Information Classification
Defining the University’s approach to information asset classification
Policy statement
This control procedure defines the University’s approach to asset classification, and directly supports the following policy statement from the Information Security Policy:
All information assets will be classified according to their legal requirements, business value, criticality and sensitivity, and classification will indicate appropriate handling requirements. All information assets will have a defined retention and disposal schedule.
Audience
The Information Classification Scheme is intended to be read and understood by all individuals who have access to University information and technologies, including external parties that provide information processing services to the University.
Control statements
- Principles
- Classifications
- Storage
- Responsibilities
- Aggregation
- Mapping to the HMG Classification Scheme
- Annex A - Classifications
- Annex B - Handling requirements
1. Principles
All University records, regardless of their storage location, are subject to the University’s Retention and Disposal schedule.
Where personal data is being collected and stored we shall adopt a data protection by default and design approach, subject to the University Data Protection Assessment Procedure (internal staff only).
Handling requirements must be proportionate and reflect the sensitivity of the data.
2. Classifications
The Information Classification Scheme applies to all information used at the University, in all formats. This includes information processed by other organisations in their dealings with the University. All information will be classified according to the following distinctions, which are fully explained and illustrated in the supporting guidance:
- PUBLIC – information that is intended for public distribution and requires no specific security handling. For example, marketing material or information that has already entered the public domain via a Freedom of Information request.
- INTERNAL – information that would have minimal impact if disclosed, but where it is prudent to maintain a need-to-know approach. This covers the majority of University information.
- SENSITIVE – information that has a clear elevated sensitivity due to its legal, contractual or business value. For example, information containing sensitive personal data according to the GDPR definitions; information relating to ongoing commercial projects where disclosure could jeopardise the project; information that could identify a security vulnerability; large data sets containing personal data.
For further information about the definitions under this procedure, please see Annex A. Annex B provides comprehensive guidance on how a specific classification affects handling requirements.
Applying too high a marking can inhibit sharing and lead to unnecessary and expensive protective controls; applying too low a marking may result in inadequate controls and potentially put sensitive assets at greater risk of compromise.
A file, or group of sensitive documents or assets, must carry the highest marking contained within it. For example, a paper file or an e-mail string containing INTERNAL and SENSITIVE material must be covered by the higher marking (i.e. SENSITIVE).
A system must carry the highest marking of the information it processes.
3. Storage
The most secure storage locations for University information are:
- the University’s central information systems, such as for Finance, HR or student records
- University-approved storage linked to a University identity such as Microsoft OneDrive or SharePoint online, dedicated research storage, Moodle
If you have a requirement that appears not to be met by University systems, please contact IT & Digital.
Users should avoid processing business critical data on their local computer using programs such as Access or Excel. Data stored locally does not benefit from complete IT management including managed access control. This could significantly impact your ability to maintain the confidentiality, integrity and availability of the locally stored data.
Users should avoid storing information on their local computer where possible. Although the desktop folder on a Windows computer can be written to, it is not included in the staff profile or backed up, so there is a high likelihood of data loss should the device suffer any corruption. The same applies to local storage locations on Apple Mac computers.
Microsoft OneDrive is intended for very limited usage – for staff this means personal documents only (personal development reviews, contracts, early draft documents, etc).
Personal cloud storage – such as Dropbox or Google Drive – should only be used where University-provisioned storage fails to address a business requirement. Such storage should not be used for information classified as SENSITIVE, or for any personal data.
Research data storage - a principal investigator will be responsible for ensuring good research data management including data storage requirements. Research data will be stored to agreed standards throughout the research data lifecycle and according to funder requirements. See Research Governance requirements for further guidance. Research staff and principal investigators should consult with IT & Digital staff if further storage is required, or existing storage does not meet their specific requirements.
4. Responsibilities
Information Asset Owners are responsible for ensuring the classification of information within their business area and for putting in place appropriate processes to ensure that information is handled according to this scheme, reflecting the potential impact from compromise or loss. They are also responsible for considering any privacy issues at the outset of projects, processes or systems which involve the processing of personal data, and for identifying measures to mitigate risks to individuals’ privacy rights. A Data Privacy Impact Assessment (DPIA) should be completed to identify the privacy risks and to put in place plans to mitigate any identified risks.
