Information classification

How to classify and handle information belonging to or relating to the University of Plymouth

Anyone who handles University information needs to be aware of the importance and sensitivity of that information so they can handle it appropriately. Storing highly sensitive or valuable data in the wrong place increases the risk that it will be lost or disclosed, which could have serious consequences for the University and the individual concerned. Please read the policy below, which has been re-written to make it simpler and therefore easier to comply with.

Purpose

The Information Classification Policy sets a framework for classifying and handling information belonging to or relating to the University of Plymouth.

Assigning classification levels

The classification of information is based on its level of sensitivity and the level of impact to the University (e.g., impact to organisational operations, organisational assets, or individuals) if the confidentiality, integrity or availability of the information is compromised.

The below table outlines the relationship between the level of damage, the security impact and the information security classification level.

Damage level	Security impact	Information classification
Minimal	Low	Public – Level 3
Moderate	Moderate	Internal Only – Level 2
Serious	High	Strictly Confidential – Level 1

Information classification levels

Public – Level 3

Security impact

Low.

Description

Information should be classified as Public when the unauthorised disclosure, alteration or destruction of that information would result in little or no risk to the University and its affiliates (inconvenient but not debilitating). The University has adopted and abides by the model publication scheme issued by the Information Commissioner’s Office. Read more about freedom of information.

Examples

Programme and course information; press releases; research publications and research datasets cleared for publication; approved University operating policies, e.g., teaching and learning, University services and governance information.

Access control

Viewing:

Unrestricted.

Printing and copying:

Unrestricted.

Modification:

Unrestricted, although modification is advised.

Storage

Electronic:

No restrictions.

Can be stored in any public cloud, including personal and corporate accounts (for example, DropBox, Google Drive or OneDrive).

Paper/hard copy:

No restrictions.

Transmission and collaboration

No restrictions.

Retention

All information must be retained for the legally or contractually required minimum and maximum periods of time. This will vary depending on the type of information under consideration. Importantly, if you are unsure of the retention period, please refer to the University’s Records Retention Schedule.

Disposal

Electronic:

No special requirements other than compliance with Retention Schedule (see above).

Paper/hard copy:

Printed copies can be recycled in the green bags provided around the campus.

Training

General data protection and information security awareness training mandatory for all University and affiliate staff.

User devices

Password protection suggested; locked when not in use.

Internal Only – Level 2

Security impact

Moderate.

Description

Information should be classified as Internal Only when the unauthorised disclosure, alteration or destruction of that information could result in a moderate level of risk to the University or its affiliates.

A reasonable level of security controls should be applied to Internal Only information.

Examples

Internal documents and emails of a non-confidential nature; collaborative documents of a non-confidential nature; building plans and information about the University’s infrastructure.

Access control

Access control must be observed from creation to destruction.

Viewing:

Limited to members of the University, partner organisations and individuals. Not intended for the general public. Information may have limited access for a specific subset of members. Access may be authorised to groups of persons by their job classification or responsibilities (role-based access) and may also be constrained by one’s department.

Printing and copying:

Limited. Printing and copying will be permitted unless stated otherwise.

Modification:

Limited. Authorisation for modification by Information Asset Owner (or their delegate) required and access granted as above for viewing.

Storage

Electronic:

Working copies of documents can reside on an individual’s computer or mobile device (e.g., a laptop computer). Device encryption is suggested.

Cannot be stored in any personal cloud account.

Can be stored in the University’s public cloud (i.e. Microsoft 365 environment), including SharePoint Online and OneDrive for Business.

Can be shared with partners without the requirement for a non-disclosure agreement.

Paper/hard copy:

Do not leave unattended outside of a secure working environment.

Transmission and collaboration

Document or file encryption suggested. Any distributed documents (electronic or paper) should include ‘INTERNAL ONLY in the document header, aligned to the right of the page, or within the document metadata. Hard-printed copy can be transmitted through the normal mail channels.

Retention

Disposal

Electronic:

No special requirements other than compliance with Retention Schedule (see above).

Paper/hard copy:

Printed copies can be recycled in the green bags provided around the campus.

Training

General data protection and information security awareness training mandatory for all University and affiliate staff.

Refresher training carried out every two years.

User devices

Password protection required, locked when not in use. Encryption suggested.

Strictly Confidential – Level 1

Security impact

High.

Description

Information should be classified as Strictly Confidential when unauthorised disclosure, alteration or destruction could result in either personal (or sensitive personal) or internal service configuration data being divulged; this equates to the University being at risk from Information Commissioner’s Office sanctions under the Data Protection Act 2018 and should be considered as a high risk.

