Information classification

The University aims to embed good information handling processes in all that it does, and make protecting information part of our culture.

The Information Classification Policy provides guidance on the classification of information and the different levels of security required. It replaces the Information Classification and Handling Scheme.

It encompasses all information held by the University, in any format (electronic and hard-copy).

Benefits of the Information Classification Policy

The policy will help to:

  • protect information from accidental or deliberate compromise, which may lead to damage and/or be a criminal offence
  • meet legal, ethical and statutory obligations
  • protect the interests of all those who have dealings with the University and about whom it may hold information (including staff, students, alumni, funders, collaborators, business partners, supporters)
  • promote good practice in relation to information handling.

Information Classification and Handling Policy

1 Policy

1.1 The University requires that information is protected in line with its value and sensitivity and the impact of loss or compromise.

1.2 Information handling processes ensure that we have assessed the risk to the information of loss, damage or compromise of availability or integrity, and manage that risk to allow everyone to be aware of the requirements on handling, sharing and storing different types of information.

1.3 The ‘marking’ of information (document labels, email subject lines, etc.) is not required as long as information is stored, and access, collaboration and exchange are managed, in accordance with this policy.

1.4 The University has defined four classification levels:

  • Public - information that can be seen by anyone and is created to be shared publicly by the University for anyone to access.
  • Internal - information that must be seen only by members of the University or through authenticated external sharing, and for which the impact of inappropriate disclosure would have a low level of risk.
  • Confidential - information that can be seen by University members on a need-to-know basis as determined by the responsible Data Owner.
  • Secret - information that can be seen by University members who have been explicitly cleared and vetted for access.

1.5 Where advised of an external Information Classification that must be applied, University members must select the appropriate marking from this policy or seek guidance from the Records Management or Cyber Security Team.

2 Scope

2.1 This policy covers information generated by or provided to the University in any format (electronic and hard copy).

2.2 This policy establishes the requirement for the classification of information, and the associated guidance provides detail on the levels of security required to protect information at each classification level.

2.3 All members of the University (including staff, students, contractors, agency workers and associates) are responsible for handling information in accordance with its classification, complying with this policy and with relevant legislation.

3 Oversight

3.1 Overall responsibility for information security in the University is delegated from the Vice Chancellor, via the Chief Operating Officer, as Senior Information Risk Owner, to the Director of IT Services.

3.2 The Information Security Board, chaired by the Senior Information Risk Owner, is responsible for approval of primary Information Security Policy and sponsoring the information security framework.

3.3 The Information Security Board is responsible for regular policy reviews and monitors the effectiveness of the information security framework across the University.

3.4 This policy operates under the framework of the wider Information Security Policy and appropriate measures and sanctions.

3.5 The Records Manager, Data Protection Officer and Head of Cyber Security will review this policy and maintain associated guidance.

4 Responsibilities

4.1 All information users are responsible for protecting and ensuring the security of the information to which they have access.

4.2 Applying this policy, in line with the supporting guidance and use cases, will support the protection of information from accidental or deliberate compromise, which may lead to damage and/or be a criminal offence.

4.3 All information users must be aware of legal, contractual, ethical and statutory obligations when handling information and apply classification guidance appropriately.

4.4 Where you are the recipient of data from an external partner who communicates their classification marking, you must benchmark it against the University’s policy and guidance and apply that. Support can be obtained from the Records Management or Cyber Security teams.

4.5 University Officers, Heads of Departments and Section Heads are responsible for ensuring that all information in their area is managed in conformance with this policy and for promoting good practice in relation to information handling.

4.6 Associates, contractors, consultants or visitors who act in breach of this policy, or who do not observe the requirement of security and privacy, may have access withdrawn.

4.7 For queries on wider handling and classification issues (e.g. as used in record retention schedules or worked into departmental information asset registers), contact Records Management.

4.8 Any breach of information security or violation of this policy must be reported to Cyber Security, via CERT (cert@york.ac.uk), who will take appropriate action and inform the relevant contacts within and outside the University.

5 Policy implementation documents

5.1 The Information Classification and Handling guidance table provides descriptions and examples for applying this policy.

5.2 Information classification levels are included for different categories of record in the corporate retention schedule.

5.3 This document, together with related Information Security and Records Management policies and implementation documents, is also available in our University Information Policy index.

Support

For support in ensuring you are meeting the requirements of this policy, contact the Records Management Team (records-manager@york.ac.uk) or the Cyber Security Team (cyber-policy@york.ac.uk).