Division of General Counsel, Governance and Compliance

Records Management Guidance - Classification and Handling of Records

It is important that we manage our records appropriately, including how we access, store, transfer and dispose of them. In line with the University’s Records Management principles (section 4.2 of our Policy), information held within records should be classified in accordance with the University’s Information Classification and Handling Policy and Information Classification and Handling Matrix.

All information handled by the University that is confidential or has value must be protected at all times. Information must be classified and the appropriate safeguards and measures put into place to protect the information based on that classification.

If you own, handle, or are responsible for records, you will need to ensure that any information is classified using one of the categories below, based on its sensitivity or value.

  • The 'Public/Open' category means that there is no need for restrictions and information may be shared with or viewed by members of the public. The actual marking of the information is not required. Some examples: Information published on the University website, including professional contact details, or University policies and procedures, guidance and FAQs.
  • The 'Internal use' category means that information can be disclosed and shared with appropriate individuals at the University (e.g. staff and students), with minimal restrictions on its internal disclosure. Some examples: Committee and working group papers, recordings of teaching activities, and course and module related material.
  • The 'Sensitive' category means that the information within the record must be protected. Loss or unauthorised disclosure of information could, for example, constitute a personal data breach, cause harm to individuals, compromise integrity or breach trust or a contract, or prejudice the University’s commercial interests. Some examples: Commercially or financially valuable information, general research data held by academic staff, or personal data.
  • The 'Protected' category means that the highest level of protection is required. Loss or unauthorised disclosure of the information could, for example, cause significant harm to individuals or have a serious impact on them, or seriously impact University operations or damage University reputation. Some examples: Large data sets of personal data (>1000 records), research data specifically covered by patent or legal agreement, information protected by clauses in commercial contracts, or information relating to criminal activity.

The Policy applies to records management in three key ways:

  1. Protective markings
  2. Access and transfer
  3. Disposal

Protective markings

Records should be marked with the appropriate classification. For example:

An email that is appropriate for sharing with internal colleagues is classified as 'Internal use' and marked as such in the email subject heading.

Folders on a shared drive that are classified as 'Sensitive' include the classification in the folder name.

The response to a Police request for student details in relation to an ongoing criminal investigation is classified as 'Protected' with a watermark to reflect that.

Access and transfer

When setting up a folder to share records with others, appropriate access and editing controls should be put in place.

For example, a Freedom of Information request folder is set up in Box and shared with invited people only. Note that the file is set up for viewing only as opposed to editing.

When sharing a contract with colleagues, it is shared as a link rather than as an attachment. Note that the email is classified in the subject heading as 'Sensitive' and the password is shared separately.

Disposal

All records that are classified as ‘Internal use’, ‘Sensitive’ or ‘Protected’ must be disposed of securely. Paper records should be disposed of using confidential waste disposal and secure shredding. Electronic records should be deleted from IT equipment and servers.

Paper records that are classified as ‘Public/Open’ can be disposed of using paper recycle bins.

Last updated November 2021