What is Information Classification  

Information Classification helps you to identify the sensitivity of the information you are handling.  The more sensitive the data the more secure it needs to be.  

This guidance about information classification is to be used in conjunction with documents including, but not limited, to: 

Information Handling Overview, Data Protection Policy, Information Security Policy, Email Procedures regarding Data Protection, Data Breach Reporting Procedure, Bring Your Own Device (BYOD) Policy, Data Protection Glossary, Data Protection Guidance on Photography and Filming 

Birmingham Newman uses three levels of information classification: 

1. Ordinary Information 
2. Restricted Information 
3. Highly Restricted Information 

1. Ordinary information:  information which is unlikely to identify an individual, or information that is or should be in the public domain or would not have any impact on people or the interests of the university if it was made public. 
2. Restricted Information: information which if disclosed to unauthorised recipients could have a negative impact on individuals or on the university’s reputation. In other words, information that should be considered internal only unless there is a specific obligation on us to share it outside the institution. 
3. Highly Restricted Information:  information which if disclosed to unauthorised recipients would be likely to cause serious damage or harm to individuals or of the interests of the University would very likely be a data breach under data protection laws or a breach of commercial confidentiality. In other words, information that should be kept strictly confidential and private and not shared unless there are specific circumstances, and the sharing is authorised by a senior member of staff.

Where information is considered to fall in the Restricted or Highly Restricted categories where the information is to be sent is important. Something that is restricted information internally could be highly restricted if we intend to send it externally. If in doubt, you can contact the DPO for advice. 

 

Securing Information based on its classification 

In simple terms, the more sensitive information is, the greater the level of security and protection it needs. The table below sets out what steps to take for each classification, and some examples. If you’re not sure what label to apply, see the next steps section below.  

Classification	Security Measures needed	Examples
Ordinary Information	You don’t need to take any specific measures.	Course guides and prospectus.  Commercial data that should be in the public domain.  Annual reports that published on a regular basis.
Restricted Information	You should only communicate this information internally on a need-to-know basis.   Be careful when using email to double check the recipient list.   Don’t forward on or share information externally including to personal email addresses or an external party unless there is a clear business reason.	Assessment Marks   Attendance / participation details relating to an existing student.  Meeting minutes which are not publicly published. They may include commercially sensitive information.  Emails, attachments or documents that would be considered confidential.  The information is to be sent to a group of 30 people or less.
Highly Restricted Information	If third party access to highly restricted information is required, this should be limited to the minimum necessary to achieve a clear and specific objective.   All access should be time limited if possible.  If access can be provided via limited system access such as to MyNewman or iTrent, this should take preference.   If information needs to be shared externally access should be provided via OneDrive or Teams rather than via email.   If email is the only option, any attachments must be password protected with the password sent in a separate email.	Application forms (direct or from UCAS) containing highly restricted information.  Academic progression information.  Assessment marks / results from other institutions (universities, schools, colleges, UCAS etc.).  CVs containing enough information that on its own or with other information being held with it, the person it is about could be identified.  Any documents, emails or systems data that includes ‘protected characteristics’ i.e. age, disability, gender reassignment, marriage, civil partnership, pregnancy, maternity, race, religion or belief, sex, sexual orientation.

 

 

Choosing the right classification 

Classification is not an exact science and there will be borderline cases. If in doubt, consider the information as Highly Restricted, however, if you are unsure, please contact the Data Protection Officer via dpo@newman.ac.uk for advice and assistance.    

 

UCAS Awarding Body Linkage Result Embargo

Under the UCAS Awarding Body Linkage Result Embargo Agreement all results under the embargo or the implication of a confirmed / rejected place to study at the University must not be communicated in any way to any third party, including applicants, their advisers or journalists during the embargo period (i.e. prior to results publication day). Please inform the Data Protection Officer if you receive any such request. To check the embargo period go to https://www.ucas.com/advisers/supporting-you-through-confirmation-and-clearing and navigate to this year’s embargo information. Assessment marks / results from other institutions (universities, schools, colleges, UCAS etc.) if under embargo are Highly Restricted unless anonymised. If it is truly anonymous then it is Ordinary Information.

3. How do I keep restricted and highly restricted information secure and also ensure the right people have access to it?

Computer Access: Highly restricted information must have access controls (e.g. should be password protected / pseudomyised in an email, should need a log on to access in a database, should be in an S-drive folder or Microsoft Teams storage only accessible by those who need it etc).

Electronic Portable Storage: As per the Information Security Policy clause 5.5.3 Removable Storage media containing ‘restricted information’ or ‘highly restricted information’ must be encrypted with inbuilt encryption or software such as ‘Bitblocker’ or password protected before being removed off-site. Bitlocker is a free Windows facility, instructions for which are on the intranet page How to encrypt a memory stick using Bitlocker.

Printing: Caution should be taken when printing Restricted or Highly Restricted information. Printing should only take place when necessary i.e. for a purpose when accessing the information electronically is either not possible or not practical. If you print Restricted or Highly Restricted information, you need to know the location of the physical document (e.g. stored in this locked cabinet, being taken to the Subject Assessments Board tomorrow and then disposed of). It needs to be disposed of in a confidential waste paper bin or in a cross-shredder.

Paper Access: Paper copies of restricted information should be out of sight and within offices when not being used. Paper copies of highly restricted information should be in locked storage when not being used.

Hard-copy storage: For Restricted or Highly Restricted information, if an electronic copy is stored, there should only also be a hard-copy if absolutely necessary and this copy should be in a locked cabinet or room with access limited to those are authorised to see the document. If locked storage is not possible on campus please consult with the Data Protection Officer (dpo@newman.ac.uk). Follow the Guidance for Handling Data Off-Site.

Pigeon Holes: Restricted and highly restricted information should NOT be placed in the pigeon holes opposite the security desk. Instead you need to deliver this information by hand, use S-drive folders which allow access just to the relevant departments or send via email (following the Email Procedures). Some areas of the University have pigeon holes inside the porters’ room. This information can be placed in those pigeon holes.

Sharing: Caution should be taken when sharing Restricted or Highly Restricted information. Consider whether the recipient should have access to the information and, if so, provide clear instructions as to whether or not they have authority to share it, and with whom and how they should store and dispose of it.

Disposal: All paper copies of Restricted and Highly Restricted information must be disposed of in confidential waste bins or cross-shredded when no longer required. All electronic copies must be deleted. Please note if your desktop recycle bin is set to retain deleted files, this bin automatically permanently deletes its contents once a month. The Confidential Waste Procedure and Map of confidential bins are found on the relevant intranet page. Physical media objects such as but not limited to CD-Roms, CDs, DVDs, tape cassettes, mini-disks, usbs, external hard-drives, floppy disks, computers, laptops, tablets, phones and cameras should be blanked as much as possible and given to the IT Service Desk for secure disposal.