This guidance is for the UIS research storage services and helps you understand what data can be stored within these services, and what classifications of data the UIS research storage services can hold on the basis of the current University Guidance on Data Security Classification. Similar guidance may apply to other devices you use to store this data and appropriate protections may be necessary on those devices. You should seek out and become familiar with such guidance. It is assumed here that you are already familiar with that guidance. We have also taken into account the current UK Government Classification system in order to provide additional information and assurance for you to ascertain what data will be appropriate for storage within these Services. Both sets of Classification and Guidance are being provided because of the broad usefulness of the current UK Government Guidelines, which are in use throughout the UK public sector and which have established and considered application in the use of Public Cloud Services. It is important to note, in all levels of security classification, the principal factor in good data management is the ‘Need to Know’ principle (Information is only shared to people who need to know the information).
2. University Data Security Classifications & Guidelines
The University Guidance defines the following classifications.
Level 0: Unclassified or public information
Unclassified or public information is the largest class containing the majority of information.
Level 1: Cambridge Only
This covers information that is only available to students and staff within the Cambridge domain. It includes memoranda, minutes of meetings (not otherwise marked), and site-licensed software.
Level 2: Confidential information
This covers certain minutes of meetings, general personal information, financial information, or other information designated as confidential but which may be dealt with by any staff with delegated responsibility from the recipient (i.e. it is not, in a strict sense, information 'for your eyes only').
Level 3: Personal and strictly confidential information
This covers documents that contain highly sensitive information or personal details that are for the eyes of the recipient only where delegated authority is not appropriate.
Application to UIS Research Storage Services
The UIS research storage services includes Terms and Conditions that are compliant with UK/EU Data Protection Law and the University Statutes and Ordinances. The data centres are located in the UK and are owned by the University of Cambridge. If you require data to be held in UK/EU for compliance, the UIS research storage services can be used. The Services offered are integrated with authentication processes entirely within the control of the University of Cambridge. Staff should note that specific contractual obligations applying to aspects of their work may supersede this guidance and those obligations should be treated as exceptions. Staff should ensure they are aware of any contractual obligations and treat those as having precedence; if in doubt, staff should seek guidance from local Data Protection Officers. Hence the current policy on the use of research storage services is: subject only to the exclusions below, data under Data Classification Levels 0, 1 and 2 above CAN be stored in research storage services.
Data excluded from the above includes:
- Data classified as Level 3 above
- Patient Identifiable Data (including other identifiable data which is subject to the Clinical School’s mandatory data security policy which can be found at http://www.medschl.cam.ac.uk/research/information-governance/)
- Data that is subject to a specific contractual agreement that specifies a particular storage method (that is not research storage services).