Information classifications help you to identify the sensitivity of the information you are handling and inform decisions about which security controls need to be in place. At present the information classifications tell you how to handle a document safely using a variety of means, including password protection. They help you accurately categorise information as ordinary, restricted or highly restricted. This is designed to ensure that only relevant people have access to information, whilst reducing time-consuming processes such as password protecting attachments on emails.
This guidance about information classifications is to be used in conjunction with documents including, but not limited to:
Information Handling Overview, Data Protection Policy, Information Security Policy, Email Procedures regarding Data Protection, Data Breach Reporting Procedure, Bring Your Own Device (BYOD) Policy, Data Protection Glossary, Data Protection Guidance on Photography and Filming
These are the information classifications:
- Ordinary Information
- Restricted Information
- Highly Restricted Information
1. Ordinary information is information which is unlikely to identify an individual, is in the public domain, or would be unlikely to have a negative impact on the rights and interests of individuals or the interests of the University. No particular controls, other than common sense, apply to ‘ordinary information’. Ordinary information can be in the body of an email containing the data subject’s name. However, ‘ordinary information’ should be treated as restricted or highly restricted when combined with information from either of those categories.
2. Restricted Information is information which, if disclosed to unauthorised recipients, could have a negative impact on the rights / interests of individuals or the interests of the University and would likely be a data breach under data protection laws or a breach of commercial confidentiality. ‘Restricted information’ must be classified as ‘highly restricted’ when it covers 30 or more individuals and is being emailed or transferred by external hard-drive / USB etc.
Security controls for Restricted Information are:
- When emailing restricted information, do not put the data subject’s name in the email subject line. It is up to your professional judgement of the context of the personal data in the email whether you should use the methods described for ‘highly restricted information’.
- If transferring via USB or external hard-drive, the USB, external hard-drive or documents on those items need to be encrypted (e.g. password protected). Please refer to the footnotes of the Information Classification Examples and then ask your line manager if you are unsure.
3. Highly Restricted Information is information which, if disclosed to unauthorised recipients, would be likely to result in serious damage to the rights and interests of individuals or the interests of the University, and would very likely be a data breach under data protection laws or a breach of commercial confidentiality.
Security controls for Highly Restricted Information are:
- Using secure electronic communications rather than postal communications is the required norm for highly restricted information, with exceptions being made for Equality Act 2010 reasonable adjustments. If the recipient can access the information directly from MyNewman / iTrent / Moodle / S-drive / Microsoft Teams / One-Drive folder etc. they must do so instead of having it emailed to them. If none of the aforementioned methods are possible, then emailing is the next-best option and sending highly restricted information via a postal service is a last resort. Highly Restricted information that is being posted must be sent as a tracked / signed-for delivery.
- If transferring via USB or external hard-drive, the USB, external hard-drive or documents on those items need to be encrypted (e.g. password protected).
- If emailing highly restricted personal data, do not use the data subject’s name in the subject line.
- If emailing highly restricted personal data, and you choose to use the data subject’s name in the email, this content must be in a password protected attachment (with the password sent in a separate email).
- If emailing and you choose to only use the data subject’s student ID / staff iTrent number (not their name), this information could be included in the body of an email.
- Where the content relates to non-personal data (e.g. it is commercially sensitive) the information must be attached as a password protected document.
If you require further advice about anything on this page please check the list of Data Protection Champions available on the intranet page of Data Protection Internal Information for Staff or contact the Data Protection Officer via firstname.lastname@example.org or 0121 476 1181 # 2500. If you have an example to add to the lists below please contact the Data Protection Officer via email@example.com
Information Classification Examples
(non-exhaustive examples of what information is in which classification)
Ordinary Information:
- Anonymised data – (for these purposes anonymised data is information which does not relate to a living individual and cannot identify an individual, or does relate to a living individual but cannot identify an individual through other information which is in the possession of, or is likely to come into the possession of the organisation or person processing the personal data).
- Corporate contact details where the personal information is publicly available or does not identify an individual.
- Dates of birth (without name).
- Information agreed by individuals to be put into the public domain.
- Information on individuals available through social network sites where the information is provided on condition that it will be in the public domain.
- Factual / general organisational information for public dissemination inc. annual reports or accounts.
- Final degree classification.
- Information contained in an organisation’s annual corporate report.
- Information obtained from publicly available directories / regulatory bodies e.g. Companies House / HEFCE.
- Information on organisations’ external websites.
