Data Classification Policy


Corporate, Digital Services

An overview on what is Data Classification 

1. Why is this important?

The University uses large volumes and a great diversity of information to support its business and teaching activities and to achieve its corporate strategic aims. Information that the University manages needs to be appropriately secured to protect against consequences of breaches of confidentiality, failures of integrity, interruption to availability and failure to comply with legal requirements, regulatory requirements, and information security certification standards. 

To protect information consistently, it is necessary to define a University-wide scheme for classifying (describing) information and how it should be handled according to its requirements for confidentiality, integrity, and availability.  

We should classify information so that it is clear to everyone with access to know how best to protect it. Everyone (including partners, contractors, and associated partnerships) should use the University's Data Classification and Handling Procedure in the framework below, when creating, storing, or publishing information for University business purposes. 

Particular care must be taken to ensure that third-party information marked as ‘Confidential’ is handled in accordance with this procedure, in order for the University to meet data sharing and non-disclosure agreements for commercial agreements.


The procedure describes how information and systems should be classified and marked, according to their confidentiality, criticality, or value. Decisions around the appropriate protection and use of the information in each classification are based on the consequences of the loss or disclosure of the information.   

The procedure relates to all types of information and formats and applies to staff but also covers students and third parties wherever appropriate. 

The procedure is a mandatory part of the University Information Security Framework and is overseen by the Information Data Quality Committee. The University recognises that there may be legitimate circumstances where it is not possible to adhere to this procedure. In these cases, you must seek advice from the University Data Protection Officer. 

You should assess the sensitivity of the information you create and receive using table A below and take proportionate measures to ensure that information is used securely – the key controls for protecting information are available in Annexes B. 

Where information classified as Confidential, is shared with others for a valid University business reason, everyone should ensure that the recipient is aware of the information’s classification and their obligation to protect it. Access to information in these classifications by a third party requires a data sharing or confidentiality agreement in place, signed on behalf of the University and the other party.

The Legal Services team can help you with this requirement. 

The University is expected to inform the Information Commissioner’s Office of any significant information security breach relating to personal data as per the GDPR or Data Protection Act 2018 and has an obligation to report any significant breaches pertaining to other types of ‘sensitive’ information to the data owner and other relevant parties. The University recognises that failure to adhere to its legislative, regulatory, and contractual obligations may result in significant financial and legal penalties and reputational damage. 

It is therefore vital that everyone reports any observed or suspected security incidents where a breach of the University’s security policies has occurred, any security weaknesses in, or threats to, systems or services.  

You should immediately report any actual or suspected information security breaches by completing the Data Breach Reporting Form and emailing to 


Please categorise your data / information using the three classes below or use this Data_Classification_postcard for guidance. 

Information classed as PUBLIC or unclassified 

This information can be readily shared and made publicly available with no adverse consequences for any organisation or individual. 

Typical content might be: 


  • Information about individuals made public, with their consent, on social media sites or University websites
  •  Anonymised information. 


  • Information on the University website (marketing, recruitment, services, support, course details)
  • Information used on social media 
  • News updates 
  • Some policy documents 
  • Published Research 
  • Published Financial information 
  • Most areas published under the Freedom of Information request


Activity  Public   Restricted   Confidential  
 Creation    N/A   

Largely to addresses or other internal domains

(take care to check recipient(s) addresses)  

Visibly marked ‘CONFIDENTIAL’; To be created
(and stored) only in a secure environment and copies
be limited and recorded   
Can Email    Yes    Largely to addresses or other internal domains
(take care to check recipient(s) addresses)   
Recommended as encrypted/password protected
attachment (take care to check recipient(s) addresses)  
Need to password
protect file in transit   
N/A   N/A   Password to meet University standard, consider encryption
to be used to protect file (AES-256 minimum standard)  
Can access remotely   Use University VPN    Use University VPN   Use University VPN  
Access controls    May be viewed by anyone, anywhere in the World, not restricted    Available to all University of Wolverhampton members (e.g. secured behind a login screen)  Access is controlled and restricted to a small number of authorised University of Wolverhampton members (e.g. secured behind a login screen, requires authorisation to gain access)   
Can share via SharePoint    Yes   Yes   Consider encrypting/password protecting files for extra security (password to meet University standard)  
Can share via    Yes    Largely to addresses or other internal domains (take care to check recipient(s) addresses)  Consider encrypted/password protected (take care to check recipient(s) addresses) 
Can keep on University managed laptops or other encrypted portable media   Yes  Only store on temporary basis whilst required for work, care must be taken to protect from loss or theft   Only on temporary basis and if encrypted/password protected, taking care to avoid loss or theft  
Can keep on personally owned devices   Yes   Yes   No 
Store on University Servers   Preferable storage is backed up personal or shared storage   Only store in backed up personal or shared storage locations. Access must be limited to those persons requiring access for business purposes (either by adding passwords to the document, encrypting document or apply restricted permission rights to folder)   Only in backed up personal or shared network spaces with access restricted to only those with a valid right to access the information(either by adding a password to the document, encrypting it or apply permissions to a folder)  
 Activity   Public    Restricted   Confidential 
 Creation  N/A N/A Visibly marked ‘CONFIDENTIAL’  To be created (and stored) only in a secure environment and copies be limited, numbered, and recorded. Copies delivered by hand.  
Storage in University  N/A  Locked filing cabinet or equivalent in office which is locked when unattended or office space is always attended  Locked filing cabinet or equivalent in office which is always locked or attended 
Can take offsite    Yes  For shortest time possible and documents to be always kept securely and within personal possession Only exceptionally and with authorisation from line manager; documents to be kept securely and within personal possession
Can Post  Yes  Yes  Double envelope with inner envelope marked as stated above (Highly Confidential), hand delivered, recorded or courier delivery 
Secure Disposal  Standard recycling  Shredded recycling  Confidential waste shredding 
 Version   Approved Date   Review Date  Author/Owner   Approved By 
May 2021  May 2024  Digital Services   University's Corporate Management Team