Information handling guidance

Guidance to help you keep information safe, such as deciding its sensitivity, or classification, as well as how you label, share, store, and destroy it.

Keeping Information Safe at Bath

It has never been more important to make sure we keep our information safe while working at the University: students, regulators, and research partners have all increased their expectations, and our University relies on each one of us understanding how we can help to keep us secure.

This guidance is intended to help us protect information by making sure it is given an appropriate classification, indicated by the correct label, and handled in a secure manner – including when it is transferred, stored, or deleted.

Who this guidance is for and the types of information it applies to

This document is for the use of all staff who use University information in any way.

The guidance should be applied to all types of documents that are created to be shared.

The 5 key areas to consider for information handling

The 5 key areas to consider: classifying, labelling, transferring, storing, secure destruction
  1. Classifying – understand the importance of the information and the risks
  2. Labelling – make sure the classification is communicated
  3. Transferring – handle information according to the risk classification
  4. Storing – store information according to the risk classification
  5. Secure destruction – make sure information is securely deleted

1. Classifying

Classifying – understand the importance of the information and the risks

Obviously there is a huge amount of diverse information in use in the University, which can be sorted into many different types – from research data shared under non-disclosure agreements, through financial details or personal HR information, to administrative passwords designed to protect access to our systems.

The key to classification is understanding the risk: the impact to the University if the information was compromised.

University information has three classes, detailed within the Information Classification, Labelling and Handling Policy:

  • Confidential - disclosure has a significant negative impact on operations or business objectives, or might put the future success of the University in jeopardy.
  • Internal - disclosure could cause some reputational damage, or a more serious short-term negative impact.
  • Public - disclosure will cause no harm.

Classification is to be used across the University.

The classification scheme used within the University may differ from the schemes used by other partner organizations, even if the names for levels are similar. When this happens, information sharing agreements with such organizations should identify how the different classifications will be interpreted: usually, correspondence between different schemes can be determined by looking for equivalence in the associated handling and protection methods.

Note that information may change its sensitivity over time – for example, embargoed information will have reduced confidentiality requirements once the embargo has passed.

Information classification and Freedom of Information (FOI) requests

Regardless of its classification level, all recorded information held by the University in any format may be requested and disclosed under the Freedom of Information Act (FOIA) and the Environmental Information Regulations (EIR), with only limited legal exemptions under which it can be withheld.

Visit Dealing with Freedom of Information (FOI) Requests for full guidance and advice.

2. Labelling

Labelling – make sure the classification is communicated

Information labelling supports the correct, risk-managed handling of information, and may also enable automation of information processing and management.

All documents to be shared should be classified. Working documents should always be handled appropriately (i.e. kept secure if they contain confidential information). Some systems may apply labels automatically, or rely on handling controls embedded within their processes, such as secure access and limited sharing.

Public documents do not require any label but may be labelled for clarity. Note that, as a result, any document without a label is treated as Public. Items such as wall posters should be public in nature – and therefore do not require labelling.

Those which are Internal or Confidential should be marked with the appropriate label.

  • This will usually be located in the footer of a Word document, or in the lower right of each slide of a PowerPoint document, including any title page.
  • For spreadsheets, the classification label should be placed close to the top left cell (A1) and repeated in each workbook.
  • Examples of labelling techniques include physical labels, headers and footers, watermarking, and physical stamps. New functionality to allow you to apply classification labels to your Microsoft files (Microsoft guidance) is also coming soon.
  • Exceptions: there may be cases where information cannot be labelled, as a result of its storage format or other technical restrictions. These will be handled on an exception basis with advice from the Information Security team.

Information users must be made aware of labelling procedures, and necessary training provided to ensure that information is correctly labelled and handled accordingly.

Output from systems containing information that is classified as being sensitive or critical should carry an appropriate classification label.

3. Transferring

Transferring – handle information according to the risk classification

Classification determines the appropriate methods of handling and protection. As a result, guidance may differ for each of the three classifications. How information is transferred (or handled or shared) is determined by the label on the information.

The guidance for handling information is as follows:

  1. Public – no handling security required.
  2. Internal – avoid sharing internal information with anyone outside the University. If this is a requirement, obtain prior assurances that the information will not be shared onward, and will be stored securely. For regular exchanges of internal information, a data sharing or non-disclosure agreement (NDA) is recommended.
  3. Confidential – transfer of confidential information should always be covered by an NDA. Such information transfer should also use additional security measures – such as ensuring the information is clearly labelled as ‘confidential’ and, if transferred electronically, uses password protection, encryption or similar electronic controls.

Note this guidance applies equally to verbal sharing of information.

Transfer by electronic means should take advantage of the available settings that allow for encryption, password protection or labelling of emails. More comprehensive features exist within the M365 environment which can prevent onward sharing, copying, or relabelling at a lower classification.

More detailed rules on information transfer and suitable procedures and agreements may be developed by individual departments to meet local needs, reflecting diverse types of transfers inside and outside of the University.

All rules should reflect the classification of the information involved.

Where information is transferred between the University and third parties, transfer agreements (including recipient authentication) should be established and maintained to protect information in all forms in transit.

4. Storing

Storing – store information according to the risk classification

Information needs to be stored appropriately, depending on classification. Access to confidential information should always be controlled, with limited distribution to known recipients. Internal information should not normally be accessible to those outside the University.

Departments need to establish where and how they wish to store information appropriately. For electronic documents this will be in folders within your University file storage options, with access controlled appropriately.

This can be done using secure folders whose access is limited by user, or documents that are protected (e.g. by passwords). Access restrictions should support the protection of documents.

For physical documents, the use of locking cabinets or drawers may be required. Where possible, records should be kept of who has access, and when it is used.

Temporary or permanent copies of information should be treated with the same level of protection as the original information.

Storage media should be clearly labelled.

Extra care should also be taken when a collaborative working environment is used.

Owners of information that is internal or confidential should regularly review access and update as appropriate – for example if members of the team who previously required access move roles in the University.

See how to review the visibility of your online Microsoft files and content so you can regularly run a report and amend your sharing permissions if needed.

5. Destruction

Secure destruction – make sure information is securely deleted

Authorization of disposal of information (and associated assets) should be agreed for all classes of information.

The use of partner information should be agreed, and an approved destruction process documented in any data agreements.

Deletion of confidential information should be controlled and documented.

Visit the Confidential waste paper disposal page to view information about how to safely dispose of confidential paper records.