AAU logo

Classification of data

AAU Data Classification Model

At AAU, we want to protect our information against accidental access, disclosure and the risk of data being compromised in any way and to ensure compliance with all relevant security regulations, ISO standards and applicable legislation governing, among other things, the protection of personal data.

In order to ensure the confidentiality of our information, a classification model is applied which defines the correct handling of data and the labelling of information, as required. Regardless of the classification level, systems may be in existence for controlling access to information at several levels.

Data owners are responsible for specifying the classification level of their information.

By loss is meant financial loss and/or loss of reputation.

AAU’s data classification model is applicable for all new systems and data. For existing systems and data, the system and data owners are responsible for preparing a plan for improvements based on a documented risk assessment.

Any security breaches must be registered via the AAU online form: Reporting of security incident.

AAU Data Classifcation Model

  • +

    Level 0 - Public

    Description and examples

    Information which is in the public domain, and where disclosure is not harmful to AAU.

    Typical information:
        - AAU’s website, www.aau.dk etc.
        - Study descriptions
        - News articles
        - Books
        - Research data (open data)
        - Research reports

    General personal data, including:
        - Employee master data (name, title, telephone no.)
        - Affiliation with institutions

    Typical information:
        - Rotas
        - System configuration
        - Departmental budget
        - Purchase agreements
        - Teaching materials
        - Research data
        - Minutes of meetings and/or agendas

     

    Labeling

    No requirements

    Access

    Electronic and physical

    No requirements


    Storage

    Electronic

    No requirements

    Physical

    No requirements

    Sending

    electronic

    No requirements

    Physical

    No requirements

  • +

    Level 1 - Internal

    Description and examples

    Information which only users with a purely work-related need may and can have access to, and where a breach of confidentiality will have no or a low impact for AAU, private individuals or partner(s).

    - Non-sensitive personal data, including:
        - Master data (name, telephone no., address, date of birth)
        - Information on education, statements, course certificates and work tasks
        - Information on salary, tax, pension and current account number
        - Driving licence no. and type
        - Nationality
        - System user information
        - Information about illnesses and absences (periods of absence only, not treatment, diagnosis or reason for absence)
        - Participation in classes/courses/groups and subjects 

    Typical information:
        - Rotas
        - System configuration
        - Departmental budget
        - Purchase agreements
        - Teaching materials
        - Research data
        - Minutes of meetings and/or agendas

     

    Labeling

    Information must be labelled so that it is protected against unintentional disclosure.
     
    Documents must be labelled, as a minimum, on the cover sheet.

    Where labelling is not possible, the classification must appear from the file or folder name.

    Access

    Electronic and physical

    Electronic access to information must be protected by a password, PIN etc. (e.g. fingerprint, facial recognition) on the device and must be needed for work-related purposes.

    System access to the device must be locked after five minutes of inactivity. 


    Storage

    Electronic

    On AAU-approved solutions and hardware, such as network drives etc., or approved via AAU-approved data processing agreement, AAU non-disclosure agreement or equivalent.

    Physical

    Stored so that no unauthorised persons can view or access the content. For example, in a locked office, a locked cabinet, box or the like.

    Sending

    electronic

    It is recommended that internal data be encrypted before transmission. In addition, senders must ensure that the recipient is aware of the rules governing the processing of the information received. 

    Physical

    May be sent internally in an internal circulation envelope or by ordinary mail (sealed envelope).

    Ensure the recipient is aware of the rules governing the processing and disposal of AAU information.

  • +

    Level 2 - Confidential

    Description and examples

    Information which only users with a purely work-related need may and can have access to, and where a breach of confidentiality will have semi-serious impacts for AAU, private individuals or partner(s).

    This is information which, by virtue of its personal, technical, commercial or competitive nature and sensitivity, must be protected against unintentional access and disclosure.

    Examples:
    - Inventions and research which can be exploited commercially with a value in excess DKK 1,000,000.
    - Research applications with a value for AAU in excess of DKK 1,000,000.
    - Research data with potential negative impacts

    - Personal data, including:
       - Civil registration (CPR) numbers
       - Employees’ home address, private email, private telephone no. and other private information
       - Driving licence photograph

    Labeling

    nformation must be labelled so that it is protected against unintentional disclosure.

    Physical documents must be labelled on each page/field of view and must have a cover sheet which does not contain any confidential information.

    Information that cannot be labelled must always be stored in systems which clearly display its classification.

    In so far as is possible, electronic labelling must take place at metadata level.

    Access

    Electronic and physical

    Electronic access requires authentication with AAU account information and must be needed for work-related purposes.

    System access must be locked after 5 minutes of inactivity. 

    System access must be logged.

    Data exports from the system must be logged.


    Storage

    Electronic

    Storage may only ever take place on AAU-approved hardware or by partners with whom an AAU-approved data processing agreement for the storage of confidential data has been made.

