An overview on what is Data Classification
1. Why is this important?
The University uses large volumes and a great diversity of information to support its business and teaching activities and to achieve its corporate strategic aims. Information that the University manages needs to be appropriately secured to protect against consequences of breaches of confidentiality, failures of integrity, interruption to availability and failure to comply with legal requirements, regulatory requirements, and information security certification standards.
To protect information consistently, it is necessary to define a University-wide scheme for classifying (describing) information and how it should be handled according to its requirements for confidentiality, integrity, and availability.
We should classify information so that it is clear to everyone with access to know how best to protect it. Everyone (including partners, contractors, and associated partnerships) should use the University's Data Classification and Handling Procedure in the framework below, when creating, storing, or publishing information for University business purposes.
Particular care must be taken to ensure that third-party information marked as ‘Confidential’ is handled in accordance with this procedure, in order for the University to meet data sharing and non-disclosure agreements for commercial agreements.
The procedure describes how information and systems should be classified and marked, according to their confidentiality, criticality, or value. Decisions around the appropriate protection and use of the information in each classification are based on the consequences of the loss or disclosure of the information.
The procedure relates to all types of information and formats and applies to staff but also covers students and third parties wherever appropriate.
The procedure is a mandatory part of the University Information Security Framework and is overseen by the Information Data Quality Committee. The University recognises that there may be legitimate circumstances where it is not possible to adhere to this procedure. In these cases, you must seek advice from the University Data Protection Officer.
You should assess the sensitivity of the information you create and receive using table A below and take proportionate measures to ensure that information is used securely – the key controls for protecting information are available in Annexes B.
Where information classified as Confidential, is shared with others for a valid University business reason, everyone should ensure that the recipient is aware of the information’s classification and their obligation to protect it. Access to information in these classifications by a third party requires a data sharing or confidentiality agreement in place, signed on behalf of the University and the other party.
The Legal Services team can help you with this requirement.
The University is expected to inform the Information Commissioner’s Office of any significant information security breach relating to personal data as per the GDPR or Data Protection Act 2018 and has an obligation to report any significant breaches pertaining to other types of ‘sensitive’ information to the data owner and other relevant parties. The University recognises that failure to adhere to its legislative, regulatory, and contractual obligations may result in significant financial and legal penalties and reputational damage.
It is therefore vital that everyone reports any observed or suspected security incidents where a breach of the University’s security policies has occurred, any security weaknesses in, or threats to, systems or services.
You should immediately report any actual or suspected information security breaches by completing the Data Breach Reporting Form https://www.wlv.ac.uk/about-us/governance/legal-information/corporate-compliance/data-protection/ and emailing to firstname.lastname@example.org
Please categorise your data / information using the three classes below or use this Data_Classification_postcard for guidance.
Information classed as PUBLIC or unclassified
This information can be readily shared and made publicly available with no adverse consequences for any organisation or individual.
Typical content might be:
PERSONAL INFORMATION (DATA)
- Information about individuals made public, with their consent, on social media sites or University websites
- Anonymised information.
NON-PERSONAL INFORMATION (DATA)
- Information on the University website (marketing, recruitment, services, support, course details)
- Information used on social media
- News updates
- Some policy documents
- Published Research
- Published Financial information
- Most areas published under the Freedom of Information request
Largely to @wlv.ac.uk addresses or other internaldomains
(take care to check recipient(s) addresses)
|Visibly marked ‘CONFIDENTIAL’; To be created
(and stored) only in a secure environment and copies
be limited and recorded
|Can Email||Yes||Largely to @wlv.ac.uk addresses or other internal domains
(take care to check recipient(s) addresses)
|Recommended as encrypted/password protected
attachment (take care to check recipient(s) addresses)
|Need to password
protect file in transit
|N/A||N/A||Password to meet University standard, consider encryption
to be used to protect file (AES-256 minimum standard)
|Can access remotely||Use University VPN||Use University VPN||Use University VPN|
|Access controls||May be viewed by anyone, anywhere in the World, not restricted||Available to all University of Wolverhampton members (e.g. secured behind a login screen)||Access is controlled and restricted to a small number of authorised University of Wolverhampton members (e.g. secured behind a login screen, requires authorisation to gain access)|
|Can share via SharePoint||Yes||Yes||Consider encrypting/password protecting files for extra security (password to meet University standard)|
|Can share via OneDrive@Wlv.ac.uk||Yes||Largely to @wlv.ac.uk addresses or other internal domains (take care to check recipient(s) addresses)||Consider encrypted/password protected (take care to check recipient(s) addresses)|
|Can keep on University managed laptops or other encrypted portable media||Yes||Only store on temporary basis whilst required for work, care must be taken to protect from loss or theft||Only on temporary basis and if encrypted/password protected, taking care to avoid loss or theft|
|Can keep on personally owned devices||Yes||Yes||No|
|Store on University Servers||Preferable storage is backed up personal or shared storage||Only store in backed up personal or shared storage locations. Access must be limited to those persons requiring access for business purposes (either by adding passwords to the document, encrypting document or apply restricted permission rights to folder)||Only in backed up personal or shared network spaces with access restricted to only those with a valid right to access the information(either by adding a password to the document, encrypting it or apply permissions to a folder)|
|Creation||N/A||N/A||Visibly marked ‘CONFIDENTIAL’ To be created (and stored) only in a secure environment and copies be limited, numbered, and recorded. Copies delivered by hand.|
|Storage in University||N/A||Locked filing cabinet or equivalent in office which is locked when unattended or office space is always attended||Locked filing cabinet or equivalent in office which is always locked or attended|
|Can take offsite||Yes||For shortest time possible and documents to be always kept securely and within personal possession||Only exceptionally and with authorisation from line manager; documents to be kept securely and within personal possession|
|Can Post||Yes||Yes||Double envelope with inner envelope marked as stated above (Highly Confidential), hand delivered, recorded or courier delivery|
|Secure Disposal||Standard recycling||Shredded recycling||Confidential waste shredding|
|Version||Approved Date||Review Date||Author/Owner||Approved By|
|1||May 2021||May 2024||Digital Services||University's Corporate Management Team|