Why information classification is important
All our information, across the University, needs to be given an appropriate level of protection.
This level depends on the risk associated with improper use of that information: the greater the impact of a compromise, the higher the level of classification required.
All information held on behalf of the University, its partners and stakeholders is subject to classification.
Who decides the level of classification
All information held is required to be classified: this is usually the responsibility of the operational function that needs it, processes it, and handles it.
This ‘information owner’ is responsible for choosing what level of classification is assigned to their information.
Where multiple functions require access to information, it may be appropriate to agree classifications based on wider processing and access requirements.
Types of classification at the University
To ensure we are aware of the level of protection that information requires, and how to handle it appropriately, all University of Bath information is assigned to one of three classifications.
The classification is based on the degree of harm that would arise to the University, its partners and stakeholders, should the information be inadvertently disclosed.
The classifications at the University are:
- Public: disclosure causes no harm to the University. This information may be shared without additional safeguards.
- Internal: disclosure may cause some short-term harm to the University. This information may not be shared outside the University without appropriate additional safeguards.
- Confidential: disclosure may cause significant or long-term harm to the University. This information may not be shared beyond a restricted (documented/agreed) circulation.