
IMST 01: Information Classification Standard

Information Classification - Public

Introduction and purpose

This Information Classification Standard uses four levels to categorise information based on its sensitivity. These levels range from ‘Public’, for information that is available to all, to ‘Highly Confidential’, for information that should be restricted to a small number of people. The levels are:

  1. Public
  2. Internal
  3. Confidential
  4. Highly Confidential

This standard provides guidelines on how to classify information into these levels. The practices for the handling, storage and transmission of information at each level will be described in other documents, such as IMST 03: Handling Information Standard.

Classification standards are used by organisations to classify information. For example, the UK government uses Government Security Classifications.

Information classification is the practice of categorising information according to its sensitivity and is vital for the University’s Information Security controls.

Classifying information at the University supports the University in meeting its Information Management obligations (e.g. data protection legislation). Information Classification also helps the University operate efficiently by ensuring that appropriate information management practices are followed, from creation, through use, to deletion or preservation. Technologies are available that aid in the classification of information; where possible, the University will endeavour to use this functionality.

Scope and definitions

This standard applies within the scope of its parent policy IMP 01: Information Management Framework Policy and any policies that directly reference the standard. All information used for university work requires classification, regardless of format, type, function or source. All individuals who work with university information are subject to this standard. The definition of ‘Information’ is taken from the Information Management Glossary of Terms.

The full scope of everyone this standard applies to is set out in the ‘scope and definitions’ section of IMP 01: Information Management Framework Policy.

Roles and responsibilities

Standard roles

Everyone is expected to classify their information. When information is created, or the sensitivity of the information changes, an information classification category should be applied according to its sensitivity. Unclassified information will be considered to have the classification ‘Internal’.

Heads of Departments (or equivalent), or their nominated deputies, are responsible for ensuring that this standard is adhered to in their respective departments and for communicating it to their staff as appropriate.

The Chief Information & Transformation Officer (CITO) retains overall accountability for this standard. The Chief Information Security Officer (CISO) has delegated authority for ensuring the standard meets legal and regulatory requirements; for keeping this standard up to date; and for ensuring that controls, checks and audits are carried out as part of compliance with this standard.

Operational responsibilities

Operational responsibilities of this standard

  • Designate of Head of Department (e.g. academic lead on research, individuals with delegated authority for information, system administrators): Responsible, for overseeing the use of the standard within areas of responsibility
  • Head of Department: Accountable, for use of the standard within departments
  • Information Risk and Compliance Team (with escalation to CISO and CITO required): Consult, to discuss organisational-level use of the standard
  • IDG Digital Business Partners: Inform, must be informed of the content of the standard to communicate it to their departments

Requirements

Classification

The University Information Classifications, from Public to Highly Confidential, broadly map to the UK Government Security Classifications (OFFICIAL – OFFICIAL SENSITIVE). If staff are working with Government Secret or Top Secret information, the CISO should be made aware that this work is being undertaken. The CISO does not need to be made aware of the content of the information unless this has been requested by HMG officials.

Level and risk

Public (risk: None)

  • The information is fit for public consumption, and therefore confidentiality is of no importance.
  • This should be the classification applied to information when there is no reason to protect or restrict it.

Internal (risk: Low)

  • The information meets the criteria for it to be kept out of public consumption.
  • Unclassified information will be considered to have the classification ‘Internal’.
  • Internal information should be accessible to anyone within the organisation, but not to those outside of it.
  • Disclosure of this information outside of the organisation would risk causing only minimal harm to individuals or the University, e.g. minor disruption to university operations, minor distress to individuals, or a minor breach of statutory requirements.

Confidential (risk: High)

  • Improper disclosure of the information carries heightened risks.
  • Access to information classified as Confidential is limited to known individuals on a need-to-know basis. Typically, Confidential information is limited to specific teams who need to access such information to carry out their work functions.
  • Disclosure of the information could cause: distress to individuals; harm to the University’s reputation; disruption to university operations; undermining of confidence between the University and its partners; or harm to the commercial interests of the University.