Where information has been received from a third party and already has a classification, this should be retained, and mapped to the University classification scheme so that the appropriate handling arrangements can be made. Some third parties may specify handling requirements for their information, which should be respected.
5. Aggregation
Aggregated data sets should be considered to be within the same classification level. For example, multiple student records should be considered to attract the same classification as an individual student record. However, where the impact of compromise or loss has increased as a result of aggregation, these aggregated data sets may require additional controls. See Annex A and B for examples.
Major ICT infrastructure (e.g. large aggregated data sets, payments systems, etc.) may require enhanced controls to effectively manage associated confidentiality, integrity and availability risks – determined on a case-by-case basis following risk assessment.
6. Mapping to the HMG Classification Scheme
The most likely third party classification scheme to be encountered is that in use within HMG Departments. This has three information classification levels: OFFICIAL, SECRET and TOP SECRET. This scheme has also been adopted by some other public sector bodies.
Because all HMG information falls into the OFFICIAL classification by default if it has not been given a higher classification, it can contain a range of sensitive or public material. As such, OFFICIAL information should be handled in the same way as the University’s INTERNAL classification. Information marked as OFFICIAL and caveated SENSITIVE should be handled in the same way as the University’s SENSITIVE classification.
The University’s systems are not secured to the necessary level to process SECRET or TOP SECRET information. If you receive any information with these classifications, please notify the Information Security Team as soon as possible, and do not distribute the information further.
7. Annex A – Classifications
Definition
- PUBLIC – Information that is intended for public distribution and requires no specific security handling.
- INTERNAL – Information relating to routine business operations and services, where it is prudent to maintain a need-to-know approach. This covers the majority of University-generated information.
- SENSITIVE – Information that has a clear elevated sensitivity due to its legal, contractual or business value.
Impact if compromised
- PUBLIC – Minimal or no risk to our operations, service delivery or reputation; no discomfort or embarrassment to individuals; no breach of statutory obligations.
- INTERNAL – Minor reputational risk; technical breach of duty of confidence; possible breach of a statutory obligation (such as Data Protection); short-term discomfort or embarrassment to an individual; commercial disadvantage or loss; short-term disruption to our operations and service.
- SENSITIVE – Serious reputational risk; danger to personal safety; major breach of a statutory obligation (such as Data Protection); prolonged distress, discomfort or embarrassment to an individual; distress, discomfort or embarrassment to a group of individuals; serious commercial disadvantage or loss, including financial or legal penalties; long-term disruption to our operations and service.
Examples
- PUBLIC – Marketing material; published prospectus information on public website; vacancy details; anonymised statistical information; any information disclosable or already disclosed under the Freedom of Information Act 2000.
- INTERNAL – Internal correspondence; committee papers and minutes; policies and procedures; working documents; personal data on staff and students but not meeting the GDPR definition for Special Category Data.
- SENSITIVE – Staff or student passwords for University devices and systems; information relating to ongoing commercial or research projects where disclosure could jeopardise the project; information that could identify a security vulnerability; Special Category Data as defined in footnote [1]; financial information defined as commercial-in-confidence; information covered by the Official Secrets Act 1989.
8. Annex B – Handling Requirements
Access
- PUBLIC – Intended for public distribution, although embargoes may apply prior to publication.
- INTERNAL – Available to any authenticated University member, i.e. with login access.
- SENSITIVE – Available only to specified authenticated University members, with login access and additional authorisation.
Labelling
- PUBLIC – Internal copies should be visibly marked ‘PUBLIC’.
- INTERNAL – There is no requirement to visibly mark.
- SENSITIVE – All copies should be visibly marked ‘SENSITIVE’. Reference the classification in the subject line and / or text of email communications.
Storage
- PUBLIC – Primary copy on University drive (personal or shared) or University system. Can keep on University or personal devices or other portable media. Retain in line with University Retention and Disposal Schedule.
- INTERNAL – Primary copy on University system. Where possible should be kept on appropriate University systems. If it is necessary to store on portable media, it must only be stored on encrypted portable media, and removed once its purpose has been served. Users should avoid processing business critical data on their local computer using programs such as Access or Excel. Data stored locally does not benefit from complete IT management including managed access control. Store physical assets securely when not in use. Observe the University’s clear desk policies and screen locking when IT equipment is left unattended. Paper records should be stored on University premises in secure cupboards or rooms. Retain in line with University Retention and Disposal Schedule.
