Protecting our information and avoiding data breaches
By: Sean Armstrong
Last updated: Wednesday, 22 September 2021

The University’s information is a vital asset that improves our student experience, our research impact, and the efficient management of services. So it’s important that information is held securely and managed in a way that complies with our legal obligations.
Earlier this year, we updated our Information Classification and Handling Policy and Information Classification and Handling Matrix, which are part of the framework for how all staff should use and safeguard information. Please take the time to read the Policy and Matrix again.
Taking account of the sensitivity or value of information, it should be classified using one of the following categories:
- Public/Open – the information is legitimately in the public domain or is appropriate for disclosure or dissemination to the public;
- Internal use – information can be disclosed and shared with appropriate individuals at the University with minimal restrictions;
- Sensitive – appropriate controls and measures are needed to protect sensitive information as loss could cause financial, legal and reputational damage to the University or could significantly impact individuals; or
- Protected – this is information with the most significant value for the University. Its unauthorised disclosure could result in severe financial or reputational damage to the University, or significant harm to individuals.
Once information has been classified, it needs to be clearly marked with the relevant classification. The Matrix then details how that information should be handled, including access to, disclosure of and storage of the information.
Head of Information Management and Compliance, Alex Elliott, said: “Although we need to have safeguards in place to protect University information, sometimes mistakes happen. Information may be lost, or incorrectly disclosed, accessed or deleted.
“If this includes personal data, then report the matter to the Data Protection Officer immediately using the breach notification form. Please don’t delay in making a report. If a breach is reportable to the Information Commissioner, then we have to make notification within 72 hours of the University becoming aware of the breach.”
The majority of personal data breaches relate to the use of email, such as sending an email to the wrong person or including incorrect attachments or information. Please read our guidance which identifies areas where breaches are likely to occur when using email and steps you can take to reduce the risk.
If you have any queries about how to classify or handle information, then please contact the Information Management Team for guidance.