Data Classification Policy - Legal & HR

The Data Discovery in Data Classification Policy is a process that helps organizations identify and classify data for security and governance. This process can be manual or automated, and it typically involves identifying data sets, determining their sensitivity, and then assigning labels accordingly. Data classification can be a complex and time-consuming task, but it is essential for ensuring that data is properly protected and managed. 


Data Classification procedure

  • Data owners review each piece of data they are responsible for and determine its overall impact level, as follows:

  • If it matches any of the predefined types of restricted information listed in Appendix A, the data owner assigns it an overall impact level of “High”.

  • If it does not match any of the predefined types in Appendix A, the data owner should determine its information type and impact levels based on the guidance provided in Sections 5 and 6 of this document, and NIST 800-600 Volume 2. The highest of the three impact levels is the overall impact level.

  • If the information type and overall impact level still cannot be determined, the data owner must work with the data custodians to resolve the question.

  • The data owner assigns each piece of data a classification label based on the overall impact level:

  • Overall impact level    Classification label

    1. High    Restricted

    2. Moderate Confidential

    3. Low Public

  • The data owner records the classification label and overall impact level for each piece of data in the official data classification table, either in a database or on paper.

  • Data custodians apply appropriate security controls to protect each piece of data according to the classification label and overall impact level recorded in the official data classification table.



Data owner: 

The person who is ultimately responsible for the data and information being collected and maintained by his or her department or division is usually a member of senior management.  The data owner shall address the following:

  • Review and categorization: Review and categorize data and information collected by his or her department or division

  • Assignment of data classification labels: Assign data classification labels based on the data’s potential impact level

  • Data compilation: Ensure that data compiled from multiple sources is classified with at least the most secure classification level of any individually classified data

  • Data classification coordination: Ensure that data shared between departments are consistently classified and protected

  • Data classification compliance (in conjunction with data custodians): Ensure that information with high and moderate impact levels is secured by federal or state regulations and guidelines

  • Data access (in conjunction with data custodians): Develop data access guidelines for each data classification label