Highly Confidential (risk: Critical)

  • Improper disclosure of the information carries serious risks to the organisation and individuals.
  • Access to information classified as Highly Confidential is limited to a small number of known individuals on a strict need-to-know basis. These individuals are appropriately trained, specifically authorised, and in appropriate positions of responsibility to access this information. Access is often only given on a temporary basis.
  • Disclosure of this information could cause: serious distress, significant harm or existential risks to individuals; undermining of the University’s security; serious loss or disruption to critical operations; serious breaches of statutory requirements; breach of confidentiality agreements; critical reputational damage to the University; significant financial loss; or disruption to the University’s ability to assist with legal action and investigations.

Examples - personally identifiable information

The following examples run in ascending order of classification, from Public to Highly Confidential:

  • Personal information made public with consent by individuals, or as a statutory requirement.
  • Staff details shared publicly by the University.
  • Staff names and professional contact details (incl. job titles), unless publicly shared.
  • Student names, email addresses or other identifiers, including online identifiers.
  • Staff or student ID number, irrespective of whether publicly shared.
  • Personal contact details of staff and students.
  • Location data.
  • Academic staff qualifications and publication details, unless publicly shared.
  • Research participants’ contact details.
  • Identifiers for research participants, for research that does not concern sensitive topics or special category personal data.
  • Special category data as defined under UK GDPR (e.g. racial or ethnic origin, political opinion, religious or other beliefs, physical or mental health, criminal record or trade union membership).
  • Financial information relating to individuals (e.g. banking information, salary details, student fees).
  • Progression details, including details of disciplinary proceedings.
  • Provisional degree classification, prior to formal approval and any publication.
  • Staff appointment, promotion or details of personal affairs.
  • Biometric data (e.g. fingerprints, facial recognition) and genetic data.
  • Information related to formal complaints, disciplinary processes and legal investigations.
  • Research data relating to identifiable individuals which presents a risk of significant harm if it were exposed (e.g. sensitive political views, criminal activity, medical data).

Examples - non-personally identifiable information

These examples are not exhaustive and are provided for guidance only. They run in ascending order of classification, from Public to Highly Confidential:

  • General factual public information, incl. annual reports or accounts.
  • Department and course details.
  • Marketing or press information.
  • Policies and guidance, unless publicly shared.
  • Policies and guidance (if deemed to present a risk if publicly shared).
  • Internal business communications.
  • Most contractual information.
  • Org charts/departmental structures.
  • Most unpublished research data.
  • Most business-to-business communication.
  • Most internal project documentation.
  • Most information related to processing internal customer queries (e.g. documentation of an ongoing service request).
  • ‘Trade’ secrets and intellectual property intended for commercialisation.
  • Corporate secrets.
  • Financial information, if not published/shared.
  • Research data that is particularly security-sensitive or has been similarly classified by an external body (e.g. Government, another university, or a commercial partner with a confidentiality agreement).
  • Legal advice or other information relating to legal action against, or by, the University.

Guidance on appropriate practice for handling information in accordance with its classification will be made available as part of ongoing work to revise Information Management policies, standards and guidance.

Exceptions

‘Exception requests’ under this standard are processed through the IDG Exceptions process with the delegated authority of the CITO.

Activities that have received prior approval by the Research Governance and Ethics Committee are not required to go through the exceptions process.

This standard may have an impact on users of assistive technology or assistive software due to their circumstances. Such cases will be considered on a case-by-case basis.

References

This standard has been prepared with reference to:

  • HM Government Security Classifications
  • ISO/IEC 27001:2022 and ISO/IEC 27002:2022 (8.2 Information Classification)
  • Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000
  • UK Data Protection Act 2018
  • Gartner - ID G00764590 - How to Succeed with Data Classification Using Modern Approaches
  • National Institute of Standards and Technology (NIST) - Cyber Security Framework 2.0 (Function - Identify - ID.M-05 and ID.AM-07)

Version/document control

Version: 1.0
Date created: May 2024
Date published: 11 December 2024
Next review: 11 December 2025
Notes/outcomes: A new standard that replaces IG05: Information Classification Policy