Information Classification Criteria

Introduction and purpose
The purpose of this guidance is to set out the criteria for determining the appropriate classification level for information, in line with the University’s IMST 01 Information Classification Standard and IMST 03 Handling Information Standard.
As it is not possible to create a comprehensive list of classifications for all University information, members should use the criteria in this guidance to aid their judgement in assigning classifications to the information they handle.
Scope
All the University’s information assets, in both hardcopy and digital formats, are considered within scope of this guidance. This includes all information held for the purposes of the University’s operations including, but not limited to, the provision of teaching and education, research, student and staff support, internal and external reporting and publications. It applies to information created by members of the University and to information received from third parties.
Guidance
What can be done with information depends on its assigned classification level and the associated risk. The greater the potential risk to the University, the more restrictions there are on how that information must be handled, covering its creation, access, dissemination, sharing, printing and storage. The aim is to make information assets available as widely as possible, but with appropriate control. Classifying information at the wrong level carries risk in either direction:
- Too low can result in too few or inappropriate controls being put in place, leaving the information at risk.
- Too high can limit the ability to share the information and result in unnecessary and potentially expensive controls being put in place.
The University of Warwick has developed four Information Classification categories which are set out in the IMST 01 Information Classification Standard:
- Public
- General
- Confidential
- Highly Confidential
Classification principles
When determining the most appropriate classification for any information asset, the following principles must be applied as a starting point:
- Information is considered General by default.
- Classification applies to any information asset, in whatever form, but not to the IT systems used to store or process it. Those systems should support the management of access to, and use of, the information in accordance with its classification.
- Information should be considered from different perspectives:
  - Independently;
  - If it were aggregated with other information;
  - How it relates to or is associated with other information;
  - If it were part of an accumulation of other information.
- Files or groups of information should be classified at the highest level required by any item they contain. Wherever possible, information should be split so that only the parts that need the higher classification carry it.
- If General, Confidential or Highly Confidential is being considered, the following questions should be addressed before finalising the classification:
  - Can a valid answer be given if the question ‘why not Public?’ is asked?
  - What are the costs of managing the information at the higher classification, and do they represent good value for money against the associated risk?
  - Would the higher classification impose limitations on sharing and collaboration?
  - Are the criteria being applied, and therefore the classification level, time sensitive?
Determining the most appropriate classification
There are some instances where the classification is easy to state because specific criteria apply. In other instances a risk management approach will be required to determine how the information should be managed, supported by the judgement and knowledge of the people who work with the information. The tables below aim to help with decisions on classification levels.
When information comes into the custody of the University, use the IMST 01 Information Classification Standard to assess the information's risk level:
Sensitive information
This can be a wide range of information including both personal and non-personal data such as research data, business information, financial data.
Follow the Sensitive information classification table.
Personal data
Information that can identify an individual, either directly or indirectly. This includes names, addresses, email addresses, and identification numbers.
See the Personal data classification table.
Public data
Information fit for public consumption, containing no personally identifiable or sensitive information.
Classify as Public and refer to IMST 03 for handling requirements (e.g., storage, email).
Personal data classification
The table below uses examples of personal data from the IMST 01 Information Classification Standard to outline an information classification approach based on the sensitivity of included information.
Note: These examples are not exhaustive.
| Information type | Classification |
|---|---|
| | Public |
| | General |
| | Confidential |
| | Highly Confidential |
In each case, refer to IMST 03 for handling requirements (storage, email, etc.).
Sensitive information classification
The table below uses examples of sensitive information from the IMST 01 Information Classification Standard to outline an information classification approach based on the sensitivity of included information.
Note: These examples are not exhaustive.
| Information type | Classification |
|---|---|
| | Public |
| | General |
| | Confidential |
| | Highly Confidential |
In each case, refer to IMST 03 for handling requirements (storage, email, etc.).
References
This guidance has been prepared with reference to:
- HM Government Security Classifications
- ISO/IEC 27001:2022 and ISO/IEC 27002:2022 (8.2 Information Classification)
- Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000
- UK Data Protection Act 2018
- Gartner, ID G00764590, How to Succeed with Data Classification Using Modern Approaches
- National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 (Identify function: ID.AM-05 and ID.AM-07)