Guidance on using Information Classification

The University has defined four classification levels:

Public - information that can be seen by anyone and is created to be shared publicly by the University for anyone to access.
Internal - information that must be seen by members of the University only or authenticate external sharing.
Confidential - information that can be seen by University members on a need-to-know basis as determined by the responsible Data Owner.
Secret - information that can be seen by University members who have been explicitly cleared and vetted for access.

This guidance will help you to:

Identify the correct classifications for your information and provide examples of how to store, share and dispose of information and the media it may be on.
A significant number of compromises come from incorrect sharing of information. The guidance supports internal and external sharing and collaboration and how to do that securely.
Protect the interests of all those who have dealings with the University and about whom it may hold information (including staff, students, alumni, funders, collaborators, business partners, supporters).
Where it may be appropriate to re-classify information after a period of time.
Meet legal, ethical and statutory obligations and promote good practice in relation to information handling.

	Public
Description	UoY information that can be seen by anyone.
Examples	Prospectus, programme and course information Published department, research or support websites, Wordpress, microsites, etc Press releases (not under embargo) Flyers and publicity leaflets Publicly streamed information (eg Graduation ceremony, Festival of Ideas talk) Published information released under the Freedom of Information Act 2000 or Environmental Information Regulations 2004 or published under the University’s Publication Scheme
UoY provided storage	Electronic information should be stored using UoY IT facilities to ensure appropriate management, back-up and access Google Shared Drives (avoid personal Google Drive for shared Public information) OneDrive Central Storage
Personal (BYOD) storage	Allowed Mastered or original copy must be on UoY storage
Access, collaboration and exchange Internal sharing and collaboration	Can be shared via UoY IT storage facilities (as defined above), UoY email or the Drop-off service via the internet without the recipient requiring a UoY username and password. There are no access controls and information can be circulated freely subject to applicable laws eg copyright, contract and competition law, and data protection laws. May be accessed from outside the University and via any device without specific file encryption. Can be printed and transferred by internal mail or post.
Access, collaboration and exchange External sharing and collaboration	Can be shared externally for access, hosting or wider distribution. Artificial Intelligence (AI) can be used in the creation or processing of information at this classification.
Disposal	Information must be retained in accordance with the University’s Retention Schedule and disposed of in line with its guidance on disposal. Electronic information should be deleted using normal file deletion processes. Printed copies can be disposed of via the paper recycling scheme.
Classification changes	Public information may not be reclassified to any other level.

	Internal
Description	UoY information that can be seen by members of the UoY.
Examples	Content of intranets, wikis or knowledge bases requiring login with your University account University timetable Online directories of contact details Teaching, course and training materials Internal University communications
UoY provided storage	Electronic and paper-based information must be stored using UoY-provided facilities with appropriate access controls/edit rights. Removable media (eg USB) is not to be used for long-term storage of Internal information. Removable media may be used for transaction purposes.
Personal (BYOD) storage	Mastered information must be on UoY Limited temporary storage permitted: Time limited storage with move to UoY storage/master copy on UoY Must not be stored on personal cloud storage Requires devices to be on the BYOD register No personal USB storage.
Access, collaboration and exchange Internal sharing and collaboration	Must be circulated on a need-to-know basis to a defined list of UoY users, subject to applicable laws (eg copyright) and UoY regulations. Can be shared using UoY IT facilities (eg wiki, knowledge base, Shared Drives) as long as the access lists to those facilities are known and maintained. Can be printed and circulated via the UoY internal mail in a sealed envelope.
Access, collaboration and exchange External sharing and collaboration	Where external sharing is required via the internet, the user must provide UoY provisioned authentication, eg Shared Drive, Drop-off, etc. If file sharing via email use links rather than attachments. Can be printed and circulated via postal service in a sealed envelope. Artificial Intelligence (AI) can be used in the creation or processing of information with the following conditions: You are using a University paid AI service. Consult with IT Services; it must not be procured directly. You must not use free AI services as they do not provide the assurances we need to protect information and may use information submitted to ‘train’ the AI. Accounts for AI use must be under your University of York email address and where possible you must 'Sign in with Google' functionality. Information submitted must not contain details of online directories such as mail lists, departmental teams and staff.
Disposal	Information must be retained in accordance with the University’s Retention Schedule and disposed of in line with its guidance on disposal. Electronic equipment holding this information must be disposed of using the UoY secure IT waste disposal service. Printed copies should be disposed of via the UoY confidential waste scheme.
Classification changes	Internal information may move between classifications (eg exam papers).

