The Information Classification Table (downloadable pdf below) helps you to identify the sensitivity of the information you are handling and helps to inform decision making as to what security controls need to be in place.
Computer Access: Highly restricted information must have access controls (e.g. should be password protected / pseudonymised in an email, should need a log on to access in a database, should be in an S-drive folder only accessible by those who need it etc).
Paper Access: Paper copies of restricted information should be out of sight and within offices when not being used. Paper copies of highly restricted information should be in locked storage when not being used. Pigeon Holes – Restricted and highly restricted information should NOT be placed in the pigeon holes opposite the security desk. Instead, you need to deliver this information by hand, use S-drive folders which allow access just to the relevant departments or send via email (following the Email Procedures). Some areas of the University have pigeon holes inside the porters’ room. This information can be placed in those pigeon holes.
Printing: Caution should be taken when printing ‘Restricted’ or ‘Highly Restricted’ information. Printing should only take place when necessary i.e. for a purpose when accessing the information electronically is either not possible or not practical. If you print ‘Restricted’ or ‘Highly Restricted’ information, you need to know the location of the physical document (e.g. stored in this locked cabinet, being taken to the Subject Assessments Board tomorrow and then disposed of). It needs to be disposed of in a confidential waste paper bin or in a cross-shredder.
Hard-copy storage: For ‘Restricted’ or ‘Highly Restricted’ information, if an electronic copy is stored, a hard copy should also be kept only if absolutely necessary, and this copy should be in a locked cabinet or room with access limited to those who are authorised to see the document. If locked storage is not possible on campus, please consult with the Data Protection Officer (firstname.lastname@example.org). Follow the Guidance for Handling Data Off-Site.
Sharing: Caution should be taken when sharing ‘Restricted’ or ‘Highly Restricted’ information. Consider whether the recipient should have access to the information and, if so, provide clear instructions as to whether or not they have authority to share it, and with whom, and how they should store and dispose of it.
Emailing: There are different controls for emailing ‘Restricted’ or ‘Highly Restricted’ information. See www.newman.ac.uk/knowledge-base/email-procedures-regarding-data-protection/
Disposal: All hard copies of ‘Restricted’ and ‘Highly Restricted’ information are to be disposed of in confidential waste bins or cross-shredded when no longer required. All electronic copies must be deleted. Please note that if your desktop recycle bin is set to retain deleted files, this bin automatically and permanently deletes its contents once a month.
This is to be used in conjunction with documents including, but not limited to:
Data Protection Policy, Information Security Policy, Email Procedures regarding Data Protection, Data Breach Reporting Procedure, Bring Your Own Device (BYOD) Policy, Data Protection Glossary