Classification of Data at NIH

Rules for storage of different categories of data - examples of classification of data at NIH.

    The owner of the data (for research projects, usually the Project Manager) is responsible for:

    • ensuring that the data is placed in the correct category based on the rules below;
    • assessing whether the data changes category;
    • ensuring that all storage and processing of the data takes place on solutions that are approved for this purpose (see our guidelines for storage);
    • regularly checking that storage complies with any updated requirements.

    Categories and risk level

    NIH operates with four categories/color codes for data. The different categories refer to different levels of risk, that is, how much damage can result if the information goes astray. The categorisation system also applies to data without private information.

    Black: Strictly confidential

    "Strictly confidential" is used when disclosure of the information to unauthorized parties could cause significant damage to public interests, NIH, an individual or a partner.

    Black data must be stored in NIH's secure zone. SurveyXact cannot be used for processing of black data.

    Examples of black data:

    • Large amounts of personal data in special categories (previously called sensitive personal data), including health data.
    • Research data and data sets of great economic value, e.g. a database that has taken many years to build up.

    Red: Confidential

    "Confidential" is used when disclosure of the information to unauthorized parties will cause damage to public interests, NIH, an individual or a partner.

    The project manager must ensure that two-factor authentication is set up when SurveyXact is used to process red data.

    Examples of red data:

    • Information that contains special categories of personal data (previously called sensitive personal data), including health data
    • Personnel folders
    • Data subject to export control
    • Some information about, for example, the security of buildings and IT systems

    Yellow: Limited

    The information must have a certain level of protection. It can be accessible to both external and internal parties, with controlled access rights. It may cause some damage to the institution if the information becomes known to unauthorized persons.

    Examples of yellow data: 

    • Personal information that is not categorised as red or black.
    • Grades
    • Exam answers. 

    Green: Open

    This category is used when disclosure of the information to unauthorized parties does not cause any damage to the institution or a partner.

    The integrity of the data must nevertheless be protected by ensuring that only persons and users with the correct rights can change the information. Note that even though the data may be open, you are not free to choose what you do with it.

    Examples of green data:

    • Freely available research data that does not need any protection (the researcher is responsible for this assessment) 
    • Teaching materials that do not need any protection (the teacher is responsible for this assessment).
    • Pre-prints 
    • Information pages for institutes, laboratories, employees, etc.