- SENSITIVE – Data covered by the GDPR should remain as far as possible in the appropriate University systems e.g. HR, Student Records. Where downloaded, this should be retained on University drives (personal or shared). Users should avoid processing business critical data on their local computer using programs such as Access or Excel. Data stored locally does not benefit from complete IT management including managed access control. Can keep on University laptops or other University portable media/devices (excluding portable hard drives/USB sticks) but only on temporary basis, if encrypted/password protected, and taking care to avoid loss or theft. Should not be kept on personally owned devices. Retain in line with University Retention and Disposal Schedule.
Communication
- PUBLIC – Can email without encryption or password protection. Can be sent in the standard mail.
- INTERNAL – The use of encryption or password protection should be considered but is not mandated. Extra consideration should be given to encryption if student data, bank account details etc. are being transferred in large numbers. Further advice can be obtained from Information Security or Legal. Can be sent in the standard mail, but for large data sets Royal Mail Signed For should be considered.
- SENSITIVE – Not to be communicated externally except in defined circumstances e.g. pre-agreed data sharing, police investigation. Authorised staff should email with encryption or use another encrypted transfer mechanism. When discussing in public or by telephone, appropriate discretion should be exercised. Details of sensitive material should be kept to a minimum. Should only be posted using Royal Mail Signed For or equivalent.
Sharing
- PUBLIC – Intended for public distribution, although embargoes may apply prior to publication.
- INTERNAL – Can share for business purposes, maintaining a need-to-know approach. Can share via OneDrive, shared drive, SharePoint or publish on authenticated Website.
- SENSITIVE – Internal distribution should be according to a strict application of the need-to-know principle. Where there is a reason to share selected or general information from a SENSITIVE report more widely, originators should develop a version at INTERNAL or PUBLIC where possible. Only the minimum amount of data required should be shared and a level of security appropriate for the nature and sensitivity of the data should be used. Departments may have established procedures for doing this, but if in doubt consult the Information Security team. Can be shared via OneDrive or SharePoint as long as access is appropriately restricted. Sharing SENSITIVE documents by email should be avoided where possible, especially if this can be shared via OneDrive or other sharing method with appropriate access restrictions. If this is not possible, particular care should be taken to ensure emails, faxes and letters are only sent to named recipients at known addresses where there is an agreed business need to share (a legal agreement with external parties such as contractors and suppliers may be required to cover data protection and confidentiality obligations). See section 4.2 of the MMU Data Protection Policy and consult the Legal team for further guidance.
Destruction
- PUBLIC – No restrictions. Destroy in line with University Retention and Disposal Schedule.
- INTERNAL – Information that is not freely available in the public domain should be destroyed in a way that makes reconstitution unlikely. Destroy in line with University Retention and Disposal Schedule.
- SENSITIVE – Information should be destroyed in a way that makes reconstitution difficult. For example, paper files should be shredded, electronic devices should be wiped or destroyed according to IAS5 or equivalent (which can be done via ISDS). Destroy in line with University Retention and Disposal Schedule.
Remote Access
- PUBLIC – Can be held on public website or authenticated systems.
- INTERNAL – Can be held on systems accessible via authenticated web service or VPN access.
- SENSITIVE – Should only be held on systems requiring VPN access.
Off-site working
- PUBLIC – No restrictions.
- INTERNAL – Physical assets should be protected in transit, not left unattended, and stored securely. Precautions should be taken to prevent overlooking or inadvertent access when working remotely or in public places.
- SENSITIVE – Removal of physical assets should be confirmed with the asset owner. Physical assets should be protected in transit, not left unattended, and stored securely. Precautions should be taken to prevent overlooking or inadvertent access when working remotely or in public places.
[1] Sensitive personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation; and the commission or alleged commission by them of any criminal convictions or offence, or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
Compliance
Failure to comply with this procedure could result in action in line with the University’s Disciplinary Procedure or Capability Procedure.
Compliance checks will be undertaken by the University’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Governance Board.
Related documents
This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System.
Browse Information Security policies and control procedures
Review
A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and will be approved by the Information Governance Board.
Version: 6.3
Release date: 17/07/2023
Review date: 16/07/2024