The University defines four levels for classifying data based on the impact that compromise of this data would have. The following explanations are in response to queries based on personal data. For fuller information see the Information Classification Tables link below.
Level 3: High or Very High Impact
Data of the type where:
- there is a pressing requirement to limit who has access to it
- there is need to define who is on the access list specifically
- there is a need to ensure that the above list is complete (that is, it is known for certain there aren't other people who can see it by nature of their jobs – for example, HR or systems administrators).
Level 2: Medium Impact
Data of the type where restricted access is required, but it is acceptable for systems administrators and super users to also have access to it.
Level 1: Low Impact
Data of the type that is not quite 'public' or publicised data, perhaps because it includes some degree of personal data, but required for people to do their work in the University, for example:
- a photoboard of personnel in a building, with their job titles
- a telephone list of staff in a department
- a lecture list, with lecturer names and rooms for students in a certain tripos.
Level 0: Negligible Impact
All data that doesn't fall into one of the classifications above.
Ultimately, the data owner decides the data security classification
Once that decision is made, the appropriate storage can be determined, along with the access controls (that is: who has access and how granular that access is).
Further information