Background
Grasslands Public Schools creates, collects, stores, and transmits information of varying sensitivity on a daily basis, from publicly available school calendars to highly confidential student records and legal files. Without a systematic approach to classifying this information, the Division cannot ensure that appropriate safeguards are applied proportionate to the risk of unauthorized disclosure.
This Administrative Procedure establishes a data classification framework that assigns sensitivity levels to all Division information, defines handling requirements for each level, and integrates with the Division's Microsoft Purview and Google Workspace sensitivity labeling systems.
Scope
This procedure establishes the Division's security classification system for all personal information, data derived from personal information, and non-personal data in the custody or control of Grasslands Public Schools. The classification framework applies to all information created, collected, stored, processed, or transmitted by the Division, regardless of format or storage location. This includes:
- Electronic records in Division systems, cloud services, and email
- Physical documents and records
- Information shared with or received from third parties
- Information on portable devices and removable media
This procedure applies to all employees, contractors, volunteers, and any other individuals who handle Division information.
Definitions
Terms not defined in this procedure have the meanings assigned in Policy 310 – Information Security Charter and Policy 311 – Privacy and Access to Information.
Classification: The process of assigning a sensitivity level to information based on its content, context, and the potential impact of unauthorized disclosure.
Data Custodian: An individual responsible for the technical management and security of information assets. For digital assets, this is typically the Technology Department. For paper records, this is often the principal.
Data Owner: The individual or department responsible for determining the classification of information and authorizing access. For student records, the school principal is typically the Data Owner. For administrative records, the department head is typically the Data Owner.
Handling Requirements: The security controls and procedures that must be applied to information at each classification level.
Sensitivity Label: For digital information assets, this is usually a metadata tag applied to electronic documents and emails through Microsoft Purview or Google Workspace that identifies the classification level and can enforce protection policies. For paper, this is typically a document header or footer.
Secure Printing: A method of printing that prevents unauthorized access to printed material. Secure printing requires either pull printing (print jobs held at the queue and released only after authentication at the printer) or confidential print (a PIN entered at the printer before the job releases). Routine "retrieve immediately" practices, while important, do not constitute secure printing.
Responsibilities
Data Owners
- Determine the appropriate classification for information under their responsibility.
- Authorize access to Restricted and Confidential information.
- Review and approve external sharing requests for Restricted information.
- Ensure staff understand classification requirements for information they handle.
Data Custodians
- Implement technical controls to enforce handling requirements.
- Configure and maintain Microsoft Purview and Google Workspace classification labels and policies.
- Monitor for classification policy violations.
- Provide guidance on classification decisions when requested.
Director of Technology
- Hold overall responsibility for classification system implementation for digital information assets.
- Approve storage locations for Confidential information.
- Review Microsoft Purview and Google Workspace classification label policy effectiveness and recommend updates.
- Coordinate with the Access and Privacy Coordinator on privacy-related classifications.
Access and Privacy Coordinator
- Ensure the classification framework aligns with POPA requirements.
- Advise on classification of personal information.
- Review classification decisions involving privacy considerations.
All Staff
- Apply appropriate classification to information they create or receive.
- Apply sensitivity labels to electronic documents and emails.
- Handle information in accordance with the requirements for its classification level.
- Report suspected classification errors or policy violations to their supervisor or the Technology Department.
Procedures
1. Classification levels
Grasslands Public Schools uses four primary classification levels, with sub-classifications to provide additional specificity. All Division information must be assigned one of the following classifications. When in doubt, apply the higher classification level.
a. Public Information
- Information that is intended for public release or that would cause no harm to the Division, its students, or staff if disclosed.
- Examples include published policies and procedures (Board-approved versions), school calendars, event schedules, public announcements, press releases, Division website content, job postings, and annual reports intended for public distribution.
- Information is not public unless explicitly designated as such.
b. Internal
Information intended for internal Division use that is not suitable for public release. Disclosure beyond the intended audience could cause harm, including reputational impact, breach of staff or community trust, or operational disruption.
This category includes internal operational information that does not contain personal information (such as internal communications, draft policies, operational plans, training materials, and system documentation), and routine personal information collected in the normal course of operations (such as student and parent contact information, class lists, enrollment and attendance records, and routine correspondence). Even seemingly routine personal information can cause significant harm if disclosed beyond its intended audience.
c. Restricted
Sensitive information that requires enhanced protection. Unauthorized disclosure could cause significant harm to individuals or the Division, including privacy breaches, reputational damage, or regulatory consequences.
