Secure your data with the new government classification model
Protecting sensitive data is a top priority for all organizations wishing to reduce information security risks. Threats such as privacy breaches, fraud, identity theft, hacking, phishing and the sale of personal data are multiplying, compromising business continuity and stakeholder confidence.
To guard against these risks, organizations are deploying a variety of security solutions and measures: firewalls, data encryption, multi-factor authentication (MFA), anonymization and de-identification of sensitive data, physical access controls, among others. However, their implementation raises fundamental questions:
Should the same security measures be applied to all data?
How can we determine the appropriate level of security for each type of data?
Data classification is an essential approach. It enables organizations to assess the specific risks associated with each category of data, and to adopt proportionate security measures.
Very recently, the Government of Quebec adopted the new Government Digital Data Security Classification Model, which aims to strengthen the security of digital data held by public organizations (GAZETTE OFFICIELLE DU QUÉBEC, December 26, 2024, 156th year, no. 52). This new classification model replaces the Guide de catégorisation de l'information, issued by the Conseil du trésor in July 2016.
The classification model introduces new concepts compared to the categorization approach:
Classification of data into two categories: classified data / protected data.
Distinction between structured and unstructured data.
Profile of security measures to be assigned to each structured data item to cover the three security objectives (confidentiality, integrity, availability).
Marking applied to each piece of unstructured data to cover the confidentiality objective.
Determination of the level of harm for each type of harm. Whereas the analysis in the categorization approach was oriented more towards the consequences for the organization, the classification model focuses instead on the harm to citizens, businesses and the state.
Application of the model is mandatory under the Loi sur la gouvernance et la gestion des ressources informationnelles des organismes publics et des entreprises du gouvernement (LGGRI). This classification model brings several improvements:
Uniformity: Establish a common classification for all public bodies subject to the LGGRI.
Security: Reduce risks to data confidentiality, integrity or availability.
Interoperability: Enable effective collaboration with national and international partners. This model is inspired by the methods used by the Government of Canada, which are based on American standards developed by the National Institute of Standards and Technology (NIST).
Methodology and stages
The model is based on a risk analysis and includes the following steps:
Data identification: Differentiation between structured data (databases) and unstructured data (office documents). At this stage, it is important to specify the granularity chosen, which represents the desired level of precision when identifying the objects to be classified.
Classification: Data is classified into two categories:
Classified: Sensitive data affecting state security or intergovernmental relations.
Protected: Personal data or data with the potential to harm entities or individuals.
Sub-categorization: Based on the level of potential harm (very low to very high). There are 28 sub-categories.
Application of security measures: Assignment of security profiles (structured data) or appropriate markings (unstructured data).
Keeping a register: Monitoring and updating throughout the data lifecycle. The organization must record classification decisions, such as classification objects, assigned categories and sub-categories, associated types and levels of harm.
An important element to consider is the direct and relevant link between the obligation to keep a security classification register and that of maintaining an inventory of government digital data under the LGGRI (section 16.4 of Ministerial Order 2024-05).
Application and deployment
The ministerial decree sets specific deadlines for application by public bodies.
Classification of structured data must be completed by December 31, 2025.
Marking of unstructured data must be implemented by March 31, 2028.
In conclusion, data classification plays a central role in data governance, particularly in the government context where confidentiality, integrity and availability of information are essential. By assigning categories and levels of sensitivity to data, public bodies can align their practices with robust, standardized security frameworks.
This approach:
Reduces risk: Rigorous classification allows critical data to be identified and proportionate security measures to be implemented, thereby reducing the risk of cyber-attacks, data leakage or loss.
Reinforces trust: By categorizing data according to its sensitivity, we ensure that personal and confidential information is properly protected, helping to reinforce citizens' confidence in government management.
Optimizes resource management: By establishing a common methodology, public bodies adopt consistent practices, facilitating interoperability and secure information exchange within the government ecosystem and with external partners.
Promotes legal and regulatory compliance: It ensures that data is managed in compliance with privacy laws, such as those relating to access to information and the protection of personal information.
By integrating data classification into a comprehensive data governance approach, public sector organizations not only protect their information assets, but also maximize their strategic value. This promotes efficient and secure use of information resources, while contributing to a modern, resilient and citizen-centric administration.