The University’s scheme classifies information according to three levels of confidentiality:
• Public – information intended for public release, where no harm would be caused by anybody having access to it.
• Internal – information that is not sensitive but could cause some harm, such as reputational damage to the University or research sponsor, if it fell into the wrong hands. Internal information should only be seen within the University and by authorised third parties.
• Confidential – sensitive information that could cause serious harm if it fell into the wrong hands. Access should be restricted to those with a need to know.
The information owner, which may be you or the person who is responsible for the information, should decide what level of classification to use. If ownership is unclear, it should be referred upwards, to your Head of Department if necessary. Consult your local information governance lead or Information Compliance if you are unsure how to classify personal data.
So the first step in securing information is to decide how sensitive or valuable it is and give it a corresponding classification. The decision should be based on:
• Its intrinsic value - how valuable would it be to others, notably competitors, criminal groups looking to sell it on and hostile nation-states?
• Its criticality to research - what would the impact be if compromised?
• Its sensitivity - what would the effect be of unauthorised disclosure on the University, researchers and research subjects?