In terms of data protection and information security, we refer to different types of data (classifications). We classify from two different perspectives: whether the data reveals something about identified persons (personal data), and what importance the data has for SDU.
Data is considered personal data if it says something about a person who is identified in the data, or who could be identified by comparing the data you have with other sources. Depending on the type of data, personal data are considered either “non-sensitive”, “confidential” or “sensitive” to the persons they concern.
Business data is data that is relevant to SDU. It covers almost all the data that we process or use at SDU. Depending on the importance of the data to SDU, and the consequences if the data are unintentionally revealed, business data can be either “public”, “internal”, “confidential” or “sensitive/secret”.
Data can be both personal data and business data at the same time. For example, data about students will be both personal data (because they reveal information about a student) and business data (because we rely on them for student administration). Data can be classified at different levels with respect to the registered persons and with respect to SDU. For example, information about employees on sdu.dk will be public business data but also non-sensitive personal data.
You need to be aware of what types of data you are working with, because it changes the security requirements you need to live up to.
SDU’s classification of data is governed by our guidelines for data classification (only available in Danish): SDU's data classification
If data does not reveal anything about an identifiable person (because the data is not about people, or because it is anonymized), it is not personal data. In that case, there are no GDPR requirements for how the data can be used.
Public business data is data that is either public, or which is intended to become public. For example, publicized research articles or content on sdu.dk is considered public.
Non-sensitive personal data is personal data that is neither confidential nor sensitive. It could be basic employee data or data about the users of an IT system.
Internal business data is data where it would cause less significant harm to SDU if the data were to be publicized. It could be internal communication between employees, or copyrighted teaching materials.
Confidential personal data is data that SDU is generally expected to take special care of. It could be CPR-numbers, or it could be information that is given to an SDU researcher under condition of confidentiality. Individual student grades are also confidential.
Confidential business data is data where it will cause significant harm to SDU if the data is revealed. It could be data covered by confidentiality agreements in research cooperation, information about patentable inventions or minutes from closed meetings.
Sensitive personal information is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation. At SDU, we also classify information about criminal offences as sensitive/secret – they are covered by different GDPR rules than sensitive data, but the conclusion is the same: We need to take particular care of them.
Sensitive (or “secret”) business data is data that could cause great harm to SDU if it was made known to unintended recipients. It could be internal consultation about economic problems or other vulnerable business issues, or it could be research data that can be used for warfare or cyber-attacks.
Special protection of personal data applies when it concerns children. You must therefore, among other things, remember that:
- All information must be written in a simple and understandable way - especially if it is aimed at children
- Both children and parents must be aware of how personal data is processed (consent, duty to inform etc.)
Would you like additional data classification examples?
You can access the full list of data classification examples here.