Information Classifications

Last Updated: June 16th 2023

The following sections are on this page.

  1. What is Information Classification and what security controls are required?

  2. Information Classification Examples
    – Ordinary Information Examples
    – Restricted Information Examples
    – Highly Restricted Information Examples

  3. How do I keep restricted and highly restricted information secure and also ensure the right people have access to it?

For further information please contact the Data Protection Officer via email or telephone, dpo@newman.ac.uk, 0121 387 4567. 

———————————————————————————————————————————————————————————————————————————————————————————————–

  1. What is Information Classification and what security controls are required for each classification?

Information Classification helps you to identify the sensitivity of the information you are handling and informs decisions about which security controls need to be in place. At present the classifications tell you how to handle a document safely using a variety of means, including password protection. They help you accurately categorise information as ordinary, restricted or highly restricted. This is designed to ensure that only relevant people have access to information, whilst reducing time-consuming processes such as password protecting email attachments where they are not needed.

This guidance about information classifications is to be used in conjunction with documents including, but not limited to:

Information Handling Overview, Data Protection Policy, Information Security Policy, Email Procedures regarding Data Protection, Data Breach Reporting Procedure, Bring Your Own Device (BYOD) Policy, Data Protection Glossary, Data Protection Guidance on Photography and Filming

These are the information classifications:

  1. Ordinary Information
  2. Restricted Information
  3. Highly Restricted Information

1. Ordinary information is information which is unlikely to identify an individual, is in the public domain or would be unlikely to have a negative impact on the rights and interests of individuals or the interests of the university. No particular controls, other than common sense, apply to ‘ordinary information’. Ordinary information can be in the body of an email containing the data subject’s name.  However ‘ordinary information’ should be treated as restricted or highly restricted when combined with information from either of those categories.

2. Restricted Information is information which if disclosed to unauthorised recipients could have a negative impact on the rights / interests of individuals or the interests of the University and would likely be a data breach under data protection laws or a breach of commercial confidentiality. ‘Restricted information’ must be classified as ‘highly restricted’ when it covers 31 or more individuals and is being emailed or transferred by external hard-drive / USB etc.

Security controls for Restricted Information are:

  1. When emailing restricted information, do not put the data subject’s name in the email subject line. It is up to your professional judgement of the context of the personal data in the email whether you should use the methods described for ‘highly restricted information’. Ask your Data Protection Champion or the Data Protection Officer (dpo@newman.ac.uk) if you are unsure.
  2. If transferring via USB or external hard-drive, the USB, external hard-drive or the documents on those items need to be encrypted (e.g. with BitLocker, or the document itself password protected using an application, such as Microsoft Office, whose password protection encrypts the file). Please refer to the footnotes of the Information Classification Examples and then ask your line manager if you are unsure.

3. Highly Restricted Information is information which, if disclosed to unauthorised recipients, would be likely to result in serious damage to the rights and interests of individuals or to the interests of the University, and would very likely be a data breach under data protection laws or a breach of commercial confidentiality.

Security controls for Highly Restricted Information are:

  1. Using secure electronic communications rather than postal communications is the required norm for highly restricted information, with exceptions being made for Equality Act 2010 reasonable adjustments. If the recipient can access the information directly from MyNewman / iTrent / Moodle / S-drive / Microsoft Teams / One-Drive folder etc. they must do so instead of having it emailed to them. If none of the aforementioned methods are possible, then emailing is the next-best option and sending highly restricted information via a postal service is a last resort. Highly Restricted information that is being posted must be sent as a tracked / signed-for delivery.
  2. If transferring via USB or external hard-drive, the USB, external hard-drive or the documents on those items need to be encrypted (e.g. with BitLocker, or the document itself password protected using an application, such as Microsoft Office, whose password protection encrypts the file).
  3. If emailing highly restricted personal data, do not use the data subject’s name in subject line.
  4. If emailing highly restricted personal data, and you choose to use the data subject’s name in the email, this content must be in a password protected attachment (with the password sent in a separate email).
  5. If emailing and you choose to only use the data subject’s student ID / staff iTrent number (not their name), this information could be included in the body of an email.
  6. Where the content relates to non-personal data (e.g. it is commercially sensitive) the information must be attached as a password protected document.

If you require further advice about anything on this page please check the list of Data Protection Champions available on the intranet page of Data Protection Internal Information for Staff or contact the Data Protection Officer via dpo@newman.ac.uk or 0121 387 4567 or internally on Teams 4567. If you have an example to add to the lists below please contact the Data Protection Officer via dpo@newman.ac.uk

2. Information Classification Examples
(non-exhaustive examples of what information is in which classification)

Ordinary Information Examples:

  • Anonymised data – (for these purposes anonymised data is information which does not relate to a living individual and cannot identify an individual, or does relate to a living individual but cannot identify an individual through other information which is in the possession of, or is likely to come into the possession of the organisation or person processing the personal data).
  • Corporate contact details where the personal information is publicly available or does not identify an individual.
  • Dates of birth (without name).
  • Information agreed by individuals to be put into the public domain.
  • Information on individuals available through social network sites where information is provided on condition that will be in public domain.
  • Factual / general organisational information for public dissemination inc. annual reports or accounts.
  • Information contained in an organisation’s annual corporate report.
  • Information obtained from publicly available directories /regulatory bodies e.g. Companies House / HEFCE.
  • Information on organisations’ external websites.
  • Information subject to disclosure under the Freedom of Information Act (ask the Information Governance Manager if you need advice on this).
  • Library borrower number and information about their loans / fines owed.
  • List of names with no other personal data and not in a context which would be ‘restricted’ or ‘highly restricted’.
  • List of student names alongside their student ID number / or list of staff names alongside their iTrent numbers, with no other information about them.
  • Meeting minutes which need to be published publicly or on the University intranet. They will contain names and job titles but these are already available in the public domain.
  • Photos / film images taken by the University in accordance with the Data Protection Guidance on Photography and Filming.
  • Photos / film images placed in the public domain by the data subject themselves (i.e. the person in the photo). e.g. images they’ve put on a social media profile without privacy limitations (i.e. fully public profile).

Restricted Information Examples:

N.B. For information to be personal data, a living human being has to be directly or indirectly identifiable from it. This is often, but not always, through the use of a name, initial or number such as student number. If information is truly anonymous, it is not personal data. Therefore anonymous data would not be highly restricted information unless it was commercially sensitive information.
‘Restricted information’ must be classified as ‘highly restricted’ when it covers 31 or more individuals and is being emailed or transferred by external hard-drive / USB etc.

  • Application forms (whether direct or from UCAS) not containing highly restricted information.
  • Assessment material prior to “unseen” assessment – N.B. The Outlook global address list includes both student and staff data. Consider the risk of the assessment material accidentally being sent to a student, whether or not they are to sit that particular assessment, as it could be passed on.
  • Assessment marks / results from Newman (unless preliminary degree classification/ transcript information pending formal approval and any publication as this is Highly Restricted information unless anonymised. If it is truly anonymous then it is Ordinary Information).
  • Assessment marks / results from other institutions (universities, schools, colleges, UCAS etc.) if not under any embargo. See the UCAS Awarding Body Linkage Result Embargo section at the bottom of this page. Results under embargo are Highly Restricted unless anonymised. If it is truly anonymous then it is Ordinary Information.
  • Attendance / participation details relating to an existing student.
  • Corporate contact details where the personal information is not available publicly and identifies an individual.
  • Exam / assessment scripts. N.B. The Outlook global address list includes both student and staff data. Consider the risk of the assessment material accidentally being sent to a student, whether or not they are to sit that particular assessment, as it could be passed on.
  • Examiner’s comments on a student’s performance.
  • Final degree classification.
  • Meeting minutes which are not publicly published. They may include commercially sensitive information.
  • Name along with home address and / or phone number – (if the person who needs these contact details can access them from MyNewman / iTrent etc. they should do so. If they cannot access them, consider whether they need to receive them at all.)
  • Names and addresses of applicants to study at Newman – (if the person who needs these contact details can access them from MyNewman / iTrent etc. they should do so. If they cannot access them, consider whether they need to receive them at all.)
  • Name plus D.o.B or national insurance number.
  • Procurement or supply information of goods/services prior to approved publication.
  • References for students or staff not containing any highly restricted information.
  • Research grant applications/proposal.
  • Signatures with the person’s name legible including if the name appears typed on the document in place of a signature.
  • Staff Appraisal content.
  • Student ID and information about tuition fee debt or accommodation costs debt.
  • Student transcript.

Highly Restricted Information Examples:

N.B. For information to be personal data, a living human being has to be directly or indirectly identifiable from it. This is often, but not always, through the use of a name, initial or number such as student number. If information is truly anonymous, it is not personal data. Therefore it would not be highly restricted information unless it was commercially sensitive information.

  • Application forms (direct or from UCAS) containing highly restricted information.
  • Academic progression information.
  • Assessment marks / results from other institutions (universities, schools, colleges, UCAS etc.) if under embargo are Highly Restricted unless anonymised. If it is truly anonymous then it is Ordinary Information. See the UCAS Awarding Body Linkage Result Embargo section at the bottom of this page.
  • CVs containing enough information that on its own or with other information being held with it, the person it is about could be identified.
  • Equality Act 2010 ‘protected characteristics’, i.e. age, disability, gender reassignment, marriage, civil partnership, pregnancy, maternity, race, religion or belief, sex, sexual orientation. (Sometimes at Newman emails are sent around sharing the news of an individual’s life step such as birthday, marriage, civil partnership or birth of a child / adoption. Under data protection laws these emails are personal data processing ‘carried out by individuals purely for personal/household activities’ and therefore do not count as restricted or highly restricted. If you do not want an email of this kind sent about you, you should inform your line manager.)
  • Financial Information regarding individuals e.g. payment information (credit card details), bank account details, information about debts and student fees.
  • Future marketing or student fees information not yet agreed to be made public.
  • Information relating to restricted intellectual property rights or covered by a confidentiality agreement / contract.
  • Legal advice and other information relating to legal action against or by the University.
  • Misconduct, disciplinary or grievance information.
  • Name plus D.o.B and passport details.
  • Name plus national insurance number and passport details – (combinations of personal data increase the risk of misuse of data / damage to the individual if received by the wrong person. E.g. a combination of personal details can increase the ability to carry out identity theft).
  • Preliminary degree classification/ transcript information pending formal approval and any publication.
  • References for students or staff containing highly restricted information.
  • Scan of or actual identification documentation.
  • School children’s personal information which allows someone to know their likely location.
  • Signatures combined with the person’s name and another piece of personal data e.g. d.o.b. or address. (Redacting some of this information could lower the document into the restricted information classification).
  • ‘Special category data’, i.e. information on individuals which is classed under data protection laws as: race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; sexual orientation; or criminal conviction information.
  • Student name and information about their tuition fee debt or accommodation costs debt.
  • Trade secret information or otherwise highly commercially sensitive information.
  • University business contracts if they contain commercially sensitive information (whether signed or unsigned).

UCAS Awarding Body Linkage Result Embargo

Under the UCAS Awarding Body Linkage Result Embargo Agreement all results under the embargo or the implication of a confirmed / rejected place to study at the University must not be communicated in any way to any third party, including applicants, their advisers or journalists during the embargo period (i.e. prior to results publication day). Please inform the Data Protection Officer if you receive any such request. To check the embargo period go to https://www.ucas.com/advisers/supporting-you-through-confirmation-and-clearing and navigate to this year’s embargo information. Assessment marks / results from other institutions (universities, schools, colleges, UCAS etc.) if under embargo are Highly Restricted unless anonymised. If it is truly anonymous then it is Ordinary Information.


3. How do I keep restricted and highly restricted information secure and also ensure the right people have access to it?

Computer Access: Highly restricted information must have access controls (e.g. it should be password protected / pseudonymised in an email, should require a log-on to access in a database, should be in an S-drive folder or Microsoft Teams storage only accessible by those who need it, etc.).

Electronic Portable Storage: As per the Information Security Policy clause 5.5.3, removable storage media containing ‘restricted information’ or ‘highly restricted information’ must be encrypted, using the device’s inbuilt encryption or software such as BitLocker, or password protected before being taken off-site. BitLocker To Go is built into Windows at no extra cost; instructions are on the intranet page How to encrypt a memory stick using Bitlocker.
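As an added worked example (not part of the policy page or the intranet instructions it refers to), the following PowerShell session encrypts a removable drive with BitLocker To Go, adds a recovery password and verifies the result. It assumes the memory stick is mounted as E: (a hypothetical drive letter), that the session is elevated, and that the PC runs a Windows edition that includes the BitLocker PowerShell module (Pro, Enterprise or Education).

```powershell
# Added example (not from the policy page): encrypt a removable drive with
# BitLocker To Go from an elevated PowerShell session.
# Assumptions: the USB stick is mounted as E: (hypothetical drive letter), the
# machine runs a Windows edition that ships the BitLocker module
# (Pro/Enterprise/Education), and the stick is already formatted.
# Change $MountPoint to match your drive.

$MountPoint = "E:"

# 1. Confirm the drive is not already protected before touching it.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -eq "On") {
    Write-Host "$MountPoint is already BitLocker-protected."
    return
}

# 2. Prompt for the unlock password as a SecureString (never hard-code it in a script).
$Password = Read-Host -AsSecureString -Prompt "Choose the BitLocker password for $MountPoint"

# 3. Turn on encryption with a password protector. AES-CBC 256 is chosen rather
#    than XTS so the stick can also be unlocked on older Windows versions.
#    -UsedSpaceOnly keeps the initial encryption quick on a mostly empty stick;
#    omit it if the stick previously held data that should be overwritten.
Enable-BitLocker -MountPoint $MountPoint `
    -PasswordProtector -Password $Password `
    -EncryptionMethod Aes256 -UsedSpaceOnly

# 4. Add a recovery password so the data is still recoverable if the password
#    is forgotten. Record it somewhere other than on the stick itself.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$recovery = ($vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword").RecoveryPassword
Write-Host "Recovery password (store securely, off the stick): $recovery"

# 5. Verify: encryption under way or complete, protection on, both protectors present.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
                  @{ n = "Protectors"; e = { ($_.KeyProtector.KeyProtectorType) -join ", " } }

# On another machine the stick prompts for the password when opened; from
# PowerShell the equivalent is:
#   Unlock-BitLocker -MountPoint "E:" -Password $Password
```

The check in step 5 is the one to repeat before the stick leaves the building: ProtectionStatus must read On. A drive whose status is still Off is not encrypted, regardless of whether the files on it carry document passwords.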

Printing: Caution should be taken when printing Restricted or Highly Restricted information. Printing should only take place when necessary, i.e. for a purpose where accessing the information electronically is either not possible or not practical. If you print Restricted or Highly Restricted information, you need to know the location of the physical document at all times (e.g. stored in this locked cabinet, being taken to the Subject Assessments Board tomorrow and then disposed of). It needs to be disposed of in a confidential waste paper bin or in a cross-cut shredder.

Paper Access: Paper copies of restricted information should be out of sight and within offices when not being used. Paper copies of highly restricted information should be in locked storage when not being used.

Hard-copy storage: For Restricted or Highly Restricted information, if an electronic copy is stored there should only also be a hard copy if absolutely necessary, and this copy should be in a locked cabinet or room with access limited to those who are authorised to see the document. If locked storage is not possible on campus please consult the Data Protection Officer (dpo@newman.ac.uk). Follow the Guidance for Handling Data Off-Site.

Pigeon Holes: Restricted and highly restricted information should NOT be placed in the pigeon holes opposite the security desk. Instead you need to deliver this information by hand, use S-drive folders which allow access just to the relevant departments or send via email (following the Email Procedures). Some areas of the University have pigeon holes inside the porters’ room. This information can be placed in those pigeon holes.

Sharing: Caution should be taken when sharing Restricted or Highly Restricted information. Consider whether the recipient should have access to the information and, if so, provide clear instructions as to whether or not they have authority to share it, and with whom and how they should store and dispose of it.

Disposal: All paper copies of Restricted and Highly Restricted information must be disposed of in confidential waste bins or put through a cross-cut shredder when no longer required. All electronic copies must be deleted. Please note that if your desktop Recycle Bin is set to retain deleted files, it automatically and permanently deletes its contents once a month; empty it yourself rather than waiting for this. The Confidential Waste Procedure and Map of confidential bins are found on the relevant intranet page. Physical media such as, but not limited to, CD-ROMs, CDs, DVDs, tape cassettes, mini-discs, USB sticks, external hard-drives, floppy disks, computers, laptops, tablets, phones and cameras should be wiped as far as possible (simply deleting files leaves the data recoverable) and given to the IT Service Desk for secure disposal.
