Classifying our information appropriately is the first step in safeguarding our data across the University.
This information provides a quick look at information classification - for full details please read our Information Classification control procedure:
Classifying information
There are three categories or levels of classification:
1. Public information
Information that is intended for public distribution and requires no specific security handling. For example, marketing material or information that has already entered the public domain via a Freedom of Information request.
2. Internal information
Information that would have minimal impact if disclosed, but where it is prudent to maintain a need-to-know approach. This covers the majority of University-generated information.
3. Sensitive information
Information that has a clear elevated sensitivity due to its legal, contractual or business value. For example, information containing sensitive personal data according to the Data Protection Act definitions; information relating to ongoing commercial projects where disclosure could jeopardise the project; information that could identify a security vulnerability.
At a glance: how to handle sensitive information
How you can help:
Identify way sort of information you handle, and check that you are doing everything you can to store, share, mark, destroy and handle that information in the appropriate way for its classification.
The information classification procedure sets out how assets will be classified according to their legal requirements, business value, criticality and sensitivity, and classification will indicate appropriate handling requirements. All information assets will have a defined retention and disposal schedule.