Information classification scheme

The University's information classification scheme helps you understand how you should manage data you need to access, process, store or otherwise use in your role at the University of Bristol.

The University's information classification scheme helps you understand how you should manage data you need to access, process, store or otherwise use in your role at the University of Bristol.

The University defines five levels for classifying data. Each level is based on the impact that compromise of data in that level would have.

Public

Definition

Data classified as public may be viewed by anyone inside or outside the organisation.

Impact if information were made public

From an information security perspective, there are no negative impacts if the information is lost, stolen, or made public.

Examples of Public information

Public information assets may include but are not limited to:

  • Publications
  • Press releases
  • Course information
  • Principle University contacts for public facing roles, such as names, email addresses and landline telephone number
  • Public events.

Open 

Definition

Available to people at the University who are in one of other of these groups: 'staff', ‘postgraduate researchers', and 'taught students'.

Note: this is not defined as 'everyone with an account at the University', as that would include other account holders such as affiliates at other organisations and alumni.

Impact if information were made public

There is a low information security risk if data classified as Open is lost, stolen or made public. Loss of this data may result in:

  • Very minor reputational or financial damage to the University.
  • Very minor privacy breach for an individual.

Examples of Open information

Open information assets may include (but are not limited to):

  • Contact information for most staff (including name, role, email address and University telephone number)
  • General policies, procedures and guidelines.

Confidential

Definition

Access is controlled and restricted to a group of people. This may be members of the University and members of other organisations.

Impact if information were made public

There is a medium information security risk if data classified as Confidential is lost, stolen or made public. Loss of this data may result in:

  • An intermediate reputational, financial or privacy impact.
  • It may make it less likely that the University would be trusted with similar information in the future.

Examples of Confidential information

Confidential information assets may include (but are not limited to):

  • Personal details and identifiable information, including name, address, telephone number, email address, date of birth, National Insurance Number)
  • Information relating to the private wellbeing of a University member
  • Wage slips
  • Death certificates
  • Employee contract information
  • Non-Disclosure Agreements.

Confidential and Sensitive

Definition

Access is restricted to a small number of people who are listed by name.

Impact if information were made public

There is a high information security risk if data classified as Confidential and Sensitive is lost, stolen or made public. Loss of this data may result in:

  • Possible substantial damage to the reputation of the University.
  • A substantial financial effect on the University or a third-party.
  • A serious privacy breach to one or more individuals.

Examples of Confidential and Sensitive information

  • Bank details
  • Financial data
  • Student transcripts
  • Examination papers
  • Staff or student medical records
  • Certain medical research data
  • Research papers intended to lead to patentable results (If research is ongoing and has not been published)
  • Details of servers and server rooms
  • Passwords
  • Investigations and disciplinary proceedings
  • Submitted patents and Intellectual Property Rights
  • University and third party contract/supplier information
  • Market sensitive information (for example concerning some property purchases).

Secret

Definition 

Known only to a very small number of named staff and postgraduate research students who have been explicitly cleared and vetted for access.

Access is subject to or obtained under the Official Secrets Act or equivalent.

Impact if information were made public

Critical - may damage national security.

Examples

Access is subject to or obtained under the Official Secrets Act or equivalent.

Alternative format

The information classification scheme is also available as a PDF: Information Classification Scheme (PDF, 99kB)