The Information Classification Table (downloadable pdf below) helps you to identify the sensitivity of the information you are handling and helps to inform decision making as to what security controls need to be in place.
Headlines about what access and security is appropriate:
Highly restricted information must have access controls (e.g. should be password protected / pseudomyised in an email, should need a log on to access in a database, should be in an S-drive folder only accessible by those who need it etc).
Electronic Portable Storage:
As per the Information Security Policy clause 5.5.3 Removable Storage media containing ‘restricted information’ or ‘highly restricted information’ must be encrypted with inbuilt encryption or software such as ‘Bitblocker’ or password protected before being removed off-site. Bitlocker is a free Windows facility, instructions for which are on the intranet page How to encrypt a memory stick using Bitlocker.
There are different controls for emailing different classifications of information.
How to email ‘Ordinary Information’: This content can be in the body of an email containing the data subject’s name. No particular controls, other than common sense, apply to ‘ordinary information’. However ‘ordinary information’ should be treated as restricted or highly restricted when combined with information from either of those categories.
How to email ‘Restricted information’: Do not put the data subject’s name in the email subject line. It is up to your professional judgement of the context of the personal data in the email whether you should use the methods described for ‘highly restricted information’. Please refer to the footnotes of the Information Classification Table and then ask your line manager if you are unsure. N.B. ‘Restricted information’ must be classified as ‘highly restricted’ when it covers 30 or more individuals and is being emailed or transferred by an external hard-drive / USB etc.
How to email ‘Highly restricted information’:
- If the recipient can access this directly from MyNewman / iTrent / Moodle / S-drive folder etc. they must.
- If the content is personal data do not use the data subject’s name in subject line.
- If the content is personal data you have two options:
- If you choose to use the data subject’s name in the email, this content must be in a password protected attachment (with the password sent in a separate email).
- If you choose to only use the data subject’s student ID / staff iTrent number, this information could be included in the body of an email.
4. Where the content relates to non-personal data (e.g. it is commercially sensitive) the information must be attached as a password protected document.
For more information about emailing please go to www.newman.ac.uk/knowledge-base/email-procedures-regarding-data-protection/
Caution should be taken when printing ‘Restricted’ or ‘Highly Restricted’ information. Printing should only take place when necessary i.e. for a purpose when accessing the information electronically is either not possible or not practical. If you print ‘Restricted’ or ‘Highly Restricted’ information, you need to know the location of the physical document (e.g. stored in this locked cabinet, being taken to the Subject Assessments Board tomorrow and then disposed of). It needs to be disposed of in a confidential waste paper bin or in a cross-shredder. A map of the locations of the confidential paper waste bins is available on the intranet and is also displayed by the university printers and standard recycling paper bins.
Paper copies of restricted information should be out of sight and within offices when not being used. Paper copies of highly restricted information should be in locked storage when not being used.
For ‘Restricted’ or ‘Highly Restricted’ information, if an electronic copy is stored, there should only also be a hard-copy if absolutely necessary and this copy should be in a locked cabinet or room with access limited to those are authorised to see the document. If locked storage is not possible on campus please consult with the Data Protection Officer (firstname.lastname@example.org). Follow the Guidance for Handling Data Off-Site.
Restricted and highly restricted information should NOT be placed in the pigeon holes opposite the security desk. Instead you need to deliver this information by hand, use S-drive folders which allow access just to the relevant departments or send via email (following the Email Procedures). Some areas of the University have pigeon holes inside the porters’ room. This information can be placed in those pigeon holes.
Caution should be taken when sharing ‘Restricted’ or ‘Highly Restricted’ information. Consider whether the recipient should have access to the information and, if so, provide clear instructions as to whether or not they have authority to share it, and with whom and how they should store and dispose of it.
All hard copies of ‘Restricted’ and ‘Highly Restricted’ information are to be disposed of in confidential waste bins or cross-shredded when no longer required. All electronic copies must be deleted. Please note if your desktop recycle bin is set to retain deleted files, this bin automatically permanently deletes its contents once a month.
This is to be used in conjunction with documents including, but not limited, to:
Data Protection Policy, Information Security Policy, Email Procedures regarding Data Protection, Data Breach Reporting Procedure, Bring Your Own Device (BYOD) Policy, Data Protection Glossary, Data Protection Guidance on Photography and Filming