Information Classification Criteria

Introduction and purpose

The purpose of this guidance is to set out the criteria to determine what is the appropriate classification level for information in line with the University’s IMST 01 Information Classification Standard and IMST 03 Handling Information Standard.

As it is not possible to create a comprehensive list of classifications for all University information, members should use the criteria in this guidance to aid their judgement in assigning classifications to the information they handle.

Scope Guidance Classification principles Determining classification Personal data Sensitive information

Scope

All the University’s information assets, in both hardcopy and digital formats, are considered within scope of this guidance. This includes all information held for the purposes of the University’s operations including, but not limited to, the provision of teaching and education, research, student and staff support, internal and external reporting and publications. It applies to information created by members of the University and to information received from third parties.

Guidance

What activities can be done with information is dependent upon the assigned classification level and the associated risk. The greater the potential risk to the University then the more limitations there are on how that information needs to be handled. This includes the creation, access, dissemination, sharing, printing and storage of that information. The aim is to make information assets available as widely as possible but with appropriate control.

Too low can result in not enough controls or inappropriate controls being put in place leaving the information at risk.
Too high can limit the ability to share and result in unnecessary and potentially expensive controls being put in place.

The University of Warwick has developed four Information Classification categories which are set out in the IMST 01 Information Classification Standard:

Public
General
Confidential
Highly Confidential

Classification principles

When determining the most appropriate classification for any information asset, the following principles must be applied as a starting point:

Information is considered as General by Default.
Classification applies to any information asset, in whatever form, but not to the IT systems that are used to store or process it. These should help manage access and use of the information as it has been classified.
Information should be considered from different perspectives:
- Independently;
- If it was aggregated with other information;
- How it relates to or is associated with other information;
- If it was part of an accumulation of other information;
- Files or groups of Information should be classified at the highest level necessary. Information should be split wherever possible to limit this.
If the classifications General, Confidential or Highly Confidential are being considered the following should be considered before finalising the classification:
- Can a valid answer be provided if the question ‘why not Public?’ is asked?
- The associated costs of managing the information at a higher classification should be thought about. Would it be good value for money for the associated risk?
- Would there be any limitations on sharing and collaboration that may result from having a higher classification?
- Whether the criteria being applied and therefore the classification level is time sensitive.

Determining the most appropriate classification

There are some instances where it is easy to state the classification as specific criteria applies. In other instances a risk management approach will be required to determine how the information should be managed. User judgement and knowledge of the information should also be utilised. The tables below aim to help with decision making on classification levels.

When information comes into the custody of the University, use the IMST 01 Information Classification Standard to asses the information's risk level:

Sensitive information

This can be a wide range of information including both personal and non-personal data such as research data, business information, financial data.

Follow the Sensitive information classification table.

Personal data

Information that can identify an individual, either directly or indirectly. This includes names, addresses, email addresses, and identification numbers.

See the Personal data classification table.

Public data

Information fit for public consumption, containing no personally identifiable or sensitive information.

Classify as Public and refer to IMST 03 for handling requirements (e.g., storage, email).

Personal data classification

The table below uses examples of personal data from the IMST 01 Information Classification Standard to outline an information classification approach based on the sensitivity of included information.

Note: These examples are not exhaustive.

Information type	Classification
Personal Information made public with consent by individuals, or as a statutory requirement. Staff details shared publicly by the University.	Public
Staff names and professional contact details (incl. job titles) unless publicly shared. Student names, email addresses or other identifiers including online identifiers. Staff or student ID number irrespective of whether publicly shared.	General
Personal contact details of staff and students. Location data. Academic staff qualifications and publication details (unless publicly shared). Research participants’ contact details. Identifiers for research participants, for research that does not concern sensitive topics, or special category personal data.	Confidential
Special category data as defined under UK GDPR. Financial information relating to individuals. Provisional degree classification. Staff appointment, promotion or details of personal affairs. Biometric data. Information related to formal complaints, disciplinary processes and legal investigations. Research data relating to identifiable individuals.	Highly Confidential

In each case, refer to IMST 03 for handling requirements (storage, email, etc.).

Sensitive information classification

The table below uses examples of sensitive information from the IMST 01 Information Classification Standard to outline an information classification approach based on the sensitivity of included information.

Note: These examples are not exhaustive.

Information type	Classification
General factual public information incl. annual reports or accounts. Department and course details.	Public
Policies and guidance (if deemed to present risk if publicly shared). Internal business communications. Most contractual information. Org charts/departmental structures.	General
Most unpublished research data. Most business-to-business communication. Most internal project documentation. Most information related to processing internal customer queries (e.g. documentation of an ongoing service request).	Confidential
'Trade' secrets, intellectual property intended for commercialisation. Corporate secrets. Financial information if not published/shared. Research data that is particularly security-sensitive or has been similarly classified by an external body (e.g. Government, other university or commercial partner with a confidentiality agreement). Legal advice or information relating to legal action against, or by the University.	Highly Confidential

In each case, refer to IMST 03 for handling requirements (storage, email, etc.).

References

This guidance has been prepared with reference to:

HM Government Security Classifications
ISO/IEC 27001:2022 and ISO/IEC 27002:2022 (8.2 Information Classification)
Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000
UK Data Protection Act 2018
Gartner - ID G00764590 - How to Succeed with Data Classification Using Modern Approaches.
National Institute of Standards and Technology (NIST) - Cyber Security Framework 2.0 (Function -Identify – ID.M-05 and ID.AM-07)