This category covers information accessible only to those with a defined legitimate need to know, including student academic and assessment records, Individual Education Plans, student medical and behavioral information, staff personnel files, performance evaluations, hiring documentation, legal matters, Board in-camera materials, labour relations documentation, and detailed security incident reports. The audience for any specific Restricted record is determined by the Data Owner.
d. Confidential
The most sensitive information requiring the highest level of protection. Unauthorized disclosure could cause severe harm to individuals or the Division, including significant legal liability, regulatory penalties, or irreparable reputational damage.
This category includes information received from or shared with third parties under formal confidentiality agreements, proprietary vendor information, security vulnerability assessments and penetration test results, cybersecurity incident details during active investigations, authentication credentials and encryption keys, information subject to legal privilege, and whistleblower reports.
e. Sub-classifications
Sub-classifications may exist within these four levels for operational refinement, particularly within Microsoft Purview and Google Workspace where label hierarchies support more granular handling. These sub-classifications are tools for data organization rather than additional handling tiers; they refine but do not alter the protection standards established in Section 3 (Handling requirements). Sub-classifications may be added or adjusted by the Director of Technology in consultation with the Access and Privacy Coordinator as operational needs emerge.
2. Classification decision framework
When classifying information, Data Owners shall consider the factors outlined in the following table:
| Factor | Higher Classification Indicated When… |
|---|---|
| Personal Information | Contains personal information, especially sensitive PI (health, financial, children) |
| Regulatory Requirements | Subject to POPA, ATIA, or other legislative requirements |
| Contractual Obligations | Subject to NDA or vendor confidentiality requirements |
| Audience | Intended for limited internal audience only |
| Impact of Disclosure | Disclosure could cause harm, embarrassment, or liability |
| Aggregation | Combined with other data, creates a sensitive profile |
| Data Derived from PI | Contains or was created from data derived from personal information through data matching |
When in doubt, apply the higher classification level.
3. Handling requirements
The following matrix summarizes the handling requirements for each classification level. Detailed requirements follow the summary table.
| Requirement | Public | Internal | Restricted | Confidential |
|---|---|---|---|---|
| Sensitivity Label | Recommended | Yes | Yes | Yes |
| Encryption at Rest | No | Recommended | Required | Required |
| Encryption in Transit | No | Required | Required | Required |
| External Sharing | Permitted | With caution | Approval required | Prohibited without NDA |
| Removable Media | Permitted | Encrypted only | Prohibited | Prohibited |
| Personal Devices | Permitted | Division-managed apps only | Prohibited | Prohibited |
| Printing | Permitted | Retrieve immediately | Retrieve immediately | Secure printing only |
| Disposal | Recycle | Shred / secure delete | Shred / secure delete | Shred / secure delete with verification |
a. Public Information
- No special handling requirements apply.
- May be shared externally without restriction.
- Sensitivity labels are recommended to confirm deliberate classification and prevent accidental escalation when content is repurposed.
b. Internal Information
- Must be stored in Division-managed systems. Personal cloud storage and local drives are not permitted.
- A sensitivity label must be applied to electronic documents and emails.
- May be shared internally without restriction.
- External sharing is permitted with appropriate caution.
- Must not be stored on removable media unless encrypted.
- Physical documents must be secured when not in use, consistent with Policy 310.
- Documents printed to shared printers shall be retrieved immediately and not left unattended in output trays.
c. Restricted Information
- Must be stored in Division-managed systems with appropriate access controls.
- A sensitivity label must be applied; encryption shall be enforced through Microsoft Purview or Google Workspace.
- Access is limited to individuals with a legitimate business or educational need.
- External sharing requires approval from the Data Owner. For Restricted information accessible only to Senior Administration or the Board, external sharing approval comes from Senior Administration.
- Must not be stored on removable media or personal devices.
- Must not be accessed on public or unsecured networks without VPN.
- Physical documents must be stored in locked cabinets or offices.
- Printing shall be minimized; printed copies must be retrieved immediately and secured.
- Must be disposed of via shredding (physical) or secure deletion (electronic).
d. Confidential Information
- Must be stored only in designated secure systems approved by the Director of Technology.
- A sensitivity label must be applied; Microsoft Purview or Google Workspace shall enforce encryption and access restrictions.
