Data classification guides the protective measures used in the handling of information to ensure secure use. Technical implementations support the guidelines, but user’s responsible actions are the key. Together, this framework forms the foundation for secure, lawful, and well‑controlled information processing at Oulu’s higher education institutions.
Data Classification and Class‑Related Restrictions
This guide explains how information is classified at Oulu’s higher education institutions and how the secure, lawful, and controlled handling of classified information is ensured.
Table of Contents
- Background and purpose
- The goal: data classification that enables automatic protection in the M365 environment when needed
- User responsibilities
- Data classification model
- Classification in practice
- What kind of information belongs to which class?
- Sensitivity labeling (classification) in different M365 products
- The role and purpose of technical handling rules
- What is automatically controlled based on classification, and how?
- Continuous development of classification and controls
Background and Purpose
During 2026, Oulu’s higher education institutions will introduce the national data classification model for staff use, in accordance with the mandate of the Arene and Unifi Rectors’ Councils (10/2024). The work is coordinated by a joint national coordination group for higher education institutions, which includes representatives from the IT directors’ networks of universities and universities of applied sciences (AAPA and FUCIO) as well as trusted networks of information security experts (AMK‑Sec and YO‑ISAC). The group is responsible for developing the model, producing support materials, and communicating with various stakeholder groups.
Communication between higher education institutions on this topic primarily takes place in Eduuni Teams, in the KOKKO team’s Tiedonluokittelumalli channel (joining the channel requires membership in the staff of a Finnish higher education institution; see information on joining the KOKKO team (only in Finnish)). Public materials are available to everyone via the Eduuni service.
The purpose of classifications and their related handling rules (so‑called controls) is to ensure the security, efficiency, and legality of the organization’s information management. Each classification has its own role, and the handling rules support their appropriate use. Staff at Oulu’s higher education institutions must understand why classifications are used, how they affect day‑to‑day work, and what practical actions are required to comply with them.
The Goal: Data Classification Enables Automatic Protection in M365
The first step is to identify which class the information being handled belongs to. This may mean, for example, that the information is:
- public
- internal
- confidential, or
- secret.
The classification is determined based on:
- the content of the information,
- its intended use, and
- an assessment of the associated risks.
It is important that every employee pauses to consider whether the information being handled could fall into the wrong hands and what the consequences would be.
Once the user has classified the information, the rules related to its handling come into effect. These rules may include procedural guidelines.
Organizational guidelines concern:
- sharing information,
- archiving, and
- disposal.
In addition, emails, files in M365 office applications, and PDFs can be classified using the M365 classification tool (sensitivity labeling). Based on the assigned sensitivity label, technical restrictions (so‑called controls) may be applied automatically by the system, such as:
- restricting access rights,
- encrypting documents, or
- creating automatic backups.
The goal of handling rules (both procedural guidelines and technical restrictions) is to ensure that information moves only between those for whom it is intended and that it is handled responsibly throughout its entire lifecycle.
As a member of staff at Oulu’s higher education institutions, you are required to comply with common rules for information handling. This includes, for example, ensuring that only information classified as public is shared in public channels, and that internal information remains within internal services. We aim to foster an open culture of discussion about data classification within the work community. In unclear situations, we encourage you to seek advice from supervisors or colleagues at a low threshold. Help is also available from ICT Services at tiedonluokittelu@oulu.fi. In matters related to the processing of personal data, at the University of Oulu you can consult your unit’s or faculty’s data protection support persons, the University of Oulu’s Data Protection Officer, and at Oamk, Oamk’s Data Protection Officer. In this way, we prevent human errors and strengthen trust within Oulu’s higher education institutions.
The purpose of classifications, handling rules, and the resulting automatic technical restrictions is not to unnecessarily restrict the flow of information, but to enable secure and smooth work. When practices are clear and you follow them, you can focus on your work with confidence. Through guidelines and regular training, you maintain your competence and help ensure that classifications and handling rules serve the entire higher education consortium in the best possible way.
User Responsibilities
Every user is responsible for:
- identifying the nature of the information they handle,
- choosing the correct classification, and
- acting in accordance with the requirements of that classification.
Use the following guidelines to support classification:
- Guidelines for handling information assets of the University of Oulu and Oulu University of Applied Sciences in different operating environments
- Classification of information assets based on content and notes on the processing of personal data
- Applying Sensitivity Labels in M365 (File Classification)
See also:
If necessary, expert support is available at tiedonluokittelu@oulu.fi.
Data Classification Model
The data classification model used at Oulu’s higher education institutions is a risk‑based, general‑purpose model that applies to all information regardless of format or system. Risk refers to the possibility that a threat materializes and causes harm.
Classification in Practice
As a general principle, classification is always based on content, not on storage location or tool. The need for classification applies to files, emails, and information assets. Materials printed on paper are also classified information assets.
Classification information is:
- a sensitivity label, an attribute assigned to a file in various Microsoft M365 products, visible in the file’s metadata. To improve accessibility, it is recommended to also add information about the classification to, for example, a cover page.
- in systems where classification is not stored in metadata, it can be added to the document’s cover page.
In M365 if the class is not selected manually, the default classification is Confidential. If a file shared with editing rights does not previously have a classification, the default class is applied even when the file is owned by someone else and a user with editing rights opens an unclassified file.
What Kind of Information Belongs to Which Class?
The purpose of the information handling guidelines is to support correct classification in everyday situations, ensuring that information is handled properly throughout its entire lifecycle. See also the guidelines for handling information in different operating environments, as classification also restricts where information may be stored and processed.
Classification in Different M365 Products
You can classify a file in Office applications by adding a sensitivity label to the file either when saving the file, from the menu in the title bar, or via the Sensitivity button in the tool ribbon.
See the detailed instructions on Applying Sensitivity Labels in M365 (File Classification)
The Role and Purpose of Technical Handling Rules
Technical handling rules (controls) are classification‑based technical and functional restrictions that ensure information is handled correctly.
At Oulu’s higher education institutions, automatic technical handling rules currently apply only to emails and files processed in the M365.
The basic principle of controls is that the higher the classification, the stricter the controls. In environments such as Linux, where automatic controls are not yet available, users must themselves handle information and files according to the rules described in the Guidelines for handling information assets of the University of Oulu and Oulu University of Applied Sciences. See also the guidance on classifying information assets based on content and notes on personal data processing.
What Is Automatically Controlled Based on Classification, and How?
Based on the applied classification, controls automatically regulate:
- sharing of information within and outside the organization,
- access rights and role‑based access to information,
- processing of information in the Microsoft 365 environment, and
- access of Copilot AI used by staff to information.
Controls are implemented in M365 using Microsoft Purview, which applies them across applications such as Office products, SharePoint, OneDrive, Teams, and PDF processing in both Adobe products and PDF‑XChange.
Through these controls, classification technically guides the use of information in a consistent and proactive manner.
Continuous Development of Classification and Controls
Classification and controls:
- will be rolled out to all staff and so‑called “UFO users”,
- will evolve based on cooperation within national working groups and improvement suggestions raised by users, and
- require:
- training,
- updates to guidelines, and
- consideration of user feedback.
The goal is for classification to be a natural part of everyday work, not a separate administrative burden.