Data Classification-Sensitivity Labels

|  | Public | Internal | Confidential | Highly confidential |
|---|---|---|---|---|
| Document Effect | None | Inserts footer in document. | Inserts footer in document. No changes to permissions. | Inserts footer in document. Autosave feature disabled in desktop tools. Owner – full control. Recipient must be given rights to edit or print the document. |
| Email Effect | None | None | Encrypted only | Encrypted, and recipients cannot forward or print |
| Description | Information in the public domain. | Information not approved for general circulation outside the Group, where its loss would inconvenience the Group or management but where disclosure is unlikely to result in financial loss or serious damage to reputation. | Information that, if made public or even shared around the Group, could seriously impede operations and is considered critical to ongoing operations. | Highly sensitive information which, if its confidentiality, integrity or availability were compromised, would be likely to result in critical damage such as serious financial loss or significant breakdown of confidence in the Group. |
| Examples | Annual reports, press releases, marketing materials, documents contained on the Group’s Publication Scheme. | Internal memos, finance reports, synopses of meetings, staff newsletters, internal phone directories, learner results. | Sensitive financial information, learners’ personal data, correspondence with solicitors. | Learners’ sensitive personal data. Highly sensitive internal documents (e.g. disciplinary reports, investment strategies) that could seriously damage the Group if such information were lost or made public. |
| Risk | Low | Low - unauthorised disclosure would not significantly impact the Group, or any of its learners or employees. | High - unauthorised disclosure could result in significant adverse impact or penalties to the Group, or any of its learners or employees. | High - unauthorised disclosure is likely to result in significant adverse impact, embarrassment or penalties to the Group, or any of its learners or employees. |
| Access control | Available to the general public. | Generally available to all staff on a need-to-know basis. | Must have a business need to know the information. | Must have a business need to know the information. |
| Release to third parties | Available to the general public and for distribution outside of the organisation. | Intended for use only within the organisation. May be shared outside the organisation only if there is a legitimate business need to know and the release is approved by a manager. | Access limited to a need-to-know basis and not to be released externally, unless in accordance with specified policies and procedures on release of information. | Access limited to as few persons as possible on a need-to-know basis. Information is very sensitive and should be closely controlled from creation to destruction. Release only as permitted by applicable policies. |
| Transmission by email | No special handling required. | No special handling required. | Use of email discouraged, unless encrypted (including attachments), sent by a CMT/SMT member, or in an emergency situation. Broadcast to distribution lists is prohibited. | Use of email strongly discouraged, unless encrypted (including attachments), sent by a CCMT/SMT member, or in an emergency situation. Notify recipient in advance. |
| Storage standards | Storage on all laptop, portable or network drives. No storage on PC hard drives. | Storage on all laptop, portable or staff-only network drives. No storage on PC hard drives. | Storage on staff-only restricted-access or personal network drives. | Storage on staff-only restricted-access or personal network drives. Password protection of document preferred. |