The Company generates and holds a wide variety of information that must be protected against unauthorised access, disclosure, modification, or other misuse. Efficient management of such assets is also necessary to comply with legal and regulatory obligations such as relevant Data Protection legislation, and to ensure efficient handling of Freedom of Information requests. Different types of information require different protection measures and therefore, applying classification markings of information assets is vital to ensuring effective information security and management.
This Information Classification Policy together with the accompanying technical marking controls are intended to help staff and students determine what information can be disclosed to external parties, as well as the relative sensitivity of information that should not be disclosed outside of the Company of Exeter without proper authorisation.
This policy also helps all members of the Company to ensure that correct classification and handling methods are applied to their day to day activities and managed accordingly.
Company information assets should only be made available to all those who have a legitimate need to access them.
The integrity of information must be maintained; information must be accurate, complete, timely and consistent with other related information and events.
This policy guidance covers information that is either stored or shared via any means including those created prior to the publishing of this policy. This includes: electronic information, information on paper and information shared orally or visually (such as telephone and video conferencing).
Where the Company holds information on behalf of another organisation with its own classification system, an agreement shall be reached as to which set of technical controls and handling guidelines shall apply.
|Data Management Plan:||A Data Management Plan (DMP) outlines what and how data will be created or collected and how it will be shared and preserved. A DMP also outlines your plans for sharing and preserving data in the longer‐term. A DMP can be adapted as a project advances and it should be reviewed regularly as your data needs change|
|Data Protection Impact
|A method of identifying and addressing privacy risks in compliance with
|Freedom of Information:||Information held by the Company may be requested under the Freedom of Information act and subject to exemptions will be disclosed. This classification scheme will help identify information where there may be exemptions that can be applied to allow the Company to withhold information. Information which has been classified as internal or possibly restricted/confidential may still be subject to requests and potentially disclosable, the classification scheme is a useful indicator but does not|
|provide a guarantee that information will not be disclosed, each request will be considered on its merits.|
|An individual who is responsible for the maintenance and protection of the information.|
|Information Asset:||A body of information which is organised and managed as a single entity and value for the Company|
|An individual who has final responsibility of data protection and would be held liable for any negligence when it comes to protecting the Company’s information assets. This person may be a senior executive in the management team, head of a specific department or a professor in the case of research.|
The Information security manager is responsible for:
- Approving the Information Classification system, associated data management policies and any subsequent changes to these and
- Publicising the classification system and data management policies for electronically stored information.
Information Asset Owners and Information Administrators are responsible for:
- Identifying the appropriate information classification level for any information within their care
- Ensuring that the appropriate management policies about storage, publishing, disposal etc. are followed. Where information is classified not for public consumption (i.e. Internal, Restricted or Confidential) this should be clearly articulated to those who have access to such information.
- Ensuring that information is processed and managed in accordance with the Company’s Information Governance and Security Policies.
All members of the Company (including staff, contractors, agency workers and associates) are responsible for
- Handling information in accordance to their classification
- Complying with this policy and with relevant legislation.
There are 4 levels of classification (Examples in Annex A)
|Confidential||Available only to specified and relevant members, with appropriate authorisation. A breach of confidentiality could result in unacceptable damage with very serious and lasting consequences threatening the Company or one of its activities.|
|Restricted||Available only to specified and / or relevant members, with appropriate authorisation. A breach of confidentiality could cause serious damage resulting in the compromise of activity within Company in the short to medium term. This includes both personnel data and research data.|
|Internal||Available to any authenticated member of the Company. Typically, if this level of information was leaked outside of the Company, it could be inappropriate or ill-timed.|
|Public||Available to any member of the public without restriction. This information however should not be placed into the public domain without reason, such as a request or publishing as part of data management policy.|
It is possible that we could receive information that is classified by Government or other institutions as Secret. Information classified as Secret will only be generated by the Company incredibly rarely. The information handling requirements associated with this level will be dictated by the Information Asset Owner on each occasion. Where information of this level is processed additional security may also be provided.
All information held by or on behalf of the Company will be categorised according to the Information Classification level.
The Information Asset Owner will assess the value, sensitivity and the risk of confidentiality breach to their data set. Once the classification has been established any documents containing this information must be systematically marked as such. Information Asset Owners will be identified by departments and recorded with the information assets on the Company’s Information Asset Register. It is recommended that data sets are larger rather than smaller to limit administrative complexity and overhead.
Any information which is not explicitly classified will be classified as confidential, pending classification, by default to avoid data leakage. In the case of disagreement over the classification level to be used, the more secure level should be adopted. Questions about the proper classification of a specific piece of information or a dataset should be addressed to your manager. Where there is a mix of information from different classification levels, the more secure level should be adopted. (Example in Annex B)
All information must be secured to meet the requirements of their respective classification levels. Guidance on the type of security controls that should be implemented is available in the Information Handling Guidelines.
Where a third party will be responsible for handling the information on behalf of the Company, the third party shall be required by contract to adhere to this policy prior to the sharing of information.
Where information is discovered to have been incorrectly classified, or not to have been managed in accordance with its Information Classification, this should be reported immediately to the IT Helpdesk who will log the incident and refer it to the appropriate team, information administrator or Information Asset Owner as appropriate for them to action.
Any queries or proposed amendments should be referred to the Privacy Office at [email protected].
Annex A: Example
Information Classification Levels
- Highly sensitive data that will explicitly identify individuals which, if disclosed, puts the individual at risk from identity theft, social or legal sanctions, targeting by marketing corporations or pressure groups, threats from criminal or vigilante individuals or organisations
- Any data which is classified as special category data under the GDPR.
- Financial information regarding individuals e.g. payment information (credit card details), bank account details, information about indebtedness.
- Draft research reports of controversial and / or financially significant subjects
- Preliminary degree classification or transcript information pending formal approval and any publication
- Future marketing or student fees information not yet agreed to be made public.
- Legal advice and other information relating to legal action against or by the Company.
- Business‐sensitive data such as detailed financial records, information on commercial contracts.
- Personal data identified under the Data Protection Act 1998 (or its successor legislation).
iii. Internal correspondence, timesheets, expenses.
- Incomplete reports and other documents whose integrity may be damaged by uncontrolled/unauthorised changes, or whose leakage may cause damage to the company
- General Company data: all staff internal memoranda
- Company policy and procedures
- Data that is already in the public domain but was not intended as such and could result in litigation if republished.
- Staff directory including email addresses.
- Public data will have no significant impact if they are altered or viewed in an uncontrolled fashion.
- Principal Company contacts e.g. name/email address/telephone numbers for public‐facing roles will be made freely available
- Annual Accounts
Please note that the volume of data may result in a high classification level and/or more secure data handling methods.
Annex B: Example
Mixed Information Classification Levels
If a database were to store employee welfare information (confidential) the whole data set would be classified as confidential.
Where a subset of information is extracted from a highly classified set of information, the information classification level should be reassessed.
If the programme details were extracted from the above database and stored in a spreadsheet for an annual review and update, this spreadsheet should be handled as internal information, not confidential.