Call IT Support Email IT Support

Information Classification

Defining the University’s approach to information asset classification

Policy Statement

This control procedure defines the University’s approach to asset classification, and directly supports the following policy statement from the Information Security Policy:

All information assets will be classified according to their legal requirements, business value, criticality and sensitivity, and classification will indicate appropriate handling requirements. All information assets will have a defined retention and disposal schedule.

Audience

The Information Classification Scheme is intended to be read and understood by all individuals who have access to University information and technologies, including external parties that provide information processing services to the University.

Control Statements

  1. Principles
  2. Classifications
  3. Storage
  4. Responsibilities 
  5. Aggregation
  6. Mapping to the HMG Classification Scheme
  7. Annex A - Classifications
  8. Annex B - Handling requirements 

1. Principles

All University records, regardless of their storage location, are subject to the University’s Retention and Disposal schedule.

Where personal data is being collected and stored we shall adopt a data protection by default and design approach, subject to the University Data Protection Assessment Procedure (internal staff only).

2. Classifications

The Information Classification Scheme applies to all information used at the University, in all formats. This includes information processed by other organisations in their dealings with the University. All information will be classified according to the following distinctions, which are fully explained and illustrated in the supporting guidance:

For further information about the definitions under this procedure, please see Annex A. Annex B provides comprehensive guidance on how a specific classification affects handling requirements.

Applying too high a marking can inhibit sharing and lead to unnecessary and expensive protective controls; applying too low a marking may result in inappropriate controls and potentially put sensitive assets at greater risk of compromise.

A file, or group of sensitive documents or assets, must carry the highest marking contained within it. For example, a paper file or an e-mail string containing INTERNAL and SENSITIVE material must be covered by the higher marking (i.e. SENSITIVE).

A system must carry the highest marking of the information it processes.

3. Storage

The most secure storage locations for University information are:

If you have a requirement that appears not to be met by University systems, please contact ISDS.

Users should avoid storing information on their local computer where possible. Although the desktop and My Documents folders on a Windows computer can be written to, these are not included in the staff profile or backed-up, so there is a high likelihood of data loss should the device suffer any corruption. The same applies for local storage locations on Apple Mac computers.

Microsoft OneDrive is intended for very limited usage – for staff this means personal documents only (personal development reviews, contracts, early draft documents, etc).

Personal cloud storage – such as Dropbox or Google Drive – should only be used where University-provisioned storage fails to address a business requirement. Such storage should not be used for information classified as SENSITIVE, or for any personal data.

Research data storage - a principal investigator will be responsible for ensuring good research data management including data storage requirements. Research data will be stored to agreed standards throughout the research data lifecycle and according to funder requirements. See Research Governance requirements for further guidance. Research staff and principal investigators should consult with ISDS staff if further storage is required or existing storage does not meet their specific requirements.

4. Responsibilities

Information Asset Owners are responsible for ensuring the classification of information within their business area and for putting in place appropriate processes to ensure that information is handled according to this scheme, reflecting the potential impact from compromise or loss. They are also responsible for considering any privacy issues at the outset of projects, processes or systems, which involve the processing of personal data and identify measures to mitigate risks to individuals’ privacy rights. A Data Privacy Impact Assessment (DPIA) should be completed to identify the privacy risks and to put in place plans to mitigate any identified risks.

Where information has been received from a third party and already has a classification, this should be retained, and mapped to the University classification scheme so that the appropriate handling arrangements can be made. Some third parties may specify handling requirements for their information, which should be respected.

5.Aggregation

Aggregated data sets should be considered to be within the same classification level. For example, multiple student records should be considered to attract the same classification as an individual student record. However where the impact of compromise or loss has increased as a result of aggregation, these aggregated data sets may require additional controls. See Annex A and B for examples.

Major ICT infrastructure (e.g. large aggregated data sets, payments systems, etc.) may require enhanced controls to effectively manage associated confidentiality, integrity and availability risks – determined on a case-by-case basis following risk assessment.

6. Mapping to the HMG Classification Scheme 

The most likely third party classification scheme to be encountered is that in use within HMG Departments. This has three information classification levels: OFFICIAL, SECRET and TOP SECRET. This scheme has also been adopted by some other public sector bodies.

Because all HMG information falls in to the OFFICIAL classification by default if it has not been given a higher classification, this means that it can contain a range of sensitive or public material. As such, OFFICIAL information should be handled in the same way as the University’s INTERNAL classification. Information marked as OFFICIAL and caveated SENSITIVE should be handled in the same way as the University’s SENSITIVE classification.

The University’s systems are not secured to the necessary level to process SECRET or TOP SECRET information. If you receive any information with these classifications, please notify the Information Security Team as soon as possible, and do not distribute the information further.

Annex A – Classifications

Classification

PUBLIC

INTERNAL

SENSITIVE

Definition

Information that is intended for public distribution and requires no specific security handling.

Information relating to routine business operations and services, where it is prudent to maintain a need-to-know approach. This covers the majority of University-generated information.

Information that has a clear elevated sensitivity due to its legal, contractual or business value.

Impact if compromised

Minimal or no risk to our operations, service delivery or reputation

No discomfort or embarrassment to individuals.

