Receiving sensitive or protected information

The University has taken steps to improve the safeguarding of information. Find out what emails marked 'sensitive' and 'protected' mean and what actions are required.

Sensitive information

The risk level of information marked as sensitive is 'medium'. Examples include personal data, financial data, or commercially valuable information. Disclosure could cause harm to individuals, impact the University's commercial interests or breach a contract. Access is available only to specifically authorised individuals.

You must:

  • ensure information is only accessible to authorised users and only provided to intended recipients
  • ensure appropriate security measures are used, including password protection and encryption, when storing and transferring information
  • prevent accidental loss, destruction or damage to information
  • only hold onto information for as long as necessary and in accordance with the University's Records Management Policy and Master Records Retention Schedule
  • securely dispose of information, for example through secure shredding, confidential waste disposal or IT-supported deletion.

Protected information

The risk level of information marked as protected is 'high'. The highest level of protection is required. Examples include large sets of personal data, information protected by clauses in contracts, and highly sensitive business information. The disclosure or loss of information could seriously impact the University's reputation or cause significant harm to individuals. Access is restricted to a small number of individuals and is based on management approval.

You must:

  • ensure information is only accessible to authorised users and only provided to intended recipients
  • ensure appropriate security measures are used, including password protection and encryption, when storing and transferring information
  • ensure information isn't processed on personal devices
  • prevent accidental loss, destruction or damage to information
  • only hold onto information for as long as necessary and in accordance with the University's Records Management Policy and Master Records Retention Schedule
  • securely dispose of information, for example through secure shredding, confidential waste disposal or IT-supported deletion.

Further details

View our information classification policy and matrix for further details on how sensitive and protected information should be accessed, stored, transferred and disposed of.

Breaches

If there is a breach, this must be reported to the University's Data Protection Officer using the Data Breach Reporting Process.

Contact

Email the Information Management Team at gdpr@sussex.ac.uk if you have any queries.