How to handle and classify University information the right way
By: Sean Armstrong
Last updated: Thursday, 22 April 2021
It is important that we handle University information appropriately, given the value and sensitivity of most of our information and to ensure we comply with our legal and contractual obligations.
The University’s Information Classification and Handling Policy and Information Classification and Handling Matrix have recently been approved by Information Governance Committee and provide a framework for safeguarding University information. All staff are required to comply with the policy, so it’s important to familiarise yourself with the documents and your responsibilities.
The policy applies to all information handled by the University, both internally and externally, and whether held electronically or physically.
Anyone who is responsible for information or handles information must ensure that it is classified using one of the following categories, based on a risk assessment of its sensitivity or value:
- Public/Open – the information is legitimately in the public domain or is appropriate for disclosure or dissemination to the public, for example, information about our Schools and Professional Services Divisions, our strategy and policies, our Prospectus and staff details.
- Internal use – information can be disclosed and shared with appropriate individuals at the University with minimal restrictions. Internal use includes information such as teaching materials, Committee papers, and our general emails with colleagues.
- Sensitive – appropriate controls and measures are needed to protect sensitive information as loss could cause financial, legal and reputational damage to the University or could significantly impact individuals. Sensitive information includes personal data, financial information such as card holder data and data relating to our research.
- Protected – this is information with the most significant value for the University. Its unauthorised disclosure could result in severe financial or reputational damage to the University, or significant harm to individuals. Examples include special categories of personal data such as health information, criminal offence data and research data protected by intellectual property rights.
Once you have classified information, then it needs to be clearly marked with the relevant classification – for example, including ‘Internal use’ in the email subject line, or including ‘Sensitive’ in file storage names or on the outside of documents. You don’t have to mark information that is classified as ‘Public/Open’.
The Matrix that sits alongside the Policy details how information should be handled according to its classification. This includes detail on access controls; storage of information, including what can be stored outside of University systems or devices; any restrictions on the transfer of information outside of the University; and the appropriate disposal of information.
If you have any queries about the Policy or Matrix, or how it applies to the information you handle, then please contact the Information Management Team for guidance.