Data Classification
Data classification is the process of labelling each column in your Snowflake account with a privacy level and, where applicable, a PII type. These labels determine which masking policy applies and which Snowflake roles can see the unmasked data.
Under Rime’s masked-by-default model, every column starts masked. Classification is how you move a column from “invisible to everyone” to “visible to the right roles with the right masking.”
Privacy levels
Every classified column receives one of four privacy levels, ordered from least to most sensitive:
| Level | Description | Typical content |
|---|---|---|
| Public | Data that can be shared without restriction | Product names, public identifiers, country codes |
| Internal | Data intended for internal use only | Internal project codes, department names, non-sensitive metrics |
| Confidential | Sensitive business or personal data | Customer names, email addresses, transaction amounts |
| Restricted | Highly sensitive data subject to regulatory requirements | IRD numbers, NHI numbers, bank account numbers, health records |
The privacy level controls the default masking policy applied to the column and which roles can be granted visibility. Higher sensitivity levels require more restrictive default masking and limit which roles can be granted access.
PII types
Columns that contain personally identifiable information receive a PII type in addition to their privacy level. Rime recognises these PII types:
| PII type | Description | Default privacy level |
|---|---|---|
| Name | Personal names (first, last, full) | Confidential |
| Email addresses | Confidential | |
| Phone | Phone numbers (any format) | Confidential |
| Address | Physical or mailing addresses | Confidential |
| IRD number | New Zealand Inland Revenue Department number | Restricted |
| NHI number | New Zealand National Health Index number | Restricted |
| Date of birth | Birth dates | Confidential |
| Bank account | Bank account numbers | Restricted |
| Passport | Passport numbers | Restricted |
| Driver licence | Driver licence numbers | Restricted |
When a column is classified with a PII type, Rime assigns the PII type’s default privacy level unless you override it. The PII type also determines the specific masking policy applied — for example, phone numbers use partial masking by default while IRD numbers use full masking.
The column browser
Navigate to Governance > Classifications to open the column browser. This view lists every column across all tables and schemas in your Snowflake account, along with its current classification status.
The column browser shows:
- Database / Schema / Table / Column — the fully qualified column path
- Data type — the Snowflake data type (VARCHAR, NUMBER, DATE, etc.)
- Privacy level — the assigned level, or “Unclassified” if the column has not been classified
- PII type — the assigned PII type, if any
- PII detection — whether the automatic scanner flagged this column, with the confidence level
- Last classified — when the classification was last modified
You can filter the column browser by:
- Database, schema, or table
- Classification status (classified, unclassified, flagged by PII detection)
- Privacy level
- PII type
- Data type
Classifying a column
To classify a single column:
- Open the column browser and locate the column
- Select the column row to open the classification panel
- Choose a privacy level from the dropdown
- Optionally select a PII type if the column contains personal information
- Select Apply
The classification takes effect immediately. Rime updates the Snowflake tag on the column, which changes the masking policy applied. If no roles have been granted visibility for this privacy level, the column remains masked but is now tracked as classified.
Bulk classification
To classify multiple columns at once:
- In the column browser, use the checkboxes to select multiple columns. You can select all columns in a table by checking the table header, or use filters to narrow the list first.
- Select Classify Selected from the toolbar
- Choose the privacy level and optional PII type to apply to all selected columns
- Review the summary showing how many columns will be updated
- Select Apply
Bulk classification is useful when onboarding a new data source where many columns share the same sensitivity level, or when reclassifying columns after a policy change.
Classification inheritance
Rather than classifying every column individually, you can set default classifications at the schema or table level. Inheritance works as follows:
- Schema-level default — all new tables and columns created in the schema inherit this classification unless overridden at the table or column level
- Table-level default — all new columns in the table inherit this classification unless overridden at the column level
- Column-level override — always takes precedence over schema and table defaults
To set a default classification:
- Navigate to the schema or table in the column browser
- Select Set Default Classification from the context menu
- Choose the privacy level and optional PII type
- Select whether to apply the default to existing unclassified columns or only to future columns
Inheritance is especially useful for raw landing schemas where most columns should start at the same sensitivity level. For example, setting a schema-level default of “Confidential” on your customer data schema ensures that new columns from schema changes are classified automatically rather than remaining unclassified.
Unclassified column reports
The compliance reporting dashboard includes a classification coverage report that shows:
- Total columns across all schemas and tables
- Percentage classified vs. unclassified
- Breakdown by database, schema, and table
- Columns flagged by PII detection that have not yet been reviewed
Under the masked-by-default model, unclassified columns are still masked — they are not a security risk. However, they represent a governance gap: you do not yet know what the column contains, and no role has been granted appropriate visibility. The goal is to drive unclassified columns toward zero so that every column has a deliberate classification decision behind it.
Reclassification
Classifications are not permanent. To change a column’s classification:
- Locate the column in the column browser
- Open the classification panel
- Change the privacy level or PII type
- Select Apply
Reclassification updates the Snowflake tag immediately. If the new privacy level has a more restrictive default masking policy, roles that previously saw the column unmasked may lose visibility until their grants are updated. Rime shows a warning when reclassification would reduce visibility for existing roles.
Tier availability
Data classification is available at Business tier and above. Free/Trial and Small Business tiers display the column browser in read-only mode but cannot assign classifications. See Masked by Default for full tier details.
Next steps
- Configure PII Detection to automatically flag columns for classification
- Set up Masking Policies to control how masked data appears
- Review Compliance Reporting to track classification coverage