security Safeguards
For guidance on security safeguards for highly restricted records, contact IST’s Information Security Services.
For guidance on the appropriate methods and technologies for sharing and communicating confidential information, see the Guidelines for secure data exchange.
For guidance on security safeguards for restricted records containing personal information, consult the Information & Privacy website.
For Additional Resources
- Cyber Awareness website
- Security policies, standards, and guidelines
- IST (Information Systems & Technology) Service Catalogue: Security
Report a cyber event
To report a suspected cyber event, contact the SOC (Security Operations Centre) as soon as possible after discovery by sending an email to soc@uwaterloo.ca or by calling +1-519-888-4567 ext. 41125.