Data Classification & Management Policy

Introduction

Institutional data is a critical strategic asset of Dublin City University (DCU). It is created, collected, stored, and processed to support teaching, learning, research, and the effective operation of the University.

To protect this information, DCU must ensure that all data is handled with a level of security appropriate to its sensitivity and the risks associated with its loss, misuse, or unauthorised disclosure.

This policy establishes a unified framework for classifying all university data, whether electronic or physical. A consistent classification approach supports effective data management, enables risk based protection, ensures regulatory compliance, and safeguards the financial, legal, and reputational interests of the University and its community.

Purpose

The purpose of this policy is to:

Establish a Standardised Framework for classifying institutional data based on sensitivity and risk
Enable Risk-Based Protection by defining the application of appropriate security controls.
Define Governance Rolesand clarify responsibilities for data management and use.
Ensure Regulatory Alignment with legal, statutory, and contractual obligations, including GDPR.
Foster Shared Responsibility by ensuring all members of the DCU community understand the value and sensitivity of the information they handle.

Scope

This policy applies to all University data, regardless of its format or where it is stored (e.g., on-campus servers, cloud services, personal devices, physical locations).

This policy applies to all units of the University, both academic and professional support departments, including DCU research centres and wholly owned campus companies and 3rd party holders of DCU data, in accord with the contractual obligations for use of university data. It is noted that while the classification and management of data in campus companies are subject to privacy protections aligned with GDPR, campus company data is not subject to Freedom of Information requests. Throughout this policy, these entities are collectively referred to as “the University”.

Policy Statement

All University data must be assigned one of four classification levels. The classification reflects the potential impact on the University or to individuals if the data were disclosed, altered, or destroyed without authorisation.

Level 1- Public Data: Public Data are university data that can be made available for public consumption, including data published by the university, and data made available under governance arrangements, e.g. annual reports. The use or disclosure of public data poses no commercial, reputational or regulatory risk to the institution.

Level 2- Internal Data: Internal data are university data that are intended for internal University use only, however, and unauthorised disclosure outside of the University would result in minor operational inconvenience or reputational embarrassment. Generally, internal data is made available to all staff internally to support their work.

Level 3- Confidential Data: Confidential data are restricted to individuals and teams who require access for the purposes of fulfilling their roles. This information is often central to the university’s operations on university systems and may include information of identifiable individuals, or budgetary information. Unauthorised disclosure of confidential information could result in regulatory penalties, financial loss, or cause reputational harm to the university.

Level 4- Highly Restricted Data: Highly restricted data are the most sensitive data held by the university, including sensitive information about both staff and students. The sensitive nature of highly restricted data means they are held only for specific and necessary purposes and must be treated with the highest levels of protection, including specific protocols on accessing data for specific purposes. Unauthorised disclosure of highly restricted data is deemed to have the potential for significant harm to individuals, and extensive reputational or regulatory damage to the institution.

