The University of Oxford handles a great volume and variety of information to support its day-to-day activities and poor data handling is the biggest source of information security incidents. As University members, we all have a personal and professional responsibility to safeguard any information that we create as well as information that is shared with or entrusted to us.
To help with this, the University has a classification scheme and guidance on how to handle each category of information as not all information should be treated equally.
There are three classification levels of confidentiality:
- Public: Comprising unrestricted sharing and circulation, including on open access / public sites.
- Internal: Reserved for the general “day to day’’ University of Oxford information, which should not be publicly available and requires a reasonable level of protection.
- Confidential: Reserved for the most sensitive University of Oxford information, which requires the highest level of protection.
The handling rules help you identify what you can do with each category of University information: how you can store it, send it, and secure it. They’re not exhaustive and don’t replace the need for common sense but it has plenty of practical recommendations for common methods and usages. You wouldn’t leave your passport on a bench in the centre of town but equally you wouldn’t lose much sleep over losing a loyalty card there...
Within Medical Sciences Division, there is also a divisional procedure for staff to familiarise themselves with the above as well as clarifying expectations for Internal and Confidential information within the Division. Emphasising the importance of the use of approved services for processing and storing information including what email services are appropriate.
If you would like more advice or guidance on how to use the information classification and handling scheme, or how we can help assess the security of your research, please refer to the Information Security website or contact the Information Security Governance, Risk and Compliance Team via firstname.lastname@example.org.
- University Classification Scheme and Handling Rules
- Medical Sciences Divisional Procedure: Information Classification, Handling and Approved Systems