Standard: Information and Data Classification
Purpose
The purpose of this standard is to operationalise the Data Governance Policy and Procedure through a framework for assessing information and data sensitivity, measured by the adverse business impact a breach of the information or data would have upon the University.
Definitions
A complete list of definitions relevant to this standard is contained within the Data Governance Policy and Procedure.
Standard
- All information and data, whether created or collected, is allocated a classification so that it is managed, used and secured in a manner appropriate to its importance and sensitivity.
- To ensure appropriate protection throughout its lifecycle, Data Domain Stewards are accountable for ensuring all information and data, within their data domain, is protected and classified when it is created, saved or completed, commensurate with its sensitivity and value.
- Data Domain Stewards are responsible for setting the information and data classification scheme for their data domain at the lowest reasonable level in accordance with the classification table below:
Classification | Description | Potential Impact |
Public | Information or data available and intended for public consumption. Examples include: | Negligible adverse impact to the University if disclosed |
Internal | Dissemination of this information or data would only be based on academic, research or business need but would have a broad internal audience. Examples include: | May cause minor/low impact on the reputation of the University, other organisation or an individual if disclosed |
Sensitive | Dissemination of this information or data would only be based on strict academic, research or business need and would have a limited audience. Examples include: | Would cause medium impact to the University, staff or students if disclosed |
Highly Sensitive | Information that, if disclosed without authorisation, could cause a severe degradation of core organisational capability or which is restricted under the Privacy Act 1988, is legally privileged or subject to other restricted legislation (for example, the Defence Trade