Data classification and storage

At AAU, we want to protect our information against accidental access, disclosure and the risk of data being compromised in any way and to ensure compliance with all relevant security regulations, ISO standards and applicable legislation governing, among other things, the protection of personal data.

In order to ensure the confidentiality of our information, a classification model is applied which defines the correct handling of data and, where required, the labelling of information. Regardless of the classification level, systems may exist that control access to information at several levels.

Data owners are responsible for specifying the classification level of their information.

In this model, "loss" means financial loss and/or loss of reputation.

AAU’s data classification model is applicable for all new systems and data. For existing systems and data, the system and data owners are responsible for preparing a plan for improvements based on a documented risk assessment.

AAU’s data classification model

Level 0: Public information

Information which is in the public domain, and where disclosure is not harmful to AAU. For example, study descriptions, news articles and employee master data (name, title, telephone no.). There are no requirements for the labelling, access, storage or sending of documents, emails and websites containing public information.


Level 1: Internal information

Information to which only users with a purely work-related need may have access, and where a breach of confidentiality will have no or a low impact for AAU, private individuals or partner(s). For example, agreements, budgets, minutes, teaching materials and personal information in connection with employment or study.

  • Internal information must be labelled. Documents must as a minimum be marked on the front page. If labelling is not possible, the classification must appear in the file or folder name.
  • Electronic access to internal information must be password protected.
  • Electronic storage is possible on AAU network drives or other AAU-approved solutions. Physically, internal information must be stored under lock and key.
  • When sending, it is recommended that internal information be encrypted.
  • Internal information can be sent internally by internal mail or externally by ordinary letter mail.


Level 2: Confidential information

Information to which only users with a purely work-related need may have access, and where a breach of confidentiality will have semi-serious impacts for AAU, private individuals or partner(s). For example, research and employees' private personal information.

  • Confidential information must be labelled. Documents must be labelled on each individual page or field of view and must have a front page (cover sheet) without confidential information. Confidential information that cannot be labelled must be stored in systems where the system makes the classification clear.
  • Electronic access to confidential information must be password protected with AAU's Access Control.
  • Electronic storage of confidential information can be done on AAU network drives or other AAU-approved solutions. On external hard drives, USB sticks or similar, confidential data must be encrypted. Physically, confidential information must be kept under lock and key.
  • Use 'Follow-You' printing when printing confidential documents. Upon disposal, confidential documents must be shredded.
  • Confidential information may only ever be forwarded/disclosed to business partners when a legal basis for such transfer exists, e.g. in the form of a data processing agreement. Confidential information can be sent electronically unencrypted internally. When sent externally, electronic confidential information must be encrypted. Physically, confidential documents may be sent internally in a sealed envelope marked "att. recipient" or handed over in person; they may not, however, be carried on public transport such as bus and train.


Level 3: Sensitive information

This is information which, by virtue of its personal, technical, commercial or competitive nature and sensitivity, must be protected against unintentional access and disclosure. For example, administration and research involving sensitive personal information.

  • Sensitive information must be labelled. Documents must be labelled on each individual page or field of view and must have a front page (cover sheet) without sensitive information. Sensitive information that cannot be labelled must be stored in systems where the system makes the classification clear.
  • Electronic access must be password protected with AAU's Access Control, with two-factor validation in addition when accessed from outside AAU's network.
  • Electronic storage can be done on AAU network drives or other AAU-approved solutions. On external hard drives, USB sticks or similar, confidential data must be encrypted. Physically, documents must be kept in a cover from which the classification level is apparent, and under lock and key.
  • Use 'Follow-You' printing when printing sensitive documents. Upon disposal, sensitive documents must be shredded.
  • Sensitive information may only ever be forwarded/disclosed to business partners when a legal basis for such transfer exists, e.g. in the form of a data processing agreement. Electronic transmission of sensitive information must be encrypted. Physically, sensitive documents must be sent in a sealed envelope, either by registered mail or by courier.
