Information should be classified as Strictly Confidential when unauthorised disclosure, alteration or destruction could result in either personal (or sensitive personal) or internal service configuration data being divulged; this equates to the University being at risk from Information Commissioner’s Office sanctions under the Data Protection Act 2018 and should be considered as a high risk.
A significant level of security controls should be applied to Strictly Confidential information.
Payroll; student grades; disability, health and wellbeing information; emergency contact details; notes relating to disciplinary processes; research data containing personal or high-value information; medical (including tissue) or clinical trial research data (any other research data stipulated by contract or agreement to be handled with utmost care); commercially sensitive business operations and strategies.
Access controls must be enforced from creation to destruction.
Limited to members of the University, partner organisations (where covered by data sharing agreements) and individuals, as authorised by Information Asset Owners (or their delegate) on the basis that the individual requires such access in order to perform their job (‘need-to-know’).
Cannot be disclosed to the general public.
Unless only one person needs access to the data (in itself an information risk), access must be granted to those individuals who require it via security groups (role-based access).
Printing and copying:
Limited. Printing and copying is only permitted by individuals in order to perform their duties and where appropriate controls are in place to protect the hard copy from creation to destruction.
Limited. Authorisation for modification by Information Asset Owner (or their delegate) required and access granted as above for viewing.
Working copies of documents can reside on an individual’s computer or mobile device (e.g., a laptop computer). The device must be encrypted using whole-disk encryption. Final or approved copies of documents must be stored within a document management system or a shared storage area with appropriate permissions added to prevent unauthorised access.
Cannot be stored in any personal cloud account.
Can be stored in the University’s public cloud (i.e., Microsoft 365 environment) where not contravening any license or contractual arrangements, with restrictions on who can access the materials.
Cannot be shared publicly.
Can be shared with partners with a non-disclosure agreement or contractual confidentiality terms in effect between all of the relevant parties.
Sharing permissions must be approved by the Information Asset Owner or their delegate.
In a locked or otherwise secured storage unless it is in use.
Transmission and collaboration
Document or file encryption required for electronic transmission. The University public cloud (Microsoft 365 services) provide encryption in transmission.
Any distributed documents (electronic or paper) must be watermarked as ‘STRICTLY CONFIDENTIAL’ and the intended recipients clearly indicated; if watermarking is not possible ‘STRICTLY CONFIDENTIAL’ must be included in the document header, aligned to the right of the page or within the document metadata.
Printed copies to be delivered in sealed envelopes marked ‘Personal’ or ’Strictly Confidential’.
All information must be retained for the legally or contractually required minimum and maximum periods of time. This will vary depending on the type of information under consideration. Importantly, if you are unsure of the retention period, please refer to the University’s Records Retention Schedule.
Must comply with Retention Schedule (see above). On decommissioning of equipment used to store the information, the storage must be securely sanitised following NCSC guidelines. An accompanying certificate of destruction shall be obtained and stored by the person facilitating the destruction.
Printed copies should be cross-cut shred to DIN 66399 P-3 standard and disposed of in confidential waste (blue) bags.
General data protection and information security awareness training mandatory for all University and affiliate staff.
Refresher training carried out every two years.
Applicable policy and regulation training required.
Password protection required, locked when not in use. Encryption required.