Security impact
High.
Description
Information should be
classified as Strictly Confidential when unauthorised disclosure,
alteration or destruction could result in either personal (or sensitive
personal) or internal service configuration data being divulged; this equates
to the University being at risk from Information Commissioner’s Office
sanctions under the Data Protection Act 2018 and should be considered as a high
risk.
A significant level of security controls should
be applied to Strictly Confidential information.
Examples
Payroll; student grades; disability,
health and wellbeing information; emergency contact details; notes relating to
disciplinary processes; research data containing
personal or high-value information; medical (including tissue) or clinical trial
research data (any other research data stipulated by contract or agreement to
be handled with utmost care); commercially sensitive business operations and
strategies.
Access control
Access controls must
be enforced from creation to destruction.
Viewing:
Limited to members of the
University, partner organisations (where covered by data sharing agreements)
and individuals, as authorised by Information Asset Owners (or their delegate)
on the basis that the individual requires such access in order to perform their
job (‘need-to-know’).
Cannot be disclosed to the
general public.
Unless only one person needs access to the data
(in itself an information risk), access must be granted to those individuals who
require it via security groups (role-based access).
Printing and copying:
Limited. Printing and
copying is only permitted by individuals in order to perform their duties and
where appropriate controls are in place to protect the hard copy from creation
to destruction.
Modification:
Limited. Authorisation
for modification by Information Asset Owner (or their delegate) required and
access granted as above for viewing.
Storage
Electronic:
Working copies of
documents can reside on an individual’s computer or mobile device (e.g., a
laptop computer). The device must be
encrypted using whole-disk encryption. Final or approved copies of documents
must be stored within a document management system or a shared storage area
with appropriate permissions added to prevent unauthorised access.
Cannot be stored in any personal cloud account.
Can be stored in the
University’s public cloud (i.e., Microsoft 365 environment) where not
contravening any license or contractual arrangements, with restrictions on who
can access the materials.
Cannot be shared publicly.
Can
be shared with partners with a non-disclosure agreement or contractual
confidentiality terms in effect between all of the relevant parties.
Sharing permissions must be approved by the
Information Asset Owner or their delegate.
Paper/hard copy:
In a locked or
otherwise secured storage unless it is in use.
Transmission and collaboration
Document or file encryption
required for electronic transmission. The University public cloud (Microsoft
365 services) provide encryption in transmission.
Any distributed documents
(electronic or paper) must be watermarked as ‘STRICTLY CONFIDENTIAL’
and the intended recipients clearly indicated; if watermarking is not possible
‘STRICTLY CONFIDENTIAL’ must be included in the document header, aligned
to the right of the page or within the document metadata.
Printed copies to be delivered in sealed envelopes
marked ‘Personal’ or ’Strictly Confidential’.
Retention
All information must be retained for the legally or
contractually required minimum and maximum periods of time. This will vary
depending on the type of information under consideration. Importantly, if you are unsure of the
retention period, please refer to the University’s Records Retention Schedule.
Disposal
Electronic:
Must comply with Retention
Schedule (see above).
On decommissioning of equipment used to store
the information, the storage must be securely sanitised following NCSC guidelines. An accompanying certificate of
destruction shall be obtained and stored by the person facilitating the
destruction.
Paper/hard copy:
Printed copies should
be cross-cut shred to DIN 66399
P-3 standard and
disposed of in confidential waste (blue) bags.
Training
General data
protection and information security awareness training mandatory for all
University and affiliate staff.
Refresher training
carried out every two years.
Applicable policy and
regulation training required.
User devices
Password protection required,
locked when not in use. Encryption required.