Classification Level	Description & Impact of Unauthorised Disclosure	Indicative Examples	Access and Data Management
Level 1: Public	Data that is intended for public consumption and is not confidential. Disclosure poses no risk to the University.	University prospectus and high-level programme information Publicly accessible website content, including staff profiles Published research articles and/or associated open access data Press releases Job advertisements DCU data that is published by 3^rd parties, e.g. HEA, QQI	Data is available and accessible to external audiences Data is regularly reviewed for accuracy Data is provided in accessible formats No restrictions are applied to internal use or external sharing of this data
Level 2: Internal	Data is generally available to all DCU staff, but not generally to outside audiences. Data intended for internal University use only and may be considered DCU intellectual property. It is not considered sensitive but is not for public release. Disclosure could cause minor operational inconvenience, reputational embarrassment, or be unhelpful to internal operations.	Non-confidential meeting minutes General internal communications University procedural guidelines not intended for the public Non commercially sensitive or confidential high-level (School level or greater) summary statistical reports based on university data Internal policy documents, SOPs, operating frameworks etc	Electronic data is stored on DCU managed storage resources which require DCU login (e.g. DCU drives, google drive, encrypted laptop) Physical copies in lockable offices, areas of restricted access, or appropriate cabinetry Data should not be shared externally, other than with specific permission by authorised individual and to identified recipients. Internal data must only be used with authorised AI tools and never uploaded to unauthorised tools or used to train external models.
Level 3: Confidential	Sensitive data that is protected by law, regulation, or University policy. Access is restricted to relevant individuals with a legitimate need to perform their duties, based on responsibilities. While access may be broad, access is provided on the basis on legitimate interest as defined by role, or for personal data, within the bounds of Data Privacy and related policies. Disclosure could lead to significant financial loss, loss of IP, legal penalties (e.g., under GDPR), reputational damage, or harm to individuals.	Personal Identifiable Information of students and staff (e.g., names, addresses, ID numbers, personal email) Student academic and financial history Non-public financial records and budgets Pre-publication research data Sensitive or confidential summary statistical reports Pre-exam papers and broadsheets Exam invigilator reports Data relating to philanthropic funding or donor briefings.	Electronic data should be stored on DCU managed storage resources with restricted access Confidential data should be transferred using HEANet file sender, or by email when absolutely necessary, using the “confidential mode” on DCU email. Data should only be printed when necessary and physical copies should be labelled “Confidential”. Physical copies should be retained in locked storage and shredded on placed in confidential waste bins after use. Digital copies should also be purged in line with approved protocols. The uploading of confidential institutional data to AI tools should be avoided other than in circumstances where its use is approved for business purposes.
Level 4: Highly Restricted	The University's most sensitive data, requiring the highest level of security and access control. Disclosure could result in exceptional harm, including significant personal harm to individuals, severe legal penalties, major financial loss, risk to personal safety, or significant reputational damage.	Special Category Personal Data (as defined by GDPR) held for any purpose, e.g., health records, biometric data, racial or ethnic origin, disability status Employee contracts and performance reviews Student disciplinary records Payment Card Industry (PCI) data (credit card numbers) Legally privileged information High-stakes intellectual property or commercially sensitive research Passwords, encryption keys, and system credentials Documentation on staff or student grievances	Electronic data is stored directly purpose-built applications, or within restricted folders and files that are subject to identifiable role-based access Processes are in place within units to eliminate all unnecessary storage of physical copies of highly restricted documentation. Data is never transmitted by email unless absolutely necessary, and when transferred using HEANet File sender and confidential mode in email. The use of AI tools on highly sensitive data is strictly prohibited unless through specifically designed, in-system tools

Roles & Responsibilities

Clear articulation of responsibilities is essential for the effective oversight of university data. The following roles are central to this policy:

Data Trustee: As per the DCU Data Governance Policy, data trustees have ultimate responsibility for the overall oversight of data domains under their executive remit. In the context of this policy, Data Trustees are responsible for,

Ensuring the classifying data assets under their control in accordance with this policy.
- Ensuring existence of process for the approval and regular review of access privileges.
- Ensuring that data are managed in compliance with relevant policies and regulations.
- Delegating the day-to-day management of data to appropriately senior colleagues, including domain-level Data Stewards.

Data Stewards/ Heads of Departments: Data stewards are identified in some university departments and have responsibility for overseeing the implementation of data governance and data quality within their university department or unit. In other cases, this responsibility will lie with heads of department within university departments. In this context of this policy, data stewards or heads of department are responsible for,

Implementing the data classification procedures approved by the Data Trustee.
- Defining and managing data quality, integrity, and business rules.
- Overseeing access controls (including withdrawal of access) and ensuring data is used for its intended purpose.
- Ensuring colleagues within the area are aware of their responsibilities to appropriately manage and protect university data

Data Custodian: Data Custodians are defined in the Data Governance Policy as being responsible for managing and protecting institutional data to ensure its security, accuracy, and compliance with regulatory and institutional policies. Data custodians are typically involved in overseeing technical aspects of data storage, access, integration, and processing. In the context of this policy data custodians may be responsible for,

Implementing and maintaining the technical security controls (e.g., encryption, firewalls, access logs) appropriate for the data's classification.
- Ensuring the data handling and security procedures are followed.
- Managing data backup and recovery.

Data User: Any individual (staff, student, contractor) who accesses, processes, or otherwise handles University data in the performance of their duties.

The Data User is responsible for:

Handling all data in accordance with its classification and the University's policies.
- Using data only for authorised purposes.
- Reporting any suspected or actual data breaches or security incidents immediately.

Sanctions

The unauthorised use of university data, including the failure to comply with this policy, constitutes a violation of this policy. Violation of this policy may result in a revocation of access to university data. Significant and conscious disclosure of internal, confidential or highly restricted data may result in revocation of access privileges and/or disciplinary action.

Policy Name	Data Classification and Management
Unit Owner	Data Governance and Strategic Intelligence
Version Reference	V2.0	N/a
Approved by	DCU Executive	N/a
Effective Date	17^th February 2026	N/a