Information Governance Procedures - Classifications

Section 1 - Purpose and Context

(1) These Procedures apply to all forms of information (data, information and records) created, collected, stored or processed by the University and its controlled entities.

(2) These Procedures set out how the information assets of the University and its controlled entities are assessed and classified according to business criticality in order to achieve appropriate information security.

(3) These Procedures should be read in conjunction with the Business Continuity Management Policy, Cyber Security Policy, Privacy Policy, Records and Archives Management Policy and related user guidelines.

Section 2 - Definitions

(4) For the purposes of this Policy, the definitions that apply can be found in the Information Governance Framework and the Policy DDS Glossary, in addition to the following:

Section 3 - Procedures

(5) These Procedures support the legal obligations of the University and its controlled entities to ensure that private and sensitive information is managed in accordance with the principles outlined in the following legislation:

(6) These Procedures do not override mandatory legal obligations to disclose data.

(7) The University will regularly review and update these Procedures to ensure they align with the current threat landscape, industry best practices, and changes in legal and regulatory requirements.

(8) The University and its entities use four main information asset classifications, aligned to the NSW/Australian Government/Department of Defence classifications:

(9) New South Wales and Federal Government data classifications (refer to the NSW Government Information Classification, Labelling and Handling Guidelines webpage) include the categories SECRET and TOP SECRET and may use Dissemination Limiting Markers (DLMs) to indicate limited access to information. University research may involve information that requires this higher classification. Such projects are classified as Secret or Top Secret and handled individually to ensure additional security controls are used. Projects classified as Secret or Top Secret will be subject to mandatory security consultation with Cyber Security Assurance and Operations to implement appropriate safeguards.

(10) Disputes regarding the appropriate classification of information are resolved by the relevant Deputy Vice-Chancellor or Vice-President, or the head of the relevant University controlled entity.

(11) Information asset classifications are required to define acceptable use and handling of information with reference to the:

(12) Business Impact Levels are used to assess the value an information asset has to the University or its entity due to factors including:

Parameter: Key Considerations
- Confidentiality: Unauthorised disclosure or exposure of University information or data.
- Integrity: Unauthorised modification or corruption of University information or data.
- Availability: Loss of timely access to University systems or data.
- Financial: Financial losses and recovery costs to obtain, recover or replace the information, or financial damages.
- Operational: Disruption of critical processes or services.
- Regulatory and Legal: Non-compliance, penalties and fines; the related legal or contractual obligations and associated penalties.
- Reputational: Damage to reputation, trust and credibility.
- Safety and Health: Physical safety and wellbeing impact on students, staff and external parties.
- Dependencies: Interconnectedness and reliance between systems.
- Recovery Time and Recovery Point: Tolerance for downtime and data loss.

(13) Business Impact Levels are informed by the University's Risk Management Policy and Guidelines and align with the University's Business Resilience arrangements.

(14) The Information Governance Committee will conduct periodic reviews of the effectiveness of these classification procedures, including sampling information assets and verifying their classification accuracy.

(15) The University will ensure an appropriate level of training and awareness programs for all staff on the Information Governance Procedures and their responsibilities for properly classifying and handling information assets.

(16) Information Asset Classification Description and Examples:

Unofficial
Business Impact Level:
- Insignificant: Some loss but not material; existing controls and procedures should cope with events or circumstances.
- Minor: Event with consequences that can be readily absorbed but requires management effort to minimise impact.
- Information that if breached owing to accidental or malicious activity would have a minor or insignificant impact on the University's activities and objectives.
Example Information Types:
- Information intended for public consumption, such as a press release.
- Published research.
- Information intended to inform prospective students, such as Program Lists or Subject information.
- University research information from ongoing programs of research.

Official
Business Impact Level:
- Moderate: Information that if breached owing to accidental or malicious activity would have a medium to low impact on the University's activities and objectives.
- Does not include personal or sensitive information.
Example Information Types:
- Information intended for internal University business use only, such as internal correspondence; University financial data (i.e. relating to University funds or banking details); official University records; information considered to be Intellectual Property belonging to the University; or information relating to any Strategic Partnerships the University has with other organisations.
- University research information from ongoing programs of research.

