You need to understand the impact associated with your data being lost, disclosed or corrupted before you can decide where best to store it. We have tools that can help you to classify your data and make an informed choice.
Who should classify data
The person who owns or is the custodian of the data on behalf of the University is responsible for classifying it. If a committee is the data owner, then a member of the committee should be the designated data owner.
It wouldn’t be appropriate for someone else – including UIS – to classify your data because you understand its value the best.
How to classify your data
We have two tools that can help you classify your data. You can either:
- use the risk assessment and classification form we provide as part of the Information Security Risk Assessment (ISRA)
- find the appropriate impact rating and classification level from our impact tables.
Additional steps for personal data
If your dataset includes personal data – including, special category personal data you should also consider performing a Data Protection Impact Assessment (DPIA). This will help you to understand the impact on the data subject themselves, whereas the ISRA focuses on the impact on you and the University.
How to choose the best storage for your data
Once you have classified your dataset, you can use our guidance for handling data to help you decide where to store it.
We have guidance for each classification level: