Keeping Information Safe at Bath
It has never been more important to make sure we keep our information safe while working at the University: students, regulators, and research partners have all increased their expectations, and our University relies on each one of us understanding how we can help to keep us secure.
The 5 key areas
This guidance is intended to help us keep information safe by making sure it is appropriately handled and protected by:
- applying an appropriate classification
- adding the correct label
- managing how it's stored
- managing how it's transferred or shared
- managing how it's destroyed
The guidance is for the use of all staff who use University information in any way, and should be applied to all types of documents that are created to be shared.
1. Classifying
The University creates and uses a wide range of information that could be sorted into many different types: for example, research data, financial details, or personal HR information.
When classifying information, the key is to consider the impact (or harm) to the University if that information were compromised. Thinking about information in this way lets us take a risk-based approach to how much protection each type needs.
Classes of Information at Bath
University information has three classes (Confidential, Internal, or Public), as detailed within the Information Classification, Labelling and Handling Policy. Classification should be used across the University for all information that is created to be shared, including for information within shared document stores.
Classification will come down to your individual judgement, but a general rule of thumb is summarised in the table below.
| Classification | Impact/harm to the University if disclosed | Circulation |
|---|---|---|
| Confidential | Would have a significant impact on Bath’s operations or success | If the information should only be shared with a limited group of recipients, it’s Confidential |
| Internal | Could cause short-term impact | If the information should be kept inside the University, it’s Internal |
| Public | No harm | Everything else is Public |
Note that the classification of information may change over time. For example, embargoed information needs less protection once the embargo is lifted, so its classification should be reviewed at that point.
Classification schemes and partner organisations
The classification scheme used within the University may differ from the schemes used by partner organisations, even when the names of the levels are similar.
When this happens, the information sharing agreement with the organisation should set out how the two schemes map onto each other. The correspondence between schemes can usually be determined by matching levels that require equivalent handling and protection methods, rather than by matching level names.
Information classification and Freedom of Information (FOI) requests
Regardless of its classification, all recorded information held by the University in any format may be requested and disclosed under the Freedom of Information Act (FOIA) and the Environmental Information Regulations (EIR); only a limited set of legal exemptions allow information to be withheld. Marking a document Confidential does not in itself exempt it from disclosure.
Visit Dealing with Freedom of Information (FOI) Requests for full guidance and advice.
2. Labelling
It's important that you communicate the classification of your information by adding a label. This supports the correct, risk-managed handling of information, and may provide opportunities to automate our information processing and management.
What needs to be labelled and how
Information which is Internal or Confidential should be marked with the appropriate label.
Output from systems containing information that is classified as being sensitive or critical should carry an appropriate classification label.
Public documents do not require a label but may be labelled for clarity. Any document without a label is therefore treated as Public, which is why Internal and Confidential information must always be labelled. Items such as wall posters should be public in nature and therefore do not require labelling.
The classification label will usually be located in:
- the footer of a Word document
- the lower right of each PowerPoint slide, including the title slide
- in or near the top-left cell (A1) of a spreadsheet, repeated on every sheet
Labelling techniques include:
- using M365 functionality to add labels to your Microsoft files
- physical labels
- headers and footers
- watermarking
- physical stamps
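The guidance above names where a visible label should sit (Word footer, cell A1 of every sheet) and notes that labels create opportunities for automation. The following is an added example, not part of the University guidance or any University tool: a standard-library-only Python checker that opens a .docx or .xlsx (both are zip files of XML parts), looks for a classification word in those locations, and also reads the `MSIP_Label_<guid>_Name` custom property that Microsoft 365 sensitivity labels write to `docProps/custom.xml`. A file with no label anywhere is reported as Public, which is exactly the case worth flagging for review. The sample documents are constructed in the script (minimal parts only, not real Office output) and the label GUID used in them is a placeholder.

```python
"""Check Office Open XML files (.docx/.xlsx) for a classification label.

Added example: looks in the Word footer parts, cell A1 of every worksheet,
and the MSIP_Label_<guid>_Name custom property that M365 sensitivity
labels store in docProps/custom.xml. Standard library only.
"""
import io
import re
import zipfile
from typing import Optional

LABELS = ("Confidential", "Internal", "Public")
# Text runs: <w:t> in Word parts, <t> in Excel parts.
_TEXT = re.compile(r"<(?:w:)?t(?:\s[^>]*)?>([^<]*)</(?:w:)?t>")
# M365 sensitivity label name as stored in docProps/custom.xml.
_MSIP = re.compile(
    r'name="MSIP_Label_[0-9a-fA-F-]+_Name"[^>]*>\s*<vt:lpwstr>([^<]*)</vt:lpwstr>'
)


def _find_label(text: str) -> Optional[str]:
    """Return the first classification word found as a whole word (case-insensitive)."""
    for label in LABELS:
        if re.search(rf"\b{label}\b", text, re.IGNORECASE):
            return label
    return None


def _cell_a1_text(zf: zipfile.ZipFile, sheet_part: str) -> str:
    """Text of cell A1, resolving shared strings (t="s") and inline strings."""
    xml = zf.read(sheet_part).decode("utf-8")
    m = re.search(r'<c r="A1"([^>]*)>(.*?)</c>', xml, re.DOTALL)
    if not m:
        return ""  # empty or self-closed cell: no label present
    attrs, body = m.groups()
    if 't="s"' in attrs:  # <v> is an index into xl/sharedStrings.xml
        idx = int(re.search(r"<v>(\d+)</v>", body).group(1))
        sst = zf.read("xl/sharedStrings.xml").decode("utf-8")
        items = re.findall(r"<si>(.*?)</si>", sst, re.DOTALL)
        return " ".join(_TEXT.findall(items[idx]))
    return " ".join(_TEXT.findall(body))


def classify_file(data: bytes) -> dict:
    """Report the M365 label, the visible label, sheets lacking an A1 label,
    and the effective classification (unlabelled files count as Public)."""
    result = {"msip": None, "visible": None, "sheets_missing": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "docProps/custom.xml" in names:
            m = _MSIP.search(zf.read("docProps/custom.xml").decode("utf-8"))
            if m:
                result["msip"] = m.group(1)
        footers = [n for n in names if re.fullmatch(r"word/footer\d*\.xml", n)]
        if footers:
            text = " ".join(" ".join(_TEXT.findall(zf.read(n).decode("utf-8"))) for n in footers)
            result["visible"] = _find_label(text)
        for sheet in sorted(n for n in names if re.fullmatch(r"xl/worksheets/sheet\d+\.xml", n)):
            lbl = _find_label(_cell_a1_text(zf, sheet))
            if lbl is None:
                result["sheets_missing"].append(sheet)  # guidance: label every sheet
            elif result["visible"] is None:
                result["visible"] = lbl
    result["effective"] = result["msip"] or result["visible"] or "Public"
    return result


def _zip(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


def sample_docx(footer_text: str, msip: Optional[str] = None) -> bytes:
    """Constructed minimal .docx containing only the parts the checker reads."""
    parts = {
        "word/document.xml": "<w:document><w:body><w:p><w:r><w:t>Budget</w:t></w:r></w:p></w:body></w:document>",
        "word/footer1.xml": f"<w:ftr><w:p><w:r><w:t>{footer_text}</w:t></w:r></w:p></w:ftr>",
    }
    if msip:  # placeholder GUID, not a real tenant label id
        parts["docProps/custom.xml"] = (
            '<Properties><property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" '
            f'name="MSIP_Label_00000000-0000-0000-0000-000000000000_Name"><vt:lpwstr>{msip}'
            "</vt:lpwstr></property></Properties>"
        )
    return _zip(parts)


def sample_xlsx(a1_sheet1: str, a1_sheet2: str) -> bytes:
    """Constructed minimal .xlsx: sheet1 uses a shared string, sheet2 an inline string."""
    return _zip({
        "xl/sharedStrings.xml": f"<sst><si><t>{a1_sheet1}</t></si></sst>",
        "xl/worksheets/sheet1.xml": '<worksheet><sheetData><row r="1"><c r="A1" t="s"><v>0</v></c></row></sheetData></worksheet>',
        "xl/worksheets/sheet2.xml": f'<worksheet><sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>{a1_sheet2}</t></is></c></row></sheetData></worksheet>',
    })


if __name__ == "__main__":
    print(classify_file(sample_docx("Classification: Confidential")))
    print(classify_file(sample_xlsx("Confidential", "Totals")))  # sheet2 unlabelled
```

The check is deliberately conservative: a whole-word match on one of the three class names, so a footer reading "Page 1 of 3" yields Public. Real Office files carry many more parts than the constructed samples, but the checker only reads the parts named above, so it works unchanged on them.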
Exceptions: there may be cases where information cannot be labelled, for example because of its storage format or other technical restrictions. These are handled on an exception basis with advice from the Information Security team.
Information users must be made aware of labelling procedures, and necessary training provided to ensure that information is correctly labelled and handled accordingly. Staff can view or re-visit the bite-sized Keeping Information Safe recordings via the MetaCompliance platform.
3. Storing
Information security depends on the protections you put in place. Keeping information safe when storing it therefore depends on how it is stored rather than where, and the protections required are determined by the classification.
Access to confidential information should always be controlled, with limited distribution to known recipients. Internal information should not normally be accessible to those outside the University.
Departments need to establish where and how they store information appropriately. For electronic documents this means folders within your University file storage options, with access controlled appropriately. IT security best practice also includes maintaining a clear desk and locking your device whenever you step away from it: if you leave your device unlocked, anyone could use your account to access our systems and information.
Owners of information that is internal or confidential should regularly review access and update as appropriate – for example if members of the team who previously required access move roles in the University. You can easily run a Sharing report to review the visibility of your online Microsoft files and content.
| | Public | Internal | Confidential |
|---|---|---|---|
| Guidance | | | |
| Consider | | | |
4. Transferring
How information may be transferred (or shared) is determined by the classification label on the information, because the classification determines the appropriate methods of handling and protection.
As a result, the guidance, which applies equally to sharing information verbally, may differ for each of the three classifications.
The table below summarises guidance and considerations to keep information safe when sharing.
More detailed rules on information transfer and suitable procedures and agreements may be developed by individual departments to meet local needs, reflecting diverse types of transfers inside and outside of the University. All rules should reflect the classification of the information involved.
| | Public | Internal | Confidential |
|---|---|---|---|
| Guidance | | | |
| Consider | | | |
5. Destruction
Authorisation for the disposal of information (and the assets that hold it) should be agreed for all classes of information. You should also review what you retain to ensure compliance with data protection law (DPA).
As with the other stages, the approach to securely destroying information is determined by its classification.
| | Public | Internal | Confidential |
|---|---|---|---|
| Guidance | | | |
| Consider | | | |