A significant level of security controls should be applied to Strictly Confidential information.

Examples

Payroll; student grades; disability, health and wellbeing information; emergency contact details; notes relating to disciplinary processes; research data containing personal or high-value information; medical (including tissue) or clinical trial research data (any other research data stipulated by contract or agreement to be handled with utmost care); commercially sensitive business operations and strategies.

Access control

Access controls must be enforced from creation to destruction.

Viewing:

Limited to members of the University, partner organisations (where covered by data sharing agreements) and individuals, as authorised by Information Asset Owners (or their delegate) on the basis that the individual requires such access in order to perform their job (‘need-to-know’).

Cannot be disclosed to the general public.

Unless only one person needs access to the data (in itself an information risk), access must be granted to those individuals who require it via security groups (role-based access).

Printing and copying:

Limited. Printing and copying is only permitted by individuals in order to perform their duties and where appropriate controls are in place to protect the hard copy from creation to destruction.

Modification:

Limited. Authorisation for modification by Information Asset Owner (or their delegate) required and access granted as above for viewing.

Storage

Electronic:

Working copies of documents can reside on an individual’s computer or mobile device (e.g., a laptop computer). The device must be encrypted using whole-disk encryption. Final or approved copies of documents must be stored within a document management system or a shared storage area with appropriate permissions added to prevent unauthorised access.

Cannot be stored in any personal cloud account.

Can be stored in the University’s public cloud (i.e., Microsoft 365 environment) where not contravening any license or contractual arrangements, with restrictions on who can access the materials.

Cannot be shared publicly.

Can be shared with partners with a non-disclosure agreement or contractual confidentiality terms in effect between all of the relevant parties.

Sharing permissions must be approved by the Information Asset Owner or their delegate.

Paper/hard copy:

In a locked or otherwise secured storage unless it is in use.

Transmission and collaboration

Document or file encryption required for electronic transmission. The University public cloud (Microsoft 365 services) provide encryption in transmission.

Any distributed documents (electronic or paper) must be watermarked as ‘STRICTLY CONFIDENTIAL’ and the intended recipients clearly indicated; if watermarking is not possible ‘STRICTLY CONFIDENTIAL’ must be included in the document header, aligned to the right of the page or within the document metadata.

Printed copies to be delivered in sealed envelopes marked ‘Personal’ or ’Strictly Confidential’.

Retention

Disposal

Electronic:

Must comply with Retention Schedule (see above). On decommissioning of equipment used to store the information, the storage must be securely sanitised following NCSC guidelines. An accompanying certificate of destruction shall be obtained and stored by the person facilitating the destruction.

Paper/hard copy:

Printed copies should be cross-cut shred to DIN 66399 P-3 standard and disposed of in confidential waste (blue) bags.

Training

General data protection and information security awareness training mandatory for all University and affiliate staff.

Refresher training carried out every two years.

Applicable policy and regulation training required.

User devices

Password protection required, locked when not in use. Encryption required.

Location restrictions for storage and transmission

Note: the Data Protection Act 2018 restricts transfers of personal data outside the European Economic Area (EEA), or the protection of the GDPR, unless the rights of the individuals in respect of their personal data is protected in another way (refer to the Information Commissioner's Office for details) or one of a limited number of exceptions applies. Table 4 shows how classification levels affect the choice of storage location.

Location	Public (L3)	Internal Only (L2)	Strictly Confidential (L3)
On-site	S	S, UA	S, UA, E
Off-site (UK only)	S	S, UA	S, UA, E
Off-site (EEA only)	S	S, UA	AC, UA, E
Off-site (non-EEA)	S	AC, UA	AC, UA, E

S = Suitable; AC = Additional checks required; UA = Under access control; E = Encrypted

Security risk assessment, exemption process and authorisation

Where projects, elements of service or research requirements are not able to accommodate the data classification levels stated previously, a security risk assessment should be performed by the Enterprise Security Team or delegate and signed off at the appropriate level dependent on the likelihood and impact of the risk.

Author: Richard Bartlett (Enterprise Security Architect); Version: 2.0; Approved: 9th February, 2021; Next review: Q1 2022

Information security

Once you have identified the classification level of information, you must be aware of the steps you need to take to protect it.

View information and resources on helping to combat security threats and keep your data (and the University's data) safe:

Information security at the University of Plymouth