Legal and Information Assurance Services
Data classification principles
All University data has an intrinsic value and must be looked after. However, data differs widely in its sensitivity and value and, as such, in the risk that it poses. It is essential to assess the sensitivity and value of all data in order to ensure that it is handled appropriately and that the risks are effectively managed. This includes ensuring that data is stored and processed using appropriate IT facilities with appropriate security and access controls in place.
The main technique for assessing data and deciding on appropriate IT and other facilities and controls is a data classification model. The University has adopted a simple data classification model which must be applied by the Principal Investigator (PI) and/or data owner to all data. To help data owners classify their data according to the classification model and select the appropriate data handling measures and facilities, a set of guiding principles and a data classification decision tree have been produced. These should be used in conjunction with professional judgement and knowledge of the data content and context.
Data classification principles
- All information that the University needs to generate, collect, receive, store, process or share has an intrinsic value and a level of sensitivity, and therefore requires an appropriate degree of protection and active management
- All information has a relevant classification
- Everyone who works or studies with, for or at the University has a duty of confidentiality and a responsibility to safeguard any University information or data that they access, and must be provided with appropriate training
- Where information is regarded as sensitive, access must only be granted on a genuine ‘need to know’ basis, with appropriate security controls in place
- Information received from or exchanged with external partners must be protected in accordance with any relevant legislative, regulatory or contractual requirements, including any national or international agreements and obligations
- Where contracts are in place, and/or there is relevant legislation, e.g. ‘special category’ personal data under GDPR and the Data Protection Act 2018, it is the responsibility of everyone to recognise this and act accordingly. This policy aims to support this process, not to dictate precise detail.
- It is possible for the sensitivity and value of one piece of information, document, or dataset to change over time. The owner/originator must review information regularly to ensure its classification remains valid
- Where one integrated set of information comprises content of varying classifications, the highest relevant classification should be applied to the whole set