Skip to content

Data Classification Based on Content and Considerations for the Processing of Personal Data

Author: Anna-Liisa | Published: 22.4.2026
Keywords: , , , ,

This guideline is related to the Guidelines for Processing Information in Different Environments of the University of Oulu and Oamk.

Considerations Related to the Processing of Personal Data

Special care must always be exercised when processing personal data.
If an organisational unit or faculty needs to deviate from this guidance with regard to the processing location of information, a separate data protection pre‑assessment or a data protection impact assessment (DPIA) in accordance with the General Data Protection Regulation should be carried out for the planned processing of personal data.

Additional information:

Based on the results of the pre‑assessment or DPIA, the responsible party may decide whether the information asset may be processed in the service in question.

Data Classification Based on Content

Classify information according to the highest‑level data type present in the information asset.

Once a class has been selected, assess whether the information contains personal data at the level of that class. If it does, classify the information using the personal‑data subclass.

Examples

  • If a Confidential, Restricted (2A) information asset contains Confidential, Restricted (2A) personal data, it is classified as:
    Confidential, Restricted (2A), Personal Data
  • If a Secret (1R) information asset contains Confidential (3Y) personal data, it is classified as:
    Secret (1R), Other Information

The Restricted Access subclass is used only when the file must be protected by encryption or when access rights must be defined at the document level.

Content determines the classification, not the type of material (memo, draft, etc.).

 Secret (1R) – Other Information

Information whose disclosure would cause serious harm, including:

  • Business secrets requiring special protection
  • Contractually protected information as specified by the owner
  • Documentation related to exceptional situations and organisations
  • Internal security information of the higher education institution
  • Protection and security arrangements related to persons and buildings
  • IT system protection and security arrangements:
    • Information security documentation
    • Network documentation
    • Detailed technical documentation of information systems
    • Technical documentation of access control
  • Security‑classified information from authorities

 Secret (1R) – Personal Data

Personal data whose processing may pose significant risks to an individual’s fundamental rights and freedoms, including:

  • Special categories of personal data (e.g. ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, sexual orientation or behaviour, genetic and biometric data used for identification)
  • Medical certificates for sick leave
  • Data relating to salary, financial situation, economic status, and payments
  • Assessments of personal characteristics
  • Results of psychological tests or aptitude assessments
  • Student welfare data or data relating to exemption from education
  • Protected educational materials
  • Social welfare client data
  • Personal data relating to criminal convictions and offences

Secret (1R) – Restricted Access

Secret (1R) other information or personal data that is protected and for which access rights are defined at the document level, for example:

  • Secret (1R) information processed in research collaboration requiring special protection

 Confidential – Restricted (2A) – Other Information

Confidential information for which access must be more strictly restricted than for 3Y‑class data to reduce risk, including:

  • Information confidential under the Act on the Openness of Government Activities when confidentiality or long‑term storage involves high risk
  • System portfolios, project portfolios, information management model
  • NDA material
  • Complaints documents before case resolution
  • Trade or professional secrets of third parties
  • The university’s own trade or professional secrets
  • Protected intellectual property rights (IPR)
  • Preparedness for accidents and exceptional circumstances, civil defence
  • Documents concerning ongoing civil or criminal cases
  • Procurement materials prior to publication
  • Accounting and financial materials
  • Data provided to statistical authorities for compiling statistics

 Confidential – Restricted (2A) – Personal Data

Personal data subject to special requirements and stricter access controls than 3Y‑class data, including:

  • National personal identity number
  • Data relating to a minor
  • Payment contact details and payment card information
  • Information on secret phone numbers, contact details marked with a non‑disclosure order, and other contact details whose confidentiality has been requested for justified reasons
  • Information on participation in associations or leisure activities, family life, or comparable personal circumstances
  • Student examination and test results
  • Student personal study plans
  • Thesis and scientific research plans, (technical) development work

 Confidential (3Y) – Other Information

The default classification for produced information, automatically applied by the M365 classification system in document metadata. Includes:

  • Information accessible only to staff and restricted internally (e.g. by role, authorisation, or right to process information)
  • Notes and drafts
  • Information received from third parties without specific handling instructions
  • Internal working documents
  • Project information
  • Working memoranda of leadership teams, working groups, project groups, or preparatory groups not mentioned in the institution’s statutes
  • Extensive or nationally long‑term research datasets, regardless of content

 Confidential (3Y) – Personal Data

Includes:

  • Basic personal data
  • User‑identifying identifiers: name, email address, phone number, work address
  • Other staff‑only personal data not subject to special requirements as in classes 2A and 1R
  • Unique user identifiers such as an AD account
  • Other data relating to a person collected directly from/about the person (e.g. purchase history, service usage history, usage logs, consent data)
  • Data that does not directly identify a person but can do so when combined with other data (e.g. IP address linked to a device and then to a person)
  • Basic employment relationship data

Internal (4G) – Other Information

Information freely available to all members of the community, such as:

  • Internal training materials
  • Content published on the intranet
  • Internal news
  • Internal instructions
  • Teaching materials not intended for anonymous sharing

Internal (4G) – Personal Data

Personal data freely available to all members of the community, including:

  • Personal data designated as internal by the organisation or the individual
  • Contact details published on the intranet

Open (5W) – Other Information

Information freely available to the general public, including:

  • Information designated as open by the organisation or individual
  • Website content, announcements, publications, documents, public instructions, social media communications
  • Teaching material shareable via anonymous links

Open (5W) – Personal Data

Open personal data, including:

  • Personal data designated as public by the organisation or individual
  • Contact details published on public websites

Personal

Personal information for private use.

Limited private use of IT services is permitted in accordance with ICT service terms of use.

« Back

This article was published in categories English version available, All instructions, Oamk , for Oamk staff, for the University of Oulu staff, Saavutettava ohjeartikkeli, UniOulu and tags , , , , . Add the permalink to your favourites.