
IG05: Information Classification Policy

The University operates and enforces an Information Classification Policy in order to reduce the risk of information breaches and disclosures. The policy establishes three classification levels for information at the University: Public, Protected and Restricted.

Policy Introduction and Purpose

The University operates and enforces this Information Classification Policy in order to reduce the risk of information breaches and disclosures.

Scope and Definitions

This Policy applies to everyone who has a contractual relationship with the University, including all employees (both full-time and part-time, across all grades) and those engaged via the Variable Monthly Staff (VAM) Payroll and Unitemps/other agency contracts. It also includes visiting professors, consultants and self-employed contractors carrying out roles which, if carried out by an employee, would require disclosure. For the purposes of this Policy we will refer to everyone covered as “staff”.

This Policy and corresponding procedures apply to all information held for the purposes of the University’s operations including, but not limited to, the provision of teaching and education, research, student and staff support, internal and external reporting and publications. It applies to information created by members of the University and to information received from third parties.

This Policy and corresponding procedures apply to all work activities across all the University’s campuses and other facilities.

A glossary of the terms used throughout the Policy can be found in our Information Management Glossary. This policy sits within the Information Management Policy Framework and should be read in conjunction with the over-arching policies IM01 – Information Management Policy of Policies and IM02 – Information Management Training Policy.

Responsibilities

Policy Responsibilities

Heads of Departments, or their nominated deputies, are responsible for the implementation of this Policy in their respective departments, and for its communication to their staff as appropriate.

The Chief Information & Transformation Officer (CITO) is accountable for meeting legal and regulatory requirements; for keeping this policy up to date; and for ensuring that controls, checks and audits are carried out as part of compliance with this Policy.

Operational Responsibilities

Role                                                          Function
Digital Strategy Group representative                         Responsible
Head of Department                                            Accountable
Chief Information and Transformation Officer                  Consult
Data Protection Officer                                       Consult
University Information Management Committee representative    Inform

Principles of this Policy

This Policy enforces and supports all University Information Governance Core Principles, but in particular:

  • Adequacy and Accuracy – Ensuring that all information held is both sufficient to properly fulfil our stated purpose and is correct and not misleading.
  • Public by Default – Information is classified at the lowest level of classification by default, being restricted only if it meets a genuine restriction criterion.
  • Discoverability – Information should be named, tagged and stored in such a way that makes it easy to retrieve.
  • Integrity – Ensuring information is of a consistent high quality across the University and that information is used and represented honestly by all.
  • Ownership – Ensuring that all information created or held by the University has a designated owner and is appropriately managed.
  • Value – Recognising the importance of the University's information assets and ensuring that maximum value is obtained from them.
  • Security – Ensuring that information, especially protected and confidential information, is always handled safely and securely.

Implementation Guidance

Line Managers and Staff are encouraged to raise any issues or concerns arising with their Head of Department or directly with the CITO Organisation.

Policy Requirements

Classification

The University Information Classification broadly maps to the UK Government Security Classifications.

When information is classified, the core principle of Public by Default must be applied: Information is classified at the lowest level of classification by default, being restricted only if it meets a genuine restriction criterion.

The three classification levels are Public, Protected and Restricted.

Public

Risk: None/Minimal

Confidentiality is of no particular significance to this information and disclosure would have minimal significance. This should be the default classification applied to all information when there is no reason to protect or restrict it.

This means that the principle of Public by Default applies, i.e. the information does not meet any of the criteria for protection and restriction.

Protected

Risk: Low

Disclosure could adversely affect the University's reputation or operations, cause distress to individuals or breach statutory restrictions on disclosure of information.

This means that the principle of Public by Default has been applied, and although the information concerned is not particularly sensitive, it does meet one or more of the criteria for protection and restriction, and disclosure could adversely affect the University or an individual.

Restricted

Risk: High

Disclosure could cause significant damage to the University's reputation or operations, great distress to individuals, pose a danger to personal safety or to life, impede the investigation of or facilitate the commission of serious crime. There could be substantial financial or legal penalties.

Public by Default has been applied, but the information concerned is highly or particularly sensitive, and therefore should be further protected and restricted. Disclosure would have a high adverse impact.

Examples - Personally Identifiable Information (listed in ascending order of classification, from Public through Protected to Restricted)

These examples are limited. They are for guidance.

  • Anonymised data.
  • Personal information made public with consent by individuals or as a statutory requirement.
  • Staff details shared publicly by the University.
  • Staff names and contact details (incl. job titles) unless in the public domain.
  • Student names, email addresses or other identifiers, including online identifiers.
  • Academic staff qualifications and publication details unless in the public domain.
  • Staff or student ID number, irrespective of public domain.
  • Location data.
  • IP addresses of any device.
  • Mobile phone numbers.
  • HR/Personnel records.
  • Special category personal data (e.g. racial or ethnic origin, political opinion, religious or other beliefs, physical or mental health, criminal record or trade union membership).
  • Financial information relating to individuals (e.g. banking information, salary details, student fees).
  • Student academic progression details, including details of disciplinary proceedings.
  • Provisional degree classification prior to formal approval and any publication.
  • Staff appointment, promotion or details of personal affairs.
  • Biometric data (e.g. fingerprints, facial recognition).

Examples - Non-Personally Identifiable Information (listed in ascending order of classification, from Public through Protected to Restricted)

These examples are limited. They are for guidance.

  • General factual public information, incl. annual reports or accounts.
  • Anything subject to disclosure under the Freedom of Information Act.
  • Department and course details.
  • Marketing or press information.
  • HR policies and guidance.
  • Most general research.
  • Internal business communications.
  • Most contractual information.
  • 'Trade' secrets and intellectual property intended for commercialisation.
  • Corporate secrets.
  • Financial information if not published.
  • Research data that is particularly security-sensitive or has been similarly classified by an external body (e.g. Government, another university or a commercial partner with a confidentiality agreement).
  • Legal advice or other information relating to legal action against or by the University.

Exemptions

‘Exemption requests’ under this policy must be submitted to the CITO or their designate. Exemptions to this policy may only be granted by the CITO or their designate. Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CITO must be notified.

This policy may have an impact on users of assistive technology or assistive software due to a disability. Such individual cases will be considered on a case-by-case basis.

Compliance Monitoring

Compliance with this policy will be monitored on an ongoing basis. The compliance focus will be on:

  • Breaches to this policy.
  • Exemptions requested and exemptions granted under this policy.

Compliance performance will be reported monthly to the University Information Management Committee.

A failure to comply with this policy will be deemed a disciplinary offence, will be subject to the University Information Management Executive Committee escalation process (see link above) and may lead to proceedings being taken through the University Disciplinary Process.