Information classifications

Knowing what your data is and who can see it

Overview

The University has a responsibility to protect the information that it creates.

Any information created becomes a "record" and must be managed according to its sensitivity and value to the University. See the Records Management Policy for more information.

The concept of "Information classification" provides an easy way to assign sensitivity or value to a record (whether a document, IT system, book, photograph, etc). The University's Information Security Policy requires all information assets be assigned a Confidentiality Rating.

Confidentiality rankings

Examples

Confidentiality ratings

University staff are responsible for assigning an information classification to any document or data they create. The choice of classification is primarily driven by the potential for adverse impact to the University. Higher classifications can result in more restrictive information handling practices.

Confidentiality Ratings

If you are the user of an existing document or system, you must comply with all information handling obligations for the assigned calssification. See Document Handling Quick Reference Guide

Highly confidential

The information is for very limited distribution to specific individuals within the University.

Type of information	Medical records, workcover forms or personally identifiable information
Impact of disclosure or breach	Accidental or deliberate disclosure or unauthorised access to the information results in critical financial, reputational and/or legal impact to the University.

Restricted

The information is for limited distribution to specific groups within the University.

Type of information	Audit reports, intellectual property, student academic records, staff or student contract information, council papers
Impact of disclosure or breach	Accidental or deliberate disclosure or unauthorised access to the information results in modest financial, reputational and/or legal impact to the University.

Internal only

The information is not for public access.

Type of information	Day-to-day emails, procedures, project and other administrative information.
Impact of disclosure or breach	Accidental or deliberate disclosure or unauthorised access to the information would result in minor or no adverse impact to the University.

Public

The information or service is spefically for public access (e.g. Flinders University website, or research that has been released).

Type of information	Student course information, marketing materials, website content, approved media releases.
Impact of disclosure or breach	No adverse impact to University resulting from publication (or such publication is specifically approved).

Examples

The data you create, and manage, will need to be allocated an information classification. This classification determines security boundaries (e.g. internal / external access), storage location (e.g. on-site / off-site) and access rights (e.g. who can see what).

The following table identifies some typical scenarios for information created at the University. Consider which use case is most similar for the information you’ll be creating, and which classification is applicable.

The information created is...	The audience is...	The classification is...
Potential harmful, or sensitive, data that cannot be shared. Only the data owner has access.	Internal staff at the University	Highly Confidential
Confidential, or restricted, data that is only accessible by limited internal people / systems only.		Restricted
Discoverable data that is accessible by all internal people / systems only.		Internal Use Only Information
Externally available data that is only accessible by limited people / systems.	External contacts outside of the University	Public Information
Externally available data that can be commercially licensed and is available to all people / systems.		Public Information
Externally discoverable data that is available to all people / systems.		Public Information
Externally discoverable and licensed data that is available to all people / systems.		Public Information

IMPORTANT! The Data Owner is responsible for selecting the classification. This won’t always be a Flinders University staff member, or researcher, and can be a third party. Please ensure you identify the Data Owner and have them select the appropriate classification for the information being created.

Support for digital and IT services

Opening hours: 8am to 6pm, Monday to Friday, excluding public holidays

After hours or when all staff are busy you will be given an option to leave a voicemail message. Voicemails will be accessed as soon as practical during business hours otherwise you may choose to log an IT support request.