	Confidential
Description	UoY information that can be seen by UoY members on a need-to-know basis as determined by the responsible Data Owner.
Examples	Special category data, ie data revealing: Racial or ethnic origin; Political opinions; Religious or philosophical beliefs; Trade union membership Genetic data Biometric data Health Sex life Sexual orientation. Legally privileged information. Information that would disadvantage the University on commercial or policy negotiations (eg planned procurement, patents, management forecasts). Research data and papers intended to lead to patentable results. Personal or commercially sensitive data gathered/used in research. Information which would breach contractual agreements, a statutory restriction on disclosure, or a duty of care Investigations and disciplinary proceedings Financial data including bank account details, NI numbers and internal budgeting Information that would impact the security of information or campus safety eg, location of CCTV cameras, server locations, system configurations and all passwords University and third-party contractor/supplier information Embargoed information
UoY provided storage	Electronic information must be stored using UoY IT facilities with appropriate access/edit rights. Portable devices must have full disk encryption. Unencrypted removable media (eg USB sticks) must not be used. Encrypted removable media are not permitted without evaluating other options with Cyber Security. Large accumulations of data should not be downloaded or copied. See guidance on Confidential records and remote working.
Personal (BYOD) storage	No saving or processing on personal devices or storage (BYOD).
Access, collaboration and exchange Internal sharing and collaboration	Information must be marked 'Confidential' and the intended recipients clearly indicated. An optional descriptor, to state the reason for, or the level of confidentiality, may be used. Access to confidential data must be strictly controlled by the Information Owner who should conduct regular access reviews. Confidential information may be shared with authorised users via UoY IT facilities, including remote access, but must be subject to UoY authentication. Information must be stored on central services eg Google Drive, Central Storage etc. Local storage is advised against but where required must be limited data set/files and only be on a University Managed Device and not on BYOD. Send hard copy information in a sealed envelope. Consider delivery by hand or asking the recipient to confirm receipt. Packaging should be sufficient to protect the contents.
Access, collaboration and exchange External sharing and collaboration	Information must be marked 'Confidential' and the intended recipients clearly indicated. An optional descriptor, to state the reason for, or the level of confidentiality, may be used. Access to confidential data must be strictly controlled by the Information Owner who should conduct regular access reviews. Confidential information may be shared with authorised users via UoY IT facilities, including remote access, but must be subject to UoY authentication. Information must be stored on central services eg Google Drive, Central Storage, etc. Local storage is advised against but where required must be limited data set/files and only be on a University Managed Device and not on BYOD. Send hard copy information in a sealed envelope. Consider delivery by hand or asking the recipient to confirm receipt. Packaging should be sufficient to protect the contents. The use of Artificial Intelligence (AI) tools should not be used without a separate review and sign off. A DPIA will be needed for personal data, as processing is often high-risk.
Disposal	Information must be retained in accordance with the University’s Retention Schedule and disposed of in line with its guidance on disposal. Electronic equipment holding this information must be disposed of using the UoY secure IT waste disposal service. Printed copies should be disposed of via the UoY confidential waste scheme or departmental cross-cut shredding facilities.
Classification changes	Confidential information is likely to move into the Internal and/or Public classifications over time (eg commercially sensitive information).

	Secret
Description	UoY information that can be seen by UoY members who have been explicitly cleared and vetted for access.
Examples	Criminal offence or conviction data Information specified as Secret by external partners or agencies Information subject to legislation, eg Official Secrets Act
UoY provided storage	Specifically defined storage areas must be set-up with restricted access. Storage on portable devices and removable media (eg USB sticks) must not be used. Data should not be downloaded or copied.
Personal (BYOD) storage	Not permitted.
Access, collaboration and exchange Internal sharing and collaboration	Internal sharing must be strictly limited to individuals involved in the required processing of the information. Information provided by an external partner may require the partner to approve internal sharing through named contact.
Access, collaboration and exchange External sharing and collaboration	External sharing is prohibited unless it is explicitly agreed with the Information Owner. If information is provided by an external partner they must positively confirm they agree to onward sharing criteria and UoY members confirm they apply partner criteria. The use of Artificial Intelligence (AI) is not permitted at this level of classification without approval from the relevant Ethics Committee, Data Protection Officer, Head of Cyber Security and relevant external partners or agencies.
Disposal	Information must be retained in accordance with the University’s Retention Schedule. Secret information must be securely destroyed by UoY prior to any supporting media being issued for physical destruction.
Classification changes	Classification changes must be authorised by the Information Owner/External Partner or Agency. Authorisation must be recorded.

Information classification and handling use cases