- Access is strictly limited to named individuals authorized by Senior Administration.
- External sharing is prohibited unless authorized by the Superintendent and covered by an appropriate legal agreement (NDA or equivalent).
- Must not be transmitted via standard email; encrypted channels approved by the Technology Department shall be used.
- Must not be stored on removable media or personal devices, or printed without explicit authorization.
- Must not be discussed in public areas or on unsecured communication channels.
- Disposal requires verification and documentation.
e. General handling practices
The following practices apply to all information classified as Internal or above:
- Clear Desk: Personal, confidential, or sensitive information in physical form shall not be left unattended in open view. Documents containing such information shall be secured when not in active use.
- Clear Screen: Workstations shall be locked (Windows+L or equivalent) when leaving a workspace, even briefly. Screens displaying sensitive information shall be positioned to prevent viewing by unauthorized individuals.
- Secure Printing: Documents containing personal or confidential information sent to shared printers shall be retrieved promptly and not left unattended in output trays.
- Records in Vehicles: Personal information in any format (paper records, laptops, tablets, USB drives) shall not be left in unattended vehicles. Where vehicle transport of records or devices containing personal information is necessary, items shall be stored in a locked trunk or locked compartment out of sight. Transport of Restricted or Confidential records by vehicle shall be minimized and limited to situations where electronic transmission is not feasible.
- Secure Disposal: Physical documents containing personal or confidential information shall be shredded or placed in designated secure disposal bins. Electronic media shall be disposed of in accordance with Technology Department procedures. For step-by-step data sanitization and disposal procedures for IT assets, see IM-016 – Hardware Asset Management and Secure Disposal.
- Personal Information Storage: Personal information shall be stored in designated Division-managed information systems, not in personal storage folders, removable media, or unapproved applications. Retention requirements for personal information, including statutory minimums for information used in decision-making, are defined in IM-009 – Records Retention Schedule.
4. Labeling requirements
a. Electronic Documents
- All electronic documents containing Internal, Restricted, or Confidential information must have a sensitivity label applied (Microsoft Purview or Google Workspace) before saving or sharing.
- Labels shall be applied at the time of document creation. If the classification level changes, the label must be updated.
- The Technology Department shall configure label policies to prompt users to apply labels to unlabeled documents and to prevent sharing of unlabeled documents containing detected sensitive content.
- Users must not remove or downgrade sensitivity labels without authorization from the Data Owner.
b. Email
- Emails containing Internal, Restricted, or Confidential information must have the appropriate sensitivity label applied.
- Sensitivity labels shall automatically apply encryption to labeled emails based on the classification level.
- Users should apply labels before composing the email body to ensure protection is in place.
c. Physical Documents
- Physical documents containing Restricted or Confidential information shall be clearly marked with the classification level on the first page or cover.
- Marking may be by stamp, header or footer notation, or handwritten notation.
5. Exceptions
- Exceptions to handling requirements may be granted by Senior Administration.
- Exception requests must document the business need, the specific requirement to be excepted, any compensating controls to be applied, and the duration of the exception.
- Approved exceptions must be documented and reviewed at least annually.
6. Review
This procedure shall be reviewed every three years or following:
- Significant changes to the Division's information security environment
- Changes to applicable legislation (POPA, ATIA)
- Significant changes to Microsoft Purview or Google Workspace capabilities or deployment
- Direction from Senior Administration or the Board of Education
Cross reference
- Policy 310 – Information Security Charter
- Policy 311 – Privacy and Access to Information
- A.P. 312 – Technology Acquisition and Use
- A.P. 314 – IT Asset Management
- A.P. 320 – Information Access Control
- A.P. 321 – Information Security Incident Response
- A.P. 322 – Third-Party and Vendor Risk Management
- A.P. 323 – Privacy Management
- A.P. 325 – Chain of Custody
- A.P. 326 – Technical Security Controls
- CG-002 – Privacy Management Program Overview
- FORM-IM-001 – Staff Technology User Agreement
- FORM-IM-002 – Student Technology User Agreement
- IM-009 – Records Retention Schedule
- IM-015 – Encryption and Key Management
- IM-016 – Hardware Asset Management and Secure Disposal
Legal reference
- Protection of Privacy Act, SA 2024, c P-28.5
- Access to Information Act, SA 2024, c A-1.4
- Education Act, SA 2012, c E-0.3