
#InsideIT

The KAUST Information Technology Department blog

Your Data Has a Classification. Do You Know What It Is?

10 June, 2026

Think about the last file you shared with a colleague. A report, a spreadsheet, a research document, a form response. Did you stop to think about how sensitive it was before you hit send?

Most of us don't. We share files quickly, conveniently, and without much thought about who might end up with access. That's understandable. But KAUST runs on data. Research data, student data, financial data, operational data, HR data, intellectual property. The choices we make about who can access it, how it is protected, and where it is stored have real consequences.

KAUST's Data Classification Procedure defines four levels for classifying information and data. Understanding them is one of the most practical things you can do as a member of this community, whether you are a researcher, an administrator, a student, or a faculty member.

Here's what each level actually means.

Public

Public data is information that is either already available to the world, or whose disclosure would have minimal impact on KAUST, individuals, or the wider community.

Examples include published research papers and presentations, press releases, job postings, course information, and anything already available on the public KAUST website.

If you would be comfortable seeing it on kaust.edu.sa today, it is likely Public.

Internal

Internal data is intended for the KAUST community. It is not highly sensitive, but it is not meant for general public distribution either.

This is where most day-to-day working information sits: meeting minutes, internal policies and procedures, planning documents, internal communications, working drafts, and contact directories used for work purposes. Anything that is appropriate to share with a KAUST colleague, but that would not belong on a public website.

If it is fine for any KAUST colleague to see but is not meant for public distribution, it is Internal.

Restricted

Restricted data covers information whose unauthorized disclosure could cause real harm to individuals, to KAUST, or both. The category is broader than many people expect.

It includes personal data such as passport numbers, national IDs, and HR records. It covers contracts, RFPs, and procurement documents; research involving human subjects; financial information; legal records; and sensitive administrative decisions.

If you work in HR, finance, research administration, or legal services, a significant part of your daily work is Restricted. If you are a researcher collecting data from human participants, that data is Restricted. If you are handling a contract or MOU with an external party, those documents are Restricted.

A useful way to think about it: if you would be uncomfortable seeing this information forwarded to someone outside its intended audience, treat it as Restricted.

Highly Restricted

Highly Restricted is the highest level of classification at KAUST, reserved for information whose unauthorized disclosure could cause severe damage to the university, to individuals, or to the Kingdom of Saudi Arabia.

Most people will not encounter Highly Restricted data in their regular work. If you do work with it, you will know, and there will be clear guidance on how it must be handled.

This is the highest level of protection KAUST applies to any information.

What does this mean for you in practice?

When you create or receive something, consider what level it is.

You do not need to formally label every email or draft. But taking a moment to ask "how sensitive is this?" helps you make better decisions about where it goes and who sees it.

Let the classification guide how you share.

Public information can be shared freely. Internal data stays within KAUST. Restricted data should only reach people who genuinely need it, through appropriate access controls. Highly Restricted data comes with stricter requirements still.

When you are not sure, treat it as the higher level.

The Data Classification Procedure is clear: any information that has not been formally classified is treated as Internal until it is. If you are unsure whether something is Internal or Restricted, treat it as Restricted until you know.

Classification applies to more than files.

The same principles apply to emails, messages, shared links, and forms. A document shared via an open link carries the same implications as sending it to the wrong person directly.

KAUST's work, from research and teaching to the daily operations that keep this place running, depends on data being handled with care. Understanding these four levels is a small investment of time that makes a meaningful difference.

Read the full procedure

The full KAUST Data Classification Procedure, including detailed examples and security controls for each level, is available on the KAUST Policy site.
