Division of General Counsel, Governance and Compliance

Records Management Guidance - Classification and Handling of Records

The University needs to safeguard its information and, where that information is personal data, also has a duty to comply with data protection legislation.

The Information Classification and Handling Policy sits alongside the University’s Information Security policies and Data Protection Policy and is in place to ensure that all information – whether personal data or not – is handled by the University with appropriate care and security at all times.

Consideration should always be given to the sensitivity and value of the information being handled. Where there is a risk that inappropriate disclosure or dissemination of the information (either internally or externally) would cause financial or reputational damage to the University, breach legal or regulatory requirements, or cause harm to or impact negatively on individuals, information should be classified as ‘Sensitive’.

Examples of ‘Sensitive’ information include commercial information, research data, special categories of personal data, or information relating to contractual or legal obligations.

Information should be classified as follows:

Classification Description
Sensitive The information may be shared or used internally or externally as appropriate, but appropriate safeguards should be in place to protect the information.
No classification The information can be shared or used internally and externally, without any safeguards in place, such as information on our external webpages. However, as with all information, it should only be shared with appropriate and necessary recipients.

 

 

 

 

 

The Policy applies to records management in three key ways:

1. Protective markings

Records should be marked with the appropriate classification. For example:

The subject line of an email contains the word 'Sensitive'

In this example, the ‘Sensitive’ classification category is included in the subject heading to indicate that the email includes sensitive information. 

A folder containing 3 other folders labelled ' 2020 Student Complaints - Sensitive', '2021 Student Complaints - Sensitive' and so on

In this example, the ‘Sensitive’ classification category is included at the end of three folder names to indicate that the records within these folders are sensitive. 

An example of a completed police request form

The response to a Police request for student details in relation to an ongoing criminal investigation is classified as ‘Sensitive’ with a watermark to reflect that. 

2. Access and transfer

When setting up a folder to share records with others, appropriate access and editing controls should be put in place.

RM guidance ichp example 4

For example, a Freedom of Information request folder is set up in Box and shared with invited people only. Note that the file is set up for viewing only as opposed to editing.

RM guidance ichp example 5

When sharing a contract with colleagues, it is shared as a link rather than as an attachment. Note that the email is classified in the subject heading as 'Sensitive' and the password is shared separately.

3. Disposal

All records that are classified as ‘Sensitive' must be disposed of securely. Paper records should be disposed of using confidential waste dispoal and secure shredding. Electronic records should be deleted from IT equipment and servers.

 

Last updated 17 February 2023