This document outlines the University's establishment and implementation of a University-wide system of categorising information it holds according to sensitivity and confidentiality. It also defines associated rules for the handling of each category of information in order to ensure that the appropriate level of security is put in place and maintained. The Information Classification Framework aims to facilitate compliance with the requirements of the University's Data Protection and IT Security Policy (particularly in relation to cyber security). For research data, it should be read in conjunction with the guidance contained in the Research Data Policy.
All information held by or on behalf of the University of Bath in any form¹ is subject to the requirements of this framework. Information handling rules apply to all University staff, students and relevant third parties handling University information (e.g. contractors) and to third party information that may be held by the University.
Information shall be categorised according to the Information Classification Scheme. The categorisation shall be determined by the originator or designated owner of the information and all information falling into the 'restricted' or 'highly restricted' categories shall be appropriately treated as such.
Information shall be handled in accordance with the Information Handling Protocol (see Annex 2). Where particular information falls into more than one classification category, the higher level of protection shall apply in that instance. Where a third party will be responsible for handling information on behalf of the University, the third party shall undertake to adhere to these data handling requirements prior to the sharing of that information (this is particularly critical when 'personal data' or 'sensitive personal data' as defined by the Data Protection Act is concerned).
Where the University holds information on behalf of another organisation with its own information classification system, written agreement shall be reached as to which rules apply prior to the sharing of that information.
It is the responsibility of all individuals to categorise and handle information appropriately according to this framework. Failure to do so may be considered a breach of the University's Data Protection and/or IT Security Policies and could result in disciplinary action.
¹Includes paper, digital and all other media.