Classify and handle University data securely
The University of Oxford uses a large volume and diversity of information to support its activities and to achieve its teaching and research objectives.
All University members have a personal and professional responsibility to safeguard any information that they create, or is shared with, or entrusted to them, whether intentionally or otherwise.
This section outlines rules on how to protect different types of information depending on the classification level based on the University's Information Classification Policy and provides guidance for preserving the confidentiality of information across the University. It represents the minimum set of measures for protecting University data in order to mitigate the risks of potential information security breaches. The full description can be found in the Information Security Handling Rules.
Any information asset should be assigned one of three classifications:
1. Public 2. Internal 3. Confidential
Information should be classified as “public” when unauthorised disclosure has no potential to cause any damage or distress to the interests, employees or reputation of the University, its affiliates or data subjects.
This classification should be used for information for the public domain and carries not appreciable confidentiality risk.
-
Information should be identifiable as originating from the University of Oxford
-
Mark front page of each document
-
In the case of published information, such as web site content and University brochures it is not necessary, but a record should be kept of the decision to release information to the public domain
-
Widely available
-
May be viewed by anyone, anywhere in the world subject to restrictions in law
-
No restrictions
-
No restrictions
-
No restrictions
-
No restrictions
-
No restrictions
-
No restrictions
-
No restrictions
-
No restrictions
-
No restrictions
-
No master copy storage permitted
-
No restrictions
-
OxFile is being retired (date to be confirmed) and we recommend using OneDrive instead. Files from OxFile can be migrated to OneDrive
-
No restrictions
-
No restrictions
-
No restrictions
-
No restrictions
Information should be classified as ''internal'' when unauthorised disclosure has a potential to cause some damage or distress to the interests, employees or reputation of the University, its affiliates or data subjects.
This classification should be used for information for a defined audience, but is not particularly sensitive.
- Information should be identifiable as from the University of Oxford
- Mark “INTERNAL” on the front page of each document and on front of folders, binders
- Dissemination only to members of the University of Oxford or organisations and individuals authorised by the University of Oxford
- Access should be authenticated by password or similar
- Dissemination should be on a “need to know” basis.
- Prior to termination ensure return of all internal information held and full revocation of access rights and permissions granted to systems and data stores holding internal information
- Depending on the sensitivity and confidentiality of the information, consider protecting document through:
Marking as final (let reader know the document is final and make it read-only)
Encrypting with password (password protect the document)
Restricting permissions (grant people access while removing their ability to edit, copy or print)
- Information should be stored on the University systems in monitored and restricted access drives managed by IT Services, whenever possible
- Storage on external system may be possible subject to Third Party Risk Assessment approval
- Depending on the sensitivity and confidentiality of the information, consider restricting access by:
Amending default folder permissions (full control, modify, read only) as appropriate
Amending permissions inherited from parent folder
Regularly monitoring users (adding or deleting)
Password protection for sensitive files at document level
- Information should be created in a secure environment and stored in a locked filing cabinet or equivalent
- Documents can be taken off site, but should be kept securely in a document holder
- Ensure fax number is entered correctly
- Sealed envelope
- Normal internal and external mail services can be used
- Print only what you really need to hold as hard-copy
- Use University of Oxford managed printers, if possible
- Data may be accessed and stored on University PCs, laptops and portable media with endpoint protection in place
- Access to the device should be controlled in accordance with the University's Security Policy
- Full disk encryption is advisable, in case of loss or theft
- Laptops should be kept secure at all times and locked away overnight when left in the office
- In accordance with the University's guidance on protecting personally-owned devices
- Depending on the sensitivity and confidentiality of the information, consider assigning specific permissions
- Three permission groups exist: Owner, Member and Visitor
- By default, all sites, lists, and libraries in a site collection inherit permissions settings from the site that is directly above them in the site hierarchy. Owners can assign unique permissions to a list, library, or survey, through first breaking permissions inheritance, then assigning unique permissions. Permissions can be altered down to the document level
- Depending on the sensitivity and confidentiality of the information, consider password protection. Recipients should receive the password via separate channel, such as phone call, text or separate email
- OxFile is being retired (date to be confirmed) and we recommend using OneDrive instead. Files from OxFile can be migrated to OneDrive
- By default, access to OneDrive for Business documents is restricted only to the user, until sharing options are enabled. Permissions can be altered down to the document level
- The team owner should ensure that access rights are set up on the basis of need to know. When uploading data bear in mind that the content is visible to all team members
- Depending on the sensitivity and confidentiality of the information, consider:
Using encryption and password protection for specific files
Double-checking that you have used the right address before sending the email
Using blind copy (Bcc) when emailing multiple recipients
Whether recipient may have delegated authority to others
Restricting permissions from forwarding the email (recipients can read the message but cannot forward, print or copy)
Requesting a delivery and read receipt for the message
- Telephone systems do not generally offer a high level of security. Therefore depending on the sensitivity and confidentiality of the information, consider an alternative method of voice communication, such as Teams for calling
- Use bins or shredders located in your building
- Ensure all copies of information are erased when no longer needed or according to your data retention policy. Remember to empty the trash bin
- If hardware is to be disposed of, contact your local IT support for secure destruction
Information should be classified as “confidential” when unauthorised disclosure has a potential to cause serious damage or distress (including severe or long-term impact) to the interests, employees or reputation of the University, its affiliates or data subjects.
