What is data classification?

Published: December 22, 2025

Dear 404: What is data classification?

Dear 404,

I don’t work in IT. I keep hearing about ‘data classification’ in meetings, especially when we’re looking into vendors or new systems. What exactly is data classification, and why does it always come up during these conversations?

— Baffled by Buzzwords

Dear Baffled by Buzzwords,

Great question — and yes, you’re not imagining it: data classification shows up in every procurement meeting like it’s trying to earn loyalty points, and for good reason. Think of data classification like sorting your files by how risky they would be if they leaked or got lost.

U of T groups information into four levels based on importance, sensitivity, and how much harm would happen if it were exposed.

Here’s your Coles Notes version:

Level 1 – Public Data: Totally safe for the world to see. No secrets here.

  • This includes institutional and departmental policies, directory information, course materials like syllabi and schedules, and published research.
  • If it’s already out on a website somewhere, it’s probably Level 1.

Level 2 – Internal (Non-Public) Data: This is U of T’s default “internal use only” bucket.

  • The stuff that isn’t sensitive but isn’t meant for the outside world either.
  • Think: non-public aggregated data, de-identified information, most unpublished research, course materials, building floor plans, and custom code someone proudly built in-house.
  • It’s all useful… just not public facing.

Level 3 – Confidential Data: Level 3 is your “handle with care” category.

  • Not top secret, but definitely not for broad distribution — only to be shared with specific individuals on a ‘need-to-know’ basis.
  • It includes your everyday office records — emails, internal business paperwork, and admin information that’s meant for specific eyes only.
  • It also includes personal information about applicants, students, faculty, staff, or donors. If it can identify someone and they didn’t sign off on sharing it, it lands here.
  • And for extra caution points: security event logs, vulnerability and risk assessment records, and detailed building and facilities plans.

Level 4 – Highly Sensitive Data: Ah yes — the “do not mess around with this” tier.

  • Level 4 includes the big stuff.
  • Social Insurance Numbers, bank account and financial data, personal health information, sensitive research, passwords, credentials, and anything else that could cause major harm if exposed.
  • This tier needs much stronger protection than everything else — think Gandalf’s warning to Frodo to “Keep it secret. Keep it safe.”

If you’re looking for even more information, you have come to the right place… You can access the Classification Standard on the Information Security website.

Sincerely,
4[0‿0]4