Information classification scheme
The University's information classification scheme helps you understand how you should manage data you need to access, process, store or otherwise use in your role at the University of Bristol.
The University defines five levels for classifying data. Each level is based on the impact that compromise of data in that level would have.
Public
Definition
Data classified as public may be viewed by anyone inside or outside the organisation.
Impact if information were made public
From an information security perspective, there are no negative impacts if the information is lost, stolen, or made public.
Examples of Public information
Public information assets may include but are not limited to:
- Publications
- Press releases
- Course information
- Principal University contacts for public-facing roles, such as names, email addresses and landline telephone numbers
- Public events.
Open
Definition
Available to people at the University who are in one or other of these groups: 'staff', 'postgraduate researchers', and 'taught students'.
Note: this is not defined as 'everyone with an account at the University', as that would include other account holders such as affiliates at other organisations and alumni.
Impact if information were made public
There is a low information security risk if data classified as Open is lost, stolen or made public. Loss of this data may result in:
- Very minor reputational or financial damage to the University.
- Very minor privacy breach for an individual.
Examples of Open information
Open information assets may include (but are not limited to):
- Contact information for most staff (including name, role, email address and University telephone number)
- General policies, procedures and guidelines.
Confidential
Definition
Access is controlled and restricted to a group of people. This may be members of the University and members of other organisations.
Impact if information were made public
There is a medium information security risk if data classified as Confidential is lost, stolen or made public. Loss of this data may result in:
- An intermediate reputational, financial or privacy impact.
- It may make it less likely that the University would be trusted with similar information in the future.
Examples of Confidential information
Confidential information assets may include (but are not limited to):
- Personal details and identifiable information (including name, address, telephone number, email address, date of birth, National Insurance Number)
- Information relating to the private wellbeing of a University member
- Wage slips
- Death certificates
- Employee contract information
- Non-Disclosure Agreements.
Confidential and Sensitive
Definition
Access is restricted to a small number of people who are listed by name.
Impact if information were made public
There is a high information security risk if data classified as Confidential and Sensitive is lost, stolen or made public. Loss of this data may result in:
- Possible substantial damage to the reputation of the University.
- A substantial financial effect on the University or a third-party.
- A serious privacy breach to one or more individuals.
Examples of Confidential and Sensitive information
- Bank details
- Financial data
- Student transcripts
- Examination papers
- Staff or student medical records
- Certain medical research data
- Research papers intended to lead to patentable results (if research is ongoing and has not been published)
- Details of servers and server rooms
- Passwords
- Investigations and disciplinary proceedings
- Submitted patents and Intellectual Property Rights
- University and third party contract/supplier information
- Market sensitive information (for example concerning some property purchases).
Secret
Definition
Known only to a very small number of named staff and postgraduate research students who have been explicitly cleared and vetted for access.
Access is subject to or obtained under the Official Secrets Act or equivalent.
Impact if information were made public
Critical - may damage national security.
Examples
Access is subject to or obtained under the Official Secrets Act or equivalent.
Alternative format
The information classification scheme is also available as a PDF: Information Classification Scheme (PDF, 99kB)