- Information subject to disclosure under the Freedom of Information Act (ask the Information Governance Manager if you need advice on this).
- Library borrower number and information about their loans / fines owed.
- List of names with no other personal data and not in a context which would be ‘restricted’ or ‘highly restricted’.
- List of student names alongside their student ID number / or list of staff names alongside their iTrent numbers, with no other information about them.
- Meeting minutes which need to be published publicly or on the University intranet. They will contain names and job titles but these are already available in the public domain.
- Photos / film images taken by the University in accordance with the Data Protection Guidance on Photography and Filming.
- Photos / film images placed in the public domain by the data subject themselves (i.e. the person in the photo). e.g. images they’ve put on a social media profile without privacy limitations (i.e. fully public profile).
Restricted Information:
(N.B. When the information below is personal data, the list below assumes that the person who the information is about is identifiable by name or student number.)
- Assessment material prior to “unseen” assessment – (the Outlook global address list includes both student and staff data. Consider the risk of the assessment material accidentally being sent to a student, whether or not they are to sit that particular assessment, as it could be passed on.)
- Attendance / participation details relating to an existing student.
- Corporate contact details where the personal information is not available publicly and identifies an individual.
- Exam / assessment scripts, assessment marks.
- Examiner’s comments on a student’s performance.
- Meeting minutes which are not publicly published. They may include commercially sensitive information.
- Name along with home address and / or phone number – (if the person who needs these contact details can access them from MyNewman / iTrent etc. they should do so. If they cannot access them, consider whether they need to receive them at all.)
- Names and addresses of applicants to study at Newman – (if the person who needs these contact details can access them from MyNewman / iTrent etc. they should do so. If they cannot access them, consider whether they need to receive them at all.)
- Name plus D.o.B or national insurance number.
- Procurement or supply information of goods/services prior to approved publication.
- References for students or staff not containing any highly restricted information.
- Research grant applications/proposal.
- Signatures with the person’s name legible including if the name appears typed on the document in place of a signature.
- Staff Appraisal content.
- Student ID and information about tuition fee debt or accommodation costs debt.
- Student transcript.
- UCAS forms not containing any highly restricted information.
Highly Restricted Information:
- Academic progression information.
- CVs containing enough information that, on its own or combined with other information held with it, could identify the person the CV is about.
- Financial Information regarding individuals e.g. payment information (credit card details), bank account details, information about debts and student fees.
- Information identified in the Equality Act 2010 as ‘protected characteristics’, i.e. age, disability, gender reassignment, marriage, civil partnership, pregnancy, maternity, race, religion or belief, sex, sexual orientation. (Sometimes at Newman emails are sent around sharing the news of an individual’s life step such as a birthday, marriage, civil partnership or birth of a child / adoption. Under data protection laws these emails are personal data processing ‘carried out by individuals purely for personal/household activities’ and therefore do not count as restricted or highly restricted. If you do not want an email of this kind sent about you, you should inform your line manager.)
- Future marketing or student fees information not yet agreed to be made public.
- Information relating to restricted intellectual property rights or covered by a confidentiality agreement / contract.
- Legal advice and other information relating to legal action against or by the University.
- Misconduct, disciplinary or grievance information.
- Name plus D.o.B and passport details.
- Name plus national insurance number and passport details – (combinations of personal data increase the risk of misuse of data / damage to the individual if received by the wrong person, e.g. a combination of personal details can increase the ability to carry out identity theft).
- Preliminary degree classification / transcript information pending formal approval and any publication.
- References for students or staff containing highly restricted information.
- Scan of or actual identification documentation.
- School children’s personal information which allows someone to know their likely location.
- Signatures combined with the person’s name and another piece of personal data e.g. d.o.b. or address. (Redacting some of this information could lower the document into the restricted information classification).
- ‘Special category data’, i.e. information on individuals which is classed under data protection laws as: race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; sexual orientation; or criminal conviction information.
- Student name and information about their tuition fee debt or accommodation costs debt.
- Trade secret information or otherwise highly commercially sensitive information.
- UCAS forms containing highly restricted information.
- University business contracts if they contain commercially sensitive information (whether signed or unsigned).
Additional protected information:
Under the UCAS Awarding Body Linkage Result Embargo Agreement all results under the embargo or the implication of a confirmed / rejected place to study at the University must not be communicated in any way to any third party, including applicants, their advisers or journalists during the embargo period (i.e. prior to results publication day). Please inform the Data Protection Officer if you receive any such request.