    Where the data storage medium is publicly accessible, for example in the case of portable media, the medium must be encrypted with strong encryption.
    In connection with workflows involving recording devices, for example, the data must be transferred to encrypted devices as soon as possible and always within seven working days at the latest.
    Approved forms of encryption are determined by CISO.

    Where the storage medium is physically protected in, for example, a server room, administrator access and access to the server room must be logged.

    Physical

    Stored so that no unauthorised persons can view or access the content in a locked office, a locked cabinet, box or the like.

    All materials to be disposed of must be security shredded.

    Use the ‘Follow You’ print system to print documents.

    Sending

    electronic

    Information may only ever be forwarded/disclosed to business partners when a legal basis for such transfer exists (data processing agreement, disclosure, etc.).

    Information may be sent unencrypted in AAU networks.

    Information may be sent via encrypted channels where encryption is guaranteed end-to-end, outside the AAU networks.

    Data sent on portable media must be encrypted.

    CISO maintains a list of permissible forms of communication and lays down tunnel encryption requirements.

    Physical

    May be sent internally in a sealed envelope for the attention of the named recipient or delivered by hand; however, must not be taken on public transport such as buses and trains.

  • +

    Level 3 - Sensitive

    Description and examples

    Information which only users with a purely work-related need may and can have access to, and where a breach of confidentiality will have serious impacts for AAU, private individuals or partner(s).

    This is information which, by virtue of its personal, technical, commercial or competitive nature and sensitivity, must be protected against unintentional access and disclosure.

    Examples:
    - Inventions and research which can be exploited commercially with a value in excess of DKK 5,000,000
    - Research applications with a value for AAU in excess of DKK 5,000,000
    - Research documentation involving sensitive data
    - Confidential personal data, including:
       - Personality test
       - Divorce
       - Adoption
       - Alcohol and drug testing
       - Registration of cheating at exams
       - Grades, marking etc.
       - Significant social problems and family matters
    - Sensitive personal data:
       - Race or ethnic origin
       - Political/religious or philosophical beliefs
       - Data concerning health
       - Sexual relations or orientation

    Labeling

    Information must be labelled so that it is protected against unintentional disclosure.

    Physical documents must be labelled on each page/field of view and must have a cover sheet which does not contain any sensitive information.

    Information that cannot be labelled must always be stored in systems which clearly display its classification.

    Access

    Electronic and physical

    Electronic access requires authentication with AAU account information as well as two-factor validation outside the AAU network.

    System access must be locked after 5 minutes of inactivity. 

    The account must be protected against brute force/password-guessing attacks through locking of the account after 10 failed login attempts within 10 minutes.

    Access to the system must be logged (including administrator access).
    Access (display) to information must be logged at field level (both electronic and physical).

    Changes to data must be logged.

    The exporting of data must only ever be to systems with explicit integration and where a defined purpose of such exports exists, approved by CISO.

    Information must not be visible to anybody but the processors, who must consider the physical environment, including other people being able to see their monitor(s).

    Information access must be checked every six months. Inspection reports must be filed in the ISMS system.

    Processing must be performed by users who are specially entrusted and trained in the processing of the information.


    Storage

    Electronic

    Storage may only ever take place on AAU-approved hardware or by partners with whom an AAU-approved data processing agreement for the storage of confidential data has been made.When stored on portable media, data must be encrypted with strong encryption.

    Sensitive information must not be stored on desktop media with public access, and access to the storage media must be physically restricted to authorised personnel. Access to the area must be logged. This applies, for example, to server rooms.

    When stored on portable media, data must be encrypted with strong encryption. In connection with workflows involving recording devices, for example, the data must be transferred to encrypted devices as soon as possible and always within seven working days at the latest.Approved forms of encryption are determined by CISO.

    Information may only ever be stored in dedicated systems specifically designed for handling sensitive information.

    The system must be updated with the latest security updates within 14 days of such security updates being made available at the latest.

    The system must be supported by the manufacturer or supplier.

    Administrator access to the system must be subject to the same logging requirements as for access.

    In connection with the discarding of media, electronic wiping and shredding must take place in such a way that the information cannot be recovered.

    Physical

    Must be stored in a physical folder, which clearly states the classification level.

    Stored so that no unauthorised persons can view or access the content in locked security cabinets/boxes or the like at AAU locations.

    All materials to be disposed of must be security shredded. Disposal must be logged.

    Use the ‘Follow You’ print system to print documents.

    Sending

    electronic

    Information may only ever be forwarded/disclosed to business partners when a legal basis for such transfer exists (data processing agreement, disclosure, etc.).

    Data must be sent via encrypted channels, where confidentiality is guaranteed by AAU or the recipient.

    Data sent via open channels, or channels owned by third parties, must be data-encrypted.

    Data transported on portable media must be encrypted.

    Approved forms of encryption are determined by CISO.

    Physical

    nformation may only ever be forwarded/disclosed to business partners when a legal basis for such transfer exists (data processing agreement, disclosure, etc.).

    Sensitive documents must sent in a sealed envelope, either by registered mail or by courier. Receipt and dispatch must be logged.