Ώμ²₯ΚΣΖ΅

Skip to main content Skip to local navigation
UIT
Home » Faculty & Staff Services » Microsoft 365 for Faculty and Staff » Handling University Data in Microsoft 365

Handling University Data in Microsoft 365

Data Classification Definitions

Data that is intended for public access and does not require protection. Sharing this information poses no risk to individuals or the institution.

Information that is intended for internal university use only. While not highly sensitive, unauthorized disclosure could cause disruptions or reputational damage.

Sensitive university data that should only be accessible to authorized personnel. Unauthorized access or exposure could lead to reputational harm, legal issues, or policy violations.

  • Examples:
    • Faculty performance evaluations and tenure review documents
    • Internal financial reports and budgeting documents
    • Internal research data that has not been published
    • Legal documents and contracts
    • Non-public grant proposals

Sensitive recorded information about an identifiable individual as defined by the Freedom of Information and Protection of Privacy Act (FIPPA), including:

Ethnic origin, race, religion, age, sex, sexual orientation, marital status, etc.; information regarding educational, financial, employment, medical, psychiatric, psychological or criminal history; identifying numbers, e.g., S.I.N., student number; home address, telephone number; employee files, grievances; student coursework, grades.

Highly regulated data that falls under legal or compliance frameworks, such as Personal Health Information (PHI) and Payment Card Industry (PCI) data. This data requires strict security measures, including encryption, restricted access, and compliance with privacy laws such as FIPPA (Freedom of Information and Protection of Privacy Act).

  • Examples:
    • Student academic records (grades, transcripts, student IDs)
    • Student Health & Counselling Records
    • Payroll & Banking Information
    • Financial Transactions & Payment Data
    • Research involving sensitive participant data
    • Government-issued IDs
ServicePublic
(Low Risk)		Internal
(Medium Risk)		Confidential
Non-PCI/PHI*
(High Risk)		Regulated
Non-PCI/PHI*
(High Risk)		Regulated
PCI/PHI*
(High Risk)
Outlook
(email and calendar to internal @yorku.ca accounts)		βœ”βœ”βœ”βœ–βœ–
Outlook
(email and calendar to external non-York accounts)		βœ”βœ”βœ–βœ–βœ–
Teamsβœ”βœ”βœ”βœ–βœ–
SharePoint
(Default templates)		βœ”βœ”βœ”βœ”βœ–
SharePoint
(Custom templates)		βœ”βœ”With approvalβœ–βœ–
OneDrive for Businessβœ”βœ”βœ”βœ”βœ–
Formsβœ”βœ”βœ”βœ–βœ–
Loopβœ”βœ”βœ–βœ–βœ–
Vivaβœ”βœ”βœ–βœ–βœ–
Copilot Free
With Enterprise Data Protection		βœ”βœ”βœ–βœ–βœ–
Copilot Premiumβœ”βœ”βœ”βœ–βœ–
Power Platform (Power Apps, Automate, BI)βœ”βœ”βœ–βœ–βœ–

*Payment Card Industry (PCI), Personal Health Information (PHI)

Additional Resources

Classification Procedures >>
Classification Standards >>
Additional Policies and Guidelines >>