Information classification & handling

Related pages

Policy for device access to University information

The University aims to embed good information handling processes in all that it does, and make protecting information part of our culture.

The Information Classification and Handling Scheme provides guidance on the classification of information and the different levels of security required.

It encompasses all information held by the University, in any format (electronic and hard-copy).

Benefits of the Information Classification and Handling Scheme

The scheme will help to:

protect information from accidental or deliberate compromise, which may lead to damage and/or be a criminal offence

meet legal, ethical and statutory obligations

protect the interests of all those who have dealings with the University and about whom it may hold information (including staff, students, alumni, funders, collaborators, business partners, supporters)

promote good practice in relation to information handling

Using descriptors

Information may be marked with a descriptor to identify the reason why the classification is applied and an expiry date if appropriate.

A descriptor can be used to show when information also falls within another organisation's classification scheme (eg the Government Protective Marking Scheme).

For Confidential information it is advisable to note clearly the group who may have access. For example:

Confidential - personal
Confidential - commercially sensitive - [named groups and individuals]
Confidential - exams - expires 1 July 2013 and becomes public
Confidential - GPMS Secret

The Information Classification and Handling Scheme

	Public	Restricted	Confidential
Description	UoY information that can be seen by anyone.	Non-confidential information where dissemination is restricted for policy or contractual reasons, eg to members of the UoY, a committee, partners, suppliers or affiliates.	Information which is sensitive because it is personal data, commercial or legal information, under embargo prior to wider release, or which could not be disclosed under Freedom of Information legislation. Included information about an individual or the institution. May also include information provided to the UoY by other organisations.
Examples	Prospectus, programme and course information Press releases (not under embargo) Open content on the UoY website Flyers and publicity leaflets Published information released under the Freedom of Information Act	Some committee minutes Departmental intranets University timetable Online directory of contact details Teaching materials Procurement documents	Student personal details Staff personal details Sensitive data relating to an individual eg patient research data Some press releases Some financial transactions Some internal reports Some commercial contracts Some research data
Storage	Electronic information should be stored using UoY IT facilities to ensure appropriate management, back-up and access.	Electronic and paper-based information must be stored using UoY-provided facilities.	Electronic information must be stored using UoY IT facilities. Portable devices must have full disk encryption. Unencrypted removable media (eg USB sticks) must not be used. Encrypted removable media are not permitted without evaluating other options.
Dissemination & access	Can be shared via the web without requiring a UoY username & password. Can be circulated freely subject to applicable laws eg copyright, contract, competition. May be accessed remotely and via any device without encryption.	Can be shared via the web but the user must provide UoY authentication. Can be circulated on a need-to-know basis to UoY members subject to applicable laws (eg copyright) and UoY regulations. May be accessed remotely and via disk-encrypted portable and mobile devices without further encryption.	Access to confidential data must be strictly controlled by the Information Owner who should conduct regular access reviews. Some types of confidential information may be shared with authorised users via UoY IT facilities, including remote access, subject to UoY authentication. For web access encryption must be used. Must not be extracted from UoY IT systems and stored on local IT systems. All devices used to access confidential information must be UoY managed or be encrypted and require a password or PIN to access (eg personal PC, laptop, tablet or phone)
Exchange & collaboration	Can be exchanged via email or file sharing without needing encryption.	Can be exchanged via email without needing encryption. Can be shared using UoY IT facilities (eg wiki, shared filestore). Can be printed and circulated via the UoY internal mail service.	The appropriate method for exchanging information must be decided taking into account the nature and volume of the information being exchanged and the impact of inappropriate disclosure. Must be encrypted and use UoY provided facilities. Information must be marked 'Confidential' and the intended recipients clearly indicated. An optional descriptor, to state the reason for confidentiality, may be used. Duplicate copies of confidential information must be avoided. Where copies are necessary the protective marking must be carried with the information. Where paper copies are required for sharing, secure delivery methods must be used
Disposal	Electronic information should be deleted using normal file deletion processes in accordance with any retention schedule. Printed copy should be disposed of via the UoY paper recycling scheme and in accordance with any retention schedule.	Electronic equipment holding this information must be disposed of using the UoY secure IT waste disposal service and in accordance with any retention schedule. Printed copy should be disposed of via the UoY confidential waste scheme and in accordance with any retention schedule.	Electronic equipment holding this information must be disposed of using the UoY secure IT waste disposal service and in accordance with any retention schedule. Printed copy should be disposed of via the UoY confidential waste scheme or departmental shredding facilities in accordance with any retention schedule. Large accumulations of data should not be downloaded or copied.
Classification changes	Public information may not be reclassified to any other level.	Restricted information may move between classifications (eg exam papers)	Confidential information is likely to move into the Restricted and/or Public classifications over time (eg commercially sensitive information)

Case study: exam papers

Exam papers start their life as 'Restricted'; once the exam has been held they might become 'Confidential' (to the UoY and its students, to protect intellectual property in module design and examination) for a period of years, and then become 'Public' as their sensitivity declines over time.