Umm Al-Qura University

Umm Al-Qura University

Data Classification Policy

- 2019/04/09

Data Classification Policy:

This policy defines data classification in various business areas of UQU according to its degree of sensitivity and risk.


This policy is applied to any user who may access or manage any academic or administrative information system in the university.


Building and developing integrated e-systems internally and externally.

Automating all services and transactions.

Strategic Objective

Ensuring that UQU has appropriate means to protect its electronic data accessed through any academic or administrative system and that all community members appreciate the importance of data protection and act in a way that ensures appropriate data use.

Detailed Objective



  1. UQU information assets are crucial to its operations. This data classification policy framework has been established to protect UQU data and to minimize any risk that could negatively impact university operations or its ability to fulfill its mission. Data classification is a method of identifying the sensitivity and risk levels of data.
  2. The data used in any academic or administrative system can be classified into four categories:
  • A. Level 1 - Confidential (Restricted):

Restricted data is defined as highly sensitive data. Disclosure of such data may have a severe negative impact on UQU. The highest level of control should be applied to data classified in this category. Some examples of such data include financial information, protected student information, staff and faculty personal information, and file encryption keys.

  • B. Level 2 - Private:

Private data is defined as moderately sensitive data; disclosure of such data may seriously impair UQU's operations. Such data would not normally include information considered "confidential." Private data includes research results and some financial transactions.

  • C. Level 3 - Sensitive (Internal Use Only):

Sensitive data is not approved for distribution outside UQU; however, disclosure of this information is considered to be low risk and unlikely to damage or inconvenience UQU.

  • D. Level 4 - Public:

Public data is defined as data that can be readily accessed by the public. The disclosure of such data has either a neutral or a positive impact on UQU. Some examples include media and press statements, class schedules, UQU maps, and newsletters.

Operational Policies and Procedures:

  1. It is the responsibility of each data custodian to define the data classification for their business area. Users who have access to any UQU academic or administrative systems must verify the data classification of the data they access with the data custodian before sharing such data internally or externally.
  2. The designated data custodians for any academic and administrative systems are responsible for reviewing and evaluating data within their domain and labeling such data based on the categories described above.
  3. The data custodians are responsible for applying all necessary controls to ensure adequate protection of UQU data within their assigned responsibilities.
  4. The Information Technology Director is responsible for enforcing this policy.
  5. The academic or administrative systems officer is responsible for coordinating and working with UQU data custodians to assist in applying controls to data, based on definitions and labels provided by the data custodians.
  6. The systems’ end-users are responsible for usage of data following the definitions and classifications provided by the data custodians.