Data Classification Policy
Updated May 2021. Approved by the University's Corporate Management Team
Data Classification policy and framework
1. Why is this important?
The University uses large volumes and a great diversity of information to support its business and teaching activities and to achieve its corporate strategic aims. Information that the University manages needs to be appropriately secured to protect against consequences of breaches of confidentiality, failures of integrity, interruption to availability and failure to comply with legal requirements, regulatory requirements, and information security certification standards.
To protect information consistently, it is necessary to define a University-wide scheme for classifying (describing) information and how it should be handled according to its requirements for confidentiality, integrity, and availability.
We should classify information so that everyone with access to it knows how best to protect it. Everyone (including partners, contractors, and associated partnerships) should use the University's Data Classification and Handling Procedure in the framework below when creating, storing, or publishing information for University business purposes.
Particular care must be taken to ensure that third-party information marked as ‘Confidential’ is handled in accordance with this procedure, in order for the University to meet data sharing and non-disclosure agreements for commercial agreements.
2. What is the Data Classification and Handling Procedure?
The procedure describes how information and systems should be classified and marked, according to their confidentiality, criticality, or value. Decisions around the appropriate protection and use of the information in each classification are based on the consequences of the loss or disclosure of the information.
The procedure relates to all types of information and formats and applies to staff but also covers students and third parties wherever appropriate.
The procedure is a mandatory part of the University Information Security Framework and is overseen by the Information Data Quality Committee. The University recognises that there may be legitimate circumstances where it is not possible to adhere to this procedure. In these cases, you must seek advice from the University Data Protection Officer.
3. What do I need to do?
You should assess the sensitivity of the information you create and receive using table A below and take proportionate measures to ensure that information is used securely – the key controls for protecting information are available in Annexes B and C below.
Where information classified as Confidential is shared with others for a valid University business reason, everyone should ensure that the recipient is aware of the information’s classification and their obligation to protect it. Access to information in this classification by a third party requires a data sharing or confidentiality agreement to be in place, signed on behalf of the University and the other party. The Legal Services team can help you with this requirement.
4. What should I do if I suspect an information security breach?
The University is expected to inform the Information Commissioner’s Office of any significant information security breach relating to personal data as per the GDPR or Data Protection Act 2018 and has an obligation to report any significant breaches pertaining to other types of ‘sensitive’ information to the data owner and other relevant parties. The University recognises that failure to adhere to its legislative, regulatory, and contractual obligations may result in significant financial and legal penalties and reputational damage.
It is therefore vital that everyone reports any observed or suspected security incidents where a breach of the University’s security policies has occurred, and any security weaknesses in, or threats to, systems or services.
You should immediately report any actual or suspected information security breaches by completing the Data Breach Reporting Form (https://www.wlv.ac.uk/about-us/governance/legal-information/corporate-compliance/data-protection/) and emailing it to dataprotection@wlv.ac.uk
Classifying Your Information / Data
Please categorise your data / information using the three classes below or use this Data_Classification_postcard for guidance.
Appendix A – Handling Electronic Information
| Activity | Public | Restricted | Confidential |
|---|---|---|---|
| Creation | N/A | Largely to @wlv.ac.uk addresses or other internal domains (take care to check recipient(s) addresses) | Visibly marked ‘CONFIDENTIAL’; to be created (and stored) only in a secure environment, with copies limited and recorded |
| Can Email | Yes | Largely to @wlv.ac.uk addresses or other internal domains (take care to check recipient(s) addresses) | Recommended as an encrypted/password protected attachment (take care to check recipient(s) addresses) |
| Need to password protect file in transit | N/A | N/A | Password to meet University standard; consider using encryption to protect the file (AES-256 minimum standard) |
| Can access remotely | Use University VPN | Use University VPN | Use University VPN |
| Access controls | May be viewed by anyone, anywhere in the world; not restricted | Available to all University of Wolverhampton members (e.g. secured behind a login screen) | Access is controlled and restricted to a small number of authorised University of Wolverhampton members (e.g. secured behind a login screen; requires authorisation to gain access) |
| Can share via SharePoint | Yes | Yes | Consider encrypting/password protecting files for extra security (password to meet University standard) |
| Can share via OneDrive@Wlv.ac.uk | Yes | Largely to @wlv.ac.uk addresses or other internal domains (take care to check recipient(s) addresses) | Consider encrypting/password protecting (take care to check recipient(s) addresses) |
| Can keep on University managed laptops or other encrypted portable media | Yes | Only store on a temporary basis whilst required for work; care must be taken to protect from loss or theft | Only on a temporary basis and if encrypted/password protected, taking care to avoid loss or theft |
| Can keep on personally owned devices | Yes | Yes | No |
| Store on University Servers | Preferred storage is backed up personal or shared storage | Only store in backed up personal or shared storage locations. Access must be limited to those persons requiring access for business purposes (by adding a password to the document, encrypting the document, or applying restricted permission rights to the folder) | Only in backed up personal or shared network spaces with access restricted to those with a valid right to access the information (by adding a password to the document, encrypting it, or applying permissions to the folder) |
Appendix B – Handling paper and other non-digital media
| Activity | Public | Restricted | Confidential |
|---|---|---|---|
| Creation | N/A | N/A | Visibly marked ‘CONFIDENTIAL’; to be created (and stored) only in a secure environment, with copies limited, numbered, and recorded. Copies delivered by hand. |
| Storage in University | N/A | Locked filing cabinet or equivalent in an office which is locked when unattended or always attended | Locked filing cabinet or equivalent in an office which is always locked or attended |
| Can take offsite | Yes | For the shortest time possible; documents to be kept securely and within personal possession at all times | Only exceptionally and with authorisation from line manager; documents to be kept securely and within personal possession |
| Can Post | Yes | Yes | Double envelope with inner envelope marked as stated above (Highly Confidential); hand delivered, recorded or courier delivery |
| Secure Disposal | Standard recycling | Shredded recycling | Confidential waste shredding |