Data Classification-Sensitivity Labels

 

Public

Internal

Confidential

Highly confidential


Document Affect

None

Inserts footer in document

Inserts footer in document

No changes to permissions

Inserts footer in document

Autosave Feature disabled in desktop tools

Owner – full control

Recipient must be given rights to edit or print the document

Email Effect

None

None

Encrypted only

Encrypted and recipients cannot forward, or print

Description

Information in the public domain

Information not approved for general circulation outside the Group where its loss would inconvenience the Group or management but where disclosure is unlikely to result in financial loss or serious damage to reputation.

Information that, if made public or even shared around the Group, could seriously impede operations and is considered critical to ongoing operations.

Highly sensitive information which, if it’s confidentiality, integrity or availability was compromised, would be likely to result in critical damage such as serious financial loss or significant breakdown of confidence in the Group.

Examples

Annual reports, press releases, marketing materials, documents contained on the Group’s Publication Scheme.

Internal memos, finance reports, synopsis of meetings, staff newsletters, internal phone directories, learner results.

Sensitive financial information, Learner’s personal data, correspondence with solicitors.

Learner’s sensitive personal data. Highly sensitive internal documents e.g. disciplinary reports; investment strategies; that could seriously damage the Group if such information were lost or made public.

Risk

Low

Low - unauthorised disclosure would not significantly impact the Group, or any of its learners or employees.

High - unauthorised disclosure could result in significant adverse impact or penalties to the Group, or any of its learners or employees.

High - unauthorised disclosure is likely to result in significant adverse impact, embarrassment or penalties to the Group, or any of its learners or employees.

Access control

Available to the general public.

Generally available to all staff on a need to know basis.

Must have a business need to know the information.

Must have a business need to know the information.

Release to third parties

Available to the general public and for distribution outside of the organisation.

Intended for use only within the organisation.  May be shared outside the organisation only if there is a legitimate business need to know and is approved by a manager.

Access limited to a need to know basis and not to be released externally, unless in accordance with specified policies and procedures on release of information.

Access limited to as few persons as possible on a need to know basis.  Information is very sensitive and should be closely controlled from creation to destruction. Release only as permitted by applicable policies.

Transmission by email

No special handling required.

No special handling required.

Use of email discouraged, unless encrypted (including attachments) or sent by CMT/SMT member or emergency situation.  Broadcast to distribution lists is prohibited.

Use of email strongly discouraged, unless encrypted (including attachments) or sent by CCMT/SMT member or emergency situation.  Notify recipient in advance.

Storage standards

Storage on all laptop, portable or network drives.  No storage on PC hard drives.

Storage on all laptop, portable or staff only network drives.  No storage on PC hard drives.

Storage on staff only restricted access or personal network drives.

Storage on staff only restricted access or personal network drives. Password protection of document preferred.