You are here: Information Security Classification of data

Classification of data


On this page, you can find information on how to classify data as public data, internal data, sensitive data or confidential data.  The classification of data is a key aspect of information security at Aarhus University. If we do not classify our data and treat data in relation to their respective classifications, we risk compromising personal data or having to withdraw patent applications.

Public data

Defined as data to which anyone who so wishes has or can have access. This can be data on public websites, educational leaflets etc. Such data does not usually require any special protection, but it must be ensured that only authorised persons are allowed to edit it.

Internal data

Defined as data which must only be used and communicated internally, and which users need in order to do their jobs. This can be minutes of meetings, forms, invoices etc. Internal data requires a certain degree of protection. As a minimum, it must be ensured that only authorised persons have the access that allows them to read and change data.

Sensitive data

Defined as data covered by the Danish Act on Processing of Personal Data. Sensitive data requires a particularly high level of protection. Access must be limited to as few authorised people as possible, and encryption should be considered. Sensitive data must never be stored or processed on private equipment, and encryption must be used if data is transferred to external media. Please also note that it may be necessary to enter into data-processing agreements and to notify the Danish Data Protection Agency. Find more information under Data protection (GDPR).

Confidential data

Defined as the data that only specially entrusted users can access in order to exercise their work functions, and for which a breach of confidentiality may be detrimental to AU or its collaborating partners. This can be applications, contracts, accounting data etc. Confidential data requires a high degree of protection. Access must be restricted to authorised persons, and use of encryption should be considered, particularly in the event of transfer to external media or services. Confidential data must never be stored or processed on private equipment.

1443008 / i40