Divisional Procedures: Information Classification, Handling and Approved Systems
This set of procedures covers the use of the University classification scheme and the associated handling rules by staff and students of the Medical Sciences Division. It underlines the importance of the use of approved university systems when handling University information.
Medical Sciences Division, Information Governance, September 2021
In the course of their University work, all University Members have a personal and professional responsibility to safeguard any information that they create and any information shared with them, or entrusted to them. This is vital for confidentiality and security and also to ensure that the University complies with regulations such as UK GDPR and the Freedom of Information Act. It also enables the University to retain a record of work undertaken, which can be necessary in securing intellectual property rights, or in demonstrating proper use of funding.
To facilitate this, the University has a simple classification scheme for information and a guide on how to handle each category of information.
It is particularly important that members of the Medical Sciences Division familiarise themselves with these rules. Much of our research depends on the use of confidential and personal data, entrusted to us by data providers and research participants. We must maintain their confidence in us. A professional approach to handling all information should be engrained across the Division: it should be the rule rather than the exception.
1 The University Information Classification Scheme
All members of the Medical Sciences Division must be aware of the University information classification scheme:
- Public: Information suitable for unrestricted sharing and circulation, including on open access / public sites.
- Internal: Reserved for the general “day to day” University of Oxford information, which should not be publicly available and requires a reasonable level of protection.
- Confidential: Reserved for the most sensitive University of Oxford information, which requires the highest level of protection.
The full policy can be downloaded from the Information Security website.
2 The University Information Classification Handling Rules
All members of the Medical Sciences Division must familiarise themselves with the handling rules for each classification and consult these when necessary.
Links to useful tutorials on how to implement the handling rules using Oxford University approved IT services can be found on the Information Security Handling Information webpages. Further information on available systems in the Medical Sciences Division can be found on the Medical Sciences Divisional website.
3 University Approved Services
Members of the Medical Sciences Division must ensure that University information (including that exchanged within the University in the body of an email) is processed and stored in University approved services.
Internal and Confidential information must not be disclosed to third parties without due consideration of the risks. This includes storing or forwarding information to unapproved systems and online software, for example, using an automatic forwarding command to a personal email account.
University approval of a third-party service will include:
- Third party security assessments or project security reviews
- Contracts negotiated by purchasing or including the University’s standard terms and conditions and security schedule
- Where personal data is processed, data processing agreements between the University as data controller and the software provider as data processor.
Further details about the approval process can be found on the MSD website.
Please note: Google Drive and Gmail are not approved by the University for several reasons. It is highly unlikely that they would be approved given that suitable collaborative software and email is available through Outlook, OneDrive, Teams and SharePoint online.
4 University Approved Email Services
Members of the Medical Sciences Division must ensure that emails containing University information classified as internal or confidential are sent via approved University email services.
Members of the Medical Sciences Division must not set up automatic forwarding of University email addresses (ox.ac.uk) to other email accounts.
Emails containing confidential information must be encrypted.
Advice on encryption is available on the Medical Sciences Divisional website.
Alternative methods to transfer confidential information, including sharing via OneDrive or SharePoint, should also be considered.