- Information should be identifiable as originating from the University of Oxford
- Mark “CONFIDENTIAL” on all pages of the document and on front of folders, binders, as well is in the subject line and body of all emails
- The same rule applies to removable electronic and optical media, such as USBs, CD-ROMs, microfilms, photographs, and removable hard drives
- Dissemination only to recipients authorised by the information owner on the basis of genuine and justified 'need to know'
- Appropriate access control measures to be taken by depending on method of dissemination and storage
- Prior to termination ensure return of all confidential information held and full revocation of access rights and permissions granted to systems and data stores holding confidential information
- Protect document by:
Restricting permissions (grant people access only on a justified ‘’need to know’’ basis)
Marking as final (let reader know the document is final and make it read-only)
- Depending on the sensitivity and confidentiality of the information, consider protecting document through encrypting with password (password protect the document, password should be shared via a different channel, such as phone call, text or separate email)
- Information should be stored on the University systems in monitored and restricted access drives managed by IT Services, whenever possible
- Storage on external system may be possible subject to Third Party Risk Assessment approval
- Restrict access by:
Amending default folder permissions (full control, modify, read only) as appropriate
Amending permissions inherited from parent folder
Regularly monitoring users (adding or deleting)
Password protection for sensitive files at document level
- Information should be created only in a secure environment and stored in locked filing cabinet or equivalent or in an office which is locked or attended only by authorised staff
- In open access offices, documents should not be left unattended on desks or printers
- Locks should conform to an appropriate standard of security
- In open access offices, documents shall not be left unattended
- Documents can be taken off-site only exceptionally for shortest time possible, and with authorisation from the line manager
- Documents should be kept securely in a document holder
- Documents should not be left unattended
- Not permitted, you should not fax anything confidential
- Sealed envelope marked as ‘’confidential’’
- Originals and copies should be delivered by hand where possible
- If delivery by hand not possible use recorded delivery or courier delivery with the confirmation of receipt
- Depending on the sensitivity and confidentiality of the information, consider:
Sealed double envelope with inner envelope marked as “confidential”
- Print only what you really need to hold as hard-copy and dispose of securely as soon as possible
- Use only University of Oxford printers
- Data may be accessed and stored on University PCs, laptops and portable media with an endpoint protection in place
- Access to the device should be controlled in accordance with the University's Security Policy
- Full disk encryption should be arranged in case of loss or theft
- Avoid downloading files to laptops and portable media, but where this is not possible files should be retained only on a temporary basis and erased as soon as possible
- Laptops should be kept secure at all times and locked away overnight when left in the office
- Only with specific departmental approval and in accordance with the University's guidance on protecting personally-owned devices
- Specific authorisation must be sought from the head of department, who owns the risk associated with allowing access to confidential University data through self-managed devices
- Assign specific permissions - MANDATORY
- Three permission groups exist: Owner, Member and Visitor
- By default, all sites, lists, and libraries in a site collection inherit permissions settings from the site that is directly above them in the site hierarchy
- Owners can assign unique permissions to a list, library, or survey, through first breaking permissions inheritance, then assigning unique permissions. Permissions can be altered down to the document level
- Depending on the sensitivity and confidentiality of the information, consider using ‘’ALERT ME’’ to be informed about changes to the site made by others
- Documents should be encrypted and password-protected. Recipients should receive the password via separate channel, such as phone call or text or separate email
- OxFile is being retired (date to be confirmed) and we recommend using OneDrive instead. Files from OxFile can be migrated to OneDrive
- By default, access to OneDrive for Business documents is restricted only to the user, until sharing options are enabled. Permissions can be altered down to the document level
- The user should ensure that access rights are set up on a ‘’need to know’’ basis
- The team owner should ensure that access rights are set up on the basis of need to know. When uploading data bear in mind that the content is visible to all team members
- Where transmitted via Outlook 365 email, the internal transmission is automatically encrypted in transit and at rest. Subject of the email must indicate CONFIDENTIAL
- Where transmitted via Outlook 365 to external recipient use Outlook 365 PROTECT function for encrypting. Subject of the email must indicate CONFIDENTIAL
- Where transmitted via other email services (such as Oxmail) encrypt confidential information, unless you are sure that encryption at rest and in transit is in place
- When sending from University hosted email account to external email account (from @ox.ac.uk to @xx.xx.xx), attachments should be encrypted and password protected at a document level
- Passwords for protected email attachments must never be sent in the same email as the attachment and should be communicated via another mechanism, such as by separate email, text or phone
- Double-check that you have used the right address before sending the email
- Use blind copy (Bcc) when emailing multiple recipients
- Do not email information to personal email accounts
- You may also, depending on the sensitivity and confidentiality of the information, consider:
Restricting permissions from forwarding the email (recipients can read the message, but cannot forward, print or copy)
Requesting a delivery and read receipt for the message
Whether recipient may have delegated authority to others
- Use confidential waste bins or shredders located in your building
- Ensure all copies of information are erased when no longer needed or according to your data retention policy. Remember to empty the trash bin
- If hardware is to be disposed of, contact your local IT support for secure destruction