No breach of statutory obligations

Minor reputational risk

Technical breach of duty of confidence

Possible breach of a statutory obligation (such as Data Protection)

Short-term discomfort or embarrassment to an individual

Commercial disadvantage or loss

Short-term disruption to our operations and service

Serious reputational risk

Danger to personal safety

Major breach of a statutory obligation (such as Data Protection)

Prolonged distress, discomfort or embarrassment to an individual

Distress, discomfort or embarrassment to a group of individuals

Serious commercial disadvantage or loss, including financial or legal penalties

Long-term disruption to our operations and service

Examples

Marketing material

Published prospectus

information on public website

vacancy details

anonymised statistical information

Any information disclosable or already disclosed under the Freedom of Information Act 2000.

Internal correspondence

Committee papers and minutes

Policies and procedures

Working documents

Personal data on staff and students but not meeting the GDPR definition for Special Category Data

Staff or student passwords for University devices and systems

Information relating to ongoing commercial or research projects where disclosure could jeopardise the project

Information that could identify a security vulnerability.

Special Category Data as defined in footnote[1].

Financial information defined as commercial-in-confidence

Information covered by the Official Secrets Act 1989.

Annex B – Handling Requirements

Classification

PUBLIC

INTERNAL

SENSITIVE

Access

Intended for public distribution, although embargoes may apply prior to publication.

Available to any authenticated University member i.e. with login access

Available only to specified authenticated University members, with login access and additional authorisation.

Labelling

Internal copies should be visibly marked ‘PUBLIC’

There is no requirement to visibly mark

All copies should be visibly marked ‘SENSITIVE’

Reference the classification in the subject line and / or text of email communications.

Storage

Primary copy on University drive (personal or shared) or University system.

Can keep on University or personal devices or other portable media.

Retain in line with University Retention and Disposal Schedule. 

Primary copy on University system.

Where possible should be kept on appropriate University systems. If it is necessary to store on portable media, it must only be stored on encrypted portable media, and removed once its purpose has been served.

Store physical assets securely when not in use. Observe the University’s clear desk policies and screen locking when IT equipment is left unattended.

Paper records should be stored on University premises in secure cupboards or rooms.

Retain in line with University Retention and Disposal Schedule.

Data covered by the GDPR should remain as far as possible in the appropriate University systems e.g. HR, Student Records. Where downloaded, this should be retained on University drives (personal or shared).

Can keep on University laptops or other University portable media/devices, but only on temporary basis, if encrypted/password protected, and taking care to avoid loss or theft. Should not be kept on personally owned devices.

Retain in line with University Retention and Disposal Schedule.

Communication

Can email without encryption or password protection.

Can be sent in the standard mail.

The use of encryption or password protection should be considered but is not mandated. Extra consideration should be given to encryption if student data, bank account details etc. are being transferred in large numbers. Further advice can be obtained from Information Security or Legal.

Can be sent in the standard mail, but for large data sets Royal Mail Signed For should be considered.

Not to be communicated externally except in defined circumstances e.g. pre-agreed data sharing, police investigation. Authorised staff should email with encryption or use another encrypted transfer mechanism.

When discussing in public or by telephone, appropriate discretion should be exercised. Details of sensitive material should be kept to a minimum.

Should only be posted using Royal Mail Signed For or equivalent.

Sharing

Intended for public distribution, although embargoes may apply prior to publication.

Can share for business purposes, maintaining a need-to-know approach.

Can share via OneDrive, shared drive, SharePoint or publish on authenticated Website.

 

Internal distribution should be according to a strict application of the need-to-know principle. Where there is a reason to share selected or general information from a SENSITIVE report more widely, originators should develop a version at INTERNAL or PUBLIC where possible. Only the minimum amount of data required should be shared and a level of security appropriate for the nature and sensitivity of the data should be used. Departments may have established procedures for doing this, but if in doubt consult the Information Security team.

Can be shared via OneDrive or SharePoint or shared University drive as long as access is appropriately restricted.

Sharing SENSITIVE documents by email should be avoided where possible especially if this can be shared via OneDrive or other sharing method with appropriate access restrictions. If this is not possible, particular care should be taken to ensure, emails, faxes and letters are only sent to named recipients at known addresses where there is an agreed business need to share (a legal agreement with external parties such as contractors and suppliers may be required to cover data protection and confidentiality obligations). See section 4.2 of the MMU Data Protection Policy and consult the Legal team for further guidance.

Destruction

No restrictions.

Destroy in line with University Retention and Disposal Schedule

Information that is not freely available in the public domain should be destroyed in a way that makes reconstitution unlikely.

Destroy in line with University Retention and Disposal Schedule.

Information should be destroyed in a way that makes reconstitution difficult. For example, paper files should be shredded, electronic devices should be wiped or destroyed according to IAS5 or equivalent (which can be done via ISDS).

Destroy in line with University Retention and Disposal Schedule.

Remote Access

Can be held on public website or authenticated systems.

Can be held on systems accessible via authenticated web service or VPN access.

Should only be held on systems requiring VPN access.

Off-site working

No restrictions

Physical assets should be protected in transit, not left unattended, and stored securely. Precautions should be taken to prevent overlooking or inadvertent access when working remotely or in public places.

Removal of physical assets should be confirmed with the asset owner. Physical assets should be protected in transit, not left unattended, and stored securely. Precautions should be taken to prevent overlooking or inadvertent access when working remotely or in public places.

[1] Sensitive personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation; and  the commission or alleged commission by them of any criminal convictions or offence, or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings..

Compliance

Failure to comply with this procedure could result in action in line with the University’s Disciplinary Procedure or Capability Procedure.

Compliance checks will be undertaken by the University’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Security Board.

Related documents

This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System.

Browse Information Security policies and control procedures

Review

A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and will be approved by the Information Security Board.

Information Security