Data Classification Policy

Updated May 2021. Approved by the University's Corporate Management Team

Data Classification policy and framework

1. Why is this important?

The University uses large volumes and a great diversity of information to support its business and teaching activities and to achieve its corporate strategic aims. Information that the University manages needs to be appropriately secured to protect against consequences of breaches of confidentiality, failures of integrity, interruption to availability and failure to comply with legal requirements, regulatory requirements, and information security certification standards. 

To protect information consistently, it is necessary to define a University-wide scheme for classifying (describing) information and how it should be handled according to its requirements for confidentiality, integrity, and availability. 

We should classify information so that everyone with access to it knows how best to protect it. Everyone (including partners, contractors, and associated partnerships) should use the University's Data Classification and Handling Procedure in the framework below when creating, storing, or publishing information for University business purposes.

Particular care must be taken to ensure that third-party information marked as ‘Confidential’ is handled in accordance with this procedure, in order for the University to meet data sharing and non-disclosure agreements for commercial agreements.

2. What is the Data Classification and Handling Procedure? 

The procedure describes how information and systems should be classified and marked, according to their confidentiality, criticality, or value. Decisions around the appropriate protection and use of the information in each classification are based on the consequences of the loss or disclosure of the information. 

The procedure relates to all types of information and formats and applies to staff but also covers students and third parties wherever appropriate. 

The procedure is a mandatory part of the University Information Security Framework and is overseen by the Information Data Quality Committee. The University recognises that there may be legitimate circumstances where it is not possible to adhere to this procedure. In these cases, you must seek advice from the University Data Protection Officer.

3. What do I need to do? 

You should assess the sensitivity of the information you create and receive using table A below and take proportionate measures to ensure that information is used securely – the key controls for protecting information are available in Annexes B and C below.

Where information classified as Confidential is shared with others for a valid University business reason, everyone should ensure that the recipient is aware of the information’s classification and their obligation to protect it. Access to information in these classifications by a third party requires a data sharing or confidentiality agreement to be in place, signed on behalf of the University and the other party. The Legal Services team can help you with this requirement.

4. What should I do if I suspect an information security breach?

The University is expected to inform the Information Commissioner’s Office of any significant information security breach relating to personal data as per the GDPR or Data Protection Act 2018 and has an obligation to report any significant breaches pertaining to other types of ‘sensitive’ information to the data owner and other relevant parties. The University recognises that failure to adhere to its legislative, regulatory, and contractual obligations may result in significant financial and legal penalties and reputational damage. 

It is therefore vital that everyone reports any observed or suspected security incidents in which a breach of the University’s security policies has occurred, as well as any security weaknesses in, or threats to, systems or services.

You should immediately report any actual or suspected information security breaches by completing the Data Breach Reporting Form (https://www.wlv.ac.uk/about-us/governance/legal-information/corporate-compliance/data-protection/) and emailing it to dataprotection@wlv.ac.uk.

Classifying Your Information / Data

Please categorise your data / information using the three classes below or use this Data_Classification_postcard for guidance.

Appendix A – Handling Electronic Information 

| Activity | Public | Restricted | Confidential |
|---|---|---|---|
| Creation | N/A | Largely to @wlv.ac.uk addresses or other internal domains (take care to check recipient(s) addresses) | Visibly marked ‘CONFIDENTIAL’; to be created (and stored) only in a secure environment, with copies limited and recorded |
| Can email | Yes | Largely to @wlv.ac.uk addresses or other internal domains (take care to check recipient(s) addresses) | Recommended as an encrypted/password-protected attachment (take care to check recipient(s) addresses) |
| Need to password-protect file in transit | N/A | N/A | Password to meet University standard; consider using encryption to protect the file (AES-256 minimum standard) |
| Can access remotely | Use University VPN | Use University VPN | Use University VPN |
| Access controls | May be viewed by anyone, anywhere in the world; not restricted | Available to all University of Wolverhampton members (e.g. secured behind a login screen) | Access is controlled and restricted to a small number of authorised University of Wolverhampton members (e.g. secured behind a login screen; requires authorisation to gain access) |
| Can share via SharePoint | Yes | Yes | Consider encrypting/password-protecting files for extra security (password to meet University standard) |
| Can share via OneDrive@Wlv.ac.uk | Yes | Largely to @wlv.ac.uk addresses or other internal domains (take care to check recipient(s) addresses) | Consider encrypting/password-protecting (take care to check recipient(s) addresses) |
| Can keep on University-managed laptops or other encrypted portable media | Yes | Only store on a temporary basis whilst required for work; care must be taken to protect from loss or theft | Only on a temporary basis and if encrypted/password-protected, taking care to avoid loss or theft |
| Can keep on personally owned devices | Yes | Yes | No |
| Store on University servers | Preferred storage is backed-up personal or shared storage | Only store in backed-up personal or shared storage locations. Access must be limited to those persons requiring access for business purposes (either by adding a password to the document, encrypting the document, or applying restricted permission rights to the folder) | Only in backed-up personal or shared network spaces with access restricted to only those with a valid right to access the information (either by adding a password to the document, encrypting it, or applying permissions to a folder) |

Appendix B – Handling paper and other non-digital media  

| Activity | Public | Restricted | Confidential |
|---|---|---|---|
| Creation | N/A | N/A | Visibly marked ‘CONFIDENTIAL’. To be created (and stored) only in a secure environment, with copies limited, numbered, and recorded. Copies delivered by hand. |
| Storage in University | N/A | Locked filing cabinet or equivalent in an office which is locked when unattended, or office space which is always attended | Locked filing cabinet or equivalent in an office which is always locked or attended |
| Can take offsite | Yes | For the shortest time possible; documents to be kept securely and within personal possession at all times | Only exceptionally and with authorisation from line manager; documents to be kept securely and within personal possession |
| Can post | Yes | Yes | Double envelope with inner envelope marked as stated above (Highly Confidential); hand delivered, recorded or courier delivery |
| Secure disposal | Standard recycling | Shredded recycling | Confidential waste shredding |