The University defines 4 levels for classifying data based on the impact that compromise of this data would have.
The following explanations include possible examples of data at each level of classification, but this is only written as a guide. It is recommended that you check the impact level of your data using the University and ISRA impact table before deciding on its classification. Ultimately the data owner decides the data security classification.
You can find out how to classify and store your data.
Very High Impact (Level 3)
Data of the type where:
- a data sharing agreement requires storage on an ISO 27001 platform
- the data requires security equivalent to that of NHS data
- other examples of very high impact data could be:
  - highly restricted unpublished research data
  - unpublished research with highly valuable intellectual property
  - data under contract or restrictions given by the Ministry of Defence
See the recommended storage options for very high impact, level 3 data
High Impact (Level 2 or Level 3)
Data of the type where:
- there is a pressing requirement to limit who has access to it
- there is a need to define who is on the access list specifically
- there is a need to ensure that the access list is complete (that is, it is known for certain there aren't other people who can see it by nature of their jobs – for example, HR or systems administrators).
- examples could be:
  - special category data under UK GDPR. You can read the full definition of special category data on the Information Commissioner's Office website.
  - confidential personal data not captured within the legal definition of special category data. For example, disciplinary data, copies of passports and information related to the Prevent duty.
  - confidential and highly sensitive information of a non-personal nature that is held in pursuit of University business. For example, commercially sensitive information, most financial data, grant costing forms, unpublished research data or results with the potential for commercialisation.
  - examination questions and unpublished examination marks
  - legally privileged information
  - most reserved business meeting notes, minutes, documents and papers
See the recommended storage options for high impact, level 2 or level 3 data
Medium Impact (Level 2)
Data of the type where restricted access is required, but it is acceptable for systems administrators and super users to also have access to it. Examples could be:
- personal data (not defined as special category data) as defined in UK GDPR, including any keys to pseudonymised datasets derived from personal data
- most unreserved business meeting notes, minutes, documents, and papers
- information of a non-personal nature that is held in pursuit of University business. For example, contract negotiations and documentation, unpublished research results, and also some teaching materials even if recorded for student use.
- information relating to activities subject to the provisions of the Animals (Scientific Procedures) Act 1986 other than under section 24 of that Act
See the recommended storage options for medium impact, level 2 data
Low Impact (Level 1)
Data of the type that is necessary but low impact if it was disclosed, modified, lost or destroyed. This is usually everyday working data that is not quite 'public'. This includes some degree of personal data that is required for people to do their work in the University. Examples could be:
- a photoboard of personnel in a building, with their job titles
- a telephone list of staff in a department
- a lecture list, with lecturer names and rooms for students in a certain tripos
- some minutes of meetings, some memoranda, some site-licensed software
- some publications and websites prior to publication
- teaching materials recorded for student use
- anonymised data and pseudonymised personal data separated from its 'key' (that would enable the re-identification of the individuals), unless this data is more valuable. For example, unpublished research results which could result in valuable intellectual property.
See the recommended storage options for low impact, level 1 data
Negligible Impact (Level 0)
All data that would have negligible impact to the University should it be disclosed, modified, lost or destroyed. For example:
- publicly accessible data, e.g. data sources downloaded from the internet
- general working files, whether old or not, but containing no personal data or anything in the levels above
You should consider deleting this data, or at least archiving it.
Further information
Information Security Risk Assessment
Information classification tables