Data Classification
Identify and classify your data
In preparation for GDPR, you may find it useful to identify and classify all the personal data that you are working with, and then to document the appropriate technical security measures that you are putting in place to protect the data, as in the table below:
Examples of critical, sensitive, internal and public data and how to store, access and transfer
Column 1 identifies the type of data, column 2 gives examples, and column 3 describes how to store, access and transfer this type of data.
| Data Classification | Data Example | Security controls for storing, accessing and transferring data |
|---|---|---|
| Critical/sensitive | Biometric data; Personal medical data | Stored in encrypted format in agreed storage location e.g. SharePoint; Backed up weekly to secure local drive held in locked fireproof safe; Transferred in encrypted format; Not to be transferred by email unless encrypted; Accessed by username and password by authorised researchers only |
| Sensitive | Names, addresses, dates of birth of living individuals (subject to GDPR) | Stored in encrypted format in agreed storage location e.g. SharePoint; Backed up weekly to secure local drive held in locked fireproof safe; Transferred in encrypted format; Not to be transferred by email; Accessed by username and password by authorised researchers only |
| Internal | Research project communication | Stored in agreed storage location e.g. Email, OneDrive etc.; Accessed by username and password; Can be transferred by email to authorised staff |
| Public | Staff names, job titles and work contact details; Project public website | Authorised for public use on Research Project website etc.; Encryption not necessary; Backed up weekly |