Princess Nourah bint Abdulrahman University seeks to protect the confidentiality and integrity of its data, ensure its availability, and classify it in accordance with regulatory standards and requirements, based on defined principles and primary levels of data classification. This policy aims to enhance integrity and transparency, support secure integration and data exchange with government entities, improve operational quality, and contribute to achieving the University’s strategic objectives.
 
Data Classification Guiding Principles
The University adopts the following guiding principles for data classification:
1. Openness by Default
The default principle is that data shall be made available within the development domain, unless its nature or sensitivity requires higher levels of classification and protection, in which case it shall be classified as highly confidential. Conversely, data shall not be assigned higher classification levels where its nature or sensitivity warrants lower levels of classification and protection.

2. Necessity and Proportionality
Data shall be classified according to its nature, impact, and level of sensitivity, while taking into consideration the balance between its value and the required degree of confidentiality.

3. Timely Classification
Data shall be classified at the time of its creation or upon receipt from other entities. Such classification shall be implemented within a specified and defined timeframe.

4. Highest Level of Protection
The highest classification level shall be applied when a dataset comprises an integrated collection of data with varying classification levels.

5. Segregation of Duties
The roles and responsibilities of University personnel related to data classification, access, disclosure, use, modification, or destruction shall be segregated to prevent conflicts of interest, avoid overlap of responsibilities, and ensure clear accountability.

6. Need-to-Know
Access to and use of data shall be restricted based on actual need-to-know, and limited to the smallest possible number of University personnel.

7. Principle of Least Privilege
The management of access privileges for University personnel shall be restricted to the minimum level of permissions necessary to perform their assigned duties and responsibilities.