Data Classification Policy

1. Scope of Policy Application

The Data Classification Policy applies to all data produced, received, or handled by the university—regardless of whether the data was created or used before or after the adoption of this policy, and regardless of its source or nature. These data and information may exist in various forms, including but not limited to: paper records, meeting documents, emails, data and information stored on computers, audio or video tapes, maps, photographs, manuscripts, handwritten documents, or any other form of electronically or non-electronically recorded and publishable information.

2. Core Principles of Data Classification

Jouf University adopts the following principles for data classification:

Principle 1: Data is by default accessible
As a default, data should be made accessible (in the developmental domain), unless its nature or sensitivity requires higher levels of classification and protection. Conversely, data is considered highly confidential (in the political and security domains), unless its nature or sensitivity necessitates lower levels of classification and protection.

Principle 2: Necessity and proportionality
Data shall be classified into levels according to its nature, sensitivity, and potential impact, taking into account a balance between its value and the degree of confidentiality required.

Principle 3: Timely classification
Data must be classified at the time of its creation or upon receipt from other parties, and classification should occur within a defined time frame.

Principle 4: Highest level of protection
When a dataset contains a combination of data with varying classification levels, the highest classification level shall apply to the entire set.

Principle 5: Separation of duties
The duties and responsibilities of personnel—related to classifying, accessing, disclosing, using, modifying, or destroying data—must be clearly separated to prevent overlap in roles and to avoid dilution of accountability.

Principle 6: Need-to-know basis
Access to and use of data shall be restricted based on actual need-to-know, and limited to the smallest possible number of personnel within the university.

Principle 7: Least privilege
Permissions granted to university personnel shall be limited to the minimum level of access necessary to perform their assigned tasks and responsibilities.
