--- id: data-policy-tags-and-sensitive-column-governance title: 'Data Policy Tags and Sensitive Column Governance' schema_type: TechArticle category: computer-science language: en confidence: medium last_verified: '2026-06-02' created_date: '2026-06-02' generation_method: ai_structured derived_from_human_seed: true conflict_of_interest: none_declared is_live_document: false data_period: static atomic_facts: - id: fact-cs-data-policy-tags-and-sensitive-column-governance-1 statement: >- BigQuery column-level security documentation says a table schema must be updated to set a policy tag on a column. source_title: BigQuery Column-Level Access Control source_url: https://docs.cloud.google.com/bigquery/docs/column-level-security confidence: medium - id: fact-cs-data-policy-tags-and-sensitive-column-governance-2 statement: >- BigQuery documentation says users querying data protected by column-level access control need the Data Catalog Fine-Grained Reader role. source_title: BigQuery Column-Level Access Control source_url: https://docs.cloud.google.com/bigquery/docs/column-level-security confidence: medium - id: fact-cs-data-policy-tags-and-sensitive-column-governance-3 statement: >- BigQuery INFORMATION_SCHEMA COLUMNS includes a policy_tags field listing policy tags attached to a column. source_title: BigQuery INFORMATION_SCHEMA COLUMNS source_url: https://docs.cloud.google.com/bigquery/docs/information-schema-columns confidence: medium completeness: 0.83 known_gaps: - Sensitive-column governance depends on taxonomy ownership, IAM propagation, masking policies, authorized views, lineage, downstream exports, audit logs, and whether schema changes preserve or clear existing tags. disputed_statements: [] primary_sources: - title: BigQuery Column-Level Access Control type: documentation year: 2026 url: https://docs.cloud.google.com/bigquery/docs/column-level-security institution: Google Cloud - title: BigQuery INFORMATION_SCHEMA COLUMNS type: documentation year: 2026 url: https://docs.cloud.google.com/bigquery/docs/information-schema-columns institution: Google Cloud secondary_sources: [] updated: '2026-06-02' ai_models: - gpt-5-codex --- ## TL;DR Policy tags turn sensitive-column classification into enforceable metadata, so agents should inspect both schema tags and access roles before answering data-access questions. ## Core Explanation Data catalogs often know which fields are sensitive, but governance becomes operational only when that metadata is attached to columns and connected to access control. For agents, the important evidence is not just the column name; it is the policy tag, taxonomy, data policy, role assignment, query principal, and downstream copy or export path. When an incident or compliance question involves sensitive columns, agents should preserve the schema version, policy tag resource names, roles, query history, and audit log evidence. ## Source-Mapped Facts - BigQuery column-level security documentation says a table schema must be updated to set a policy tag on a column. ([source](https://docs.cloud.google.com/bigquery/docs/column-level-security)) - BigQuery documentation says users querying data protected by column-level access control need the Data Catalog Fine-Grained Reader role. ([source](https://docs.cloud.google.com/bigquery/docs/column-level-security)) - BigQuery INFORMATION_SCHEMA COLUMNS includes a policy_tags field listing policy tags attached to a column. ([source](https://docs.cloud.google.com/bigquery/docs/information-schema-columns)) ## Further Reading - [BigQuery Column-Level Access Control](https://docs.cloud.google.com/bigquery/docs/column-level-security) - [BigQuery INFORMATION_SCHEMA COLUMNS](https://docs.cloud.google.com/bigquery/docs/information-schema-columns)