Protected
Business Impact Level:
- Major: Information that if breached owing to accidental or malicious activity would have a high impact on the University's activities and objectives.
- Does include Personal Information.
- Moderate (to an external organisation or the nation): information that if breached could have an impact on national interest or security.
- Catastrophic: the circumstance has a potentially disastrous impact on the business or a significant material adverse impact on a key area. May trigger the University's Crisis Management Plan.
Example Information Types:
- Research projects with the Department of Defence that require a baseline security clearance level.
- Information relating to: various risk registers maintained by the University, including the University's overall risk register; personal details, or personally identifiable details; healthcare, including a person's preferences for treatment in the future; personal financial details; matters of misconduct (whether staff or students); HR records; exam results; commercial-in-confidence material.
- Research information containing personal information.
- Research information containing personal medical information.
- Information relating to legal privilege, as defined under the Evidence Act 1995 (Cth), or relating to sensitive University matters such as sexual assault and complaints.

Secret
Business Impact Level: Rating based upon the requirements of the project.
Example Information Types: Any official University research information that has been classified as SECRET by an external body.

Top Secret
Business Impact Level: Rating based upon the requirements of the project.
Example Information Types: Any official University research information that has been classified as TOP SECRET by an external body.

(17) The handling of and access to information assets is based on the classification:

Impact if the information is accessed (based on risk assessment)
- Unofficial: Minor/Insignificant.
- Official: Moderate.
- Protected: Moderate (to an external organisation or the nation).

Access Controls
- Unofficial: Can be publicly accessible. No viewing restrictions.
- Official: Viewing and modification are restricted to authorised users. The Information Asset Owner authorises access. Multi-Factor Authentication. Access control using approved University protocols.
- Protected: Viewing and modification are restricted to authorised users. The Information Asset Owner authorises access. Multi-Factor Authentication. Access control using approved University or controlled entity protocols. A non-disclosure agreement is required to be signed by third parties or included in agreements/contracts. Additional controls as required for the business or research function.

Storage and Security
- Unofficial: Can be stored on any device or service, or published over the internet. No restrictions on printing, emailing or copying; however, the information may be subject to copyright restrictions.
- Official: Stored using University-approved methods and tools: OneDrive, SharePoint, MS Teams. Refer to the Records and Archives Management Policy and the Acceptable Use of Digital Services Policy. Not generally printed or transferred to non-standard systems, external and/or mobile devices; special care should be taken if this is performed.
- Protected: Stored using University-approved methods and tools, with appropriate restricted access. Refer to the Acceptable Use of Digital Services Policy. Not generally printed or transferred to non-standard systems, external and/or mobile devices; special care should be taken if this is performed. Copying is kept to a minimum in keeping with operational requirements. Only printed when there is a legitimate need, and printed copies should not be left unattended. Additional controls as required for the business or research function.

Storage Location
- Unofficial: No restrictions (apart from adherence to other policy or process instruments that dictate where information should be stored).
- Official: Stored within NSW or Australia, wherever practical. University Records should be stored within NSW. ITDS and RAMS can advise on appropriate controls if this is not possible.
- Protected: Stored within NSW or Australia wherever possible. Personal and healthcare information must be stored within NSW or Australia wherever possible, otherwise by approved exemption.

Remote Access
- Unofficial: No restrictions; data is available on the University's public-facing website.
- Official: Accessed via University authorised and supported channels, with user authentication required.
- Protected: Accessed via University authorised and supported channels, with user authentication required. Additional controls as required for the business or research function.

Backup and Disaster Recovery
- Unofficial: Backups recommended.
- Official: Backups required; frequency and location to be documented. Disaster Recovery and Business Continuity Plans are recommended.
- Protected: Backups required; frequency and location to be documented. Disaster Recovery and Business Continuity Plans are required. Restoration and recovery from backup or archive to be regularly tested. Backups should be treated with the same level of security as the production system. Additional controls as required for the business or research function.

Sanitisation and Disposal
- Unofficial: No restrictions. Follow the Records and Archives Management Policy for the sanitisation or disposal of any information asset that includes or stores University records. Contact the Records and Archives Management Services Unit for more information.
- Official: Data is sanitised and disposed of using methods provided, authorised and supported by ITDS. Follow the Records and Archives Management Policy for the sanitisation or disposal of any information asset that includes or stores University records. Contact the Records and Archives Management Services Unit for more information.
- Protected: Data is sanitised and disposed of using methods provided, authorised and supported by ITDS. Additional controls as required for the business or research function.

Section 4 - Guidelines

(18) Refer to the Research Data Handling guidance on the Data Management Planning webpage for further information on research data.