Category Highly restricted Restricted Internal use
Description Highly Confidential information whose inappropriate disclosure¹ would be likely to cause serious damage or distress to individuals and/or constitute unfair/unlawful processing of "senstive personal data" under the Data Protection Act; and/or seriously damage the University's interests and reputation; and/or significantly threaten the security/safety of the University and its staff/students. Only those who explicitly need access should be granted it and only to the extent they need to fulfil their work. The impact of inappropriate disclosure could include: - Fines of up to £500,000 from the Information Commissioner's Office - Revocation of research contracts and failure to win future research bids - Serious negative publicity - Legal Action Confidential information whose inappropriate disclosure would be likely to cause a negative impact on individuals and/or constitute unfair/unlawful processing of "personal data" under the Data Protection Act; and/or damage the University's commercial interests, and/or have some negative impact on the University's reputation. This information should be handled in a way as to prevent unauthorised access e.g. appropriate access controls must be in place. It should be noted that 'restricted' information may become 'highly restricted' depending upon the circumstances in which it is handled. For example, a large dataset containing personal information of large numbers of students should have 'highly restricted' protective measures put in place. Information not considered being public which should be shared only internally but would not cause sustantive damage to the University and/or individuals if disclosed.
Examples Sensitive personal data relating to identifiable living individuals (particularly if it is a number): - racial/ethnic origin - political opinion - religious beliefs - trade union membership - physical/mental health - sexual life - criminal record. Examples relevant to the Uiversity include: - Staff/student medical records - Equality and diversity individual data - Records of staff/student disciplinary proceedings. Other examples of 'highly restricted' information include: Salary information Individual's bank details Large aggregates (>1000 records) of personal contact details. Research data that relates to personal health of individuals or national security (e.g. interview transcripts containing identifiable individuals' senstive personal data such as drug dependence). Research data/information/IP with significant commercial value/obligations. Draft research reports of controversial and/or financially significant subjects. Non-public data relating to business activity which has potential to seriously affect commercial interests and/or University's reputation e.g. REF strategy (prior to submission). Non-public information that facilitates protection of individuals' safety or security of key functions and assets e.g. network passwords and access codes for higher risk areas. Personal data relating to identifiable living individuals such as student assessment marks or research data that identifies individuals. Other examples of personal data held by the University include: Student/alumni contact details Staff contact details such as home address, personal telephone number and next of kin Other examples of 'restricted' information include: Non-public data relating to business activity and ha potential to affect financial interest and/or reputation e.g. tender bids prior to award of contract, exam questions prior to use. Reserved committee business. Draft reports, papers and minutes. Research data/information/IP with commercial value/obligations Non-confidential internal correspondence e.g. routine administration such as meeting room and catering arrangements. Final working group papers and minutes. Internal policies and procedures
Protection required Significantly security measures, strictly controlled and limited access. Lawful collection and use for specified purpose(s) only if it constitutes sensitive personal data. Secure disposal when no longer required (for example shredding paper files and seeking advice from DD&T regarding appropriate disposal of electronic information) . Appropriate measures to prevent loss or deletion. Security measures, controlled and limited access. Lawful collection and use for specified purpose(s) only if it consitutes personal information. Secure disposal when no longer required. Appropriate measures to prevent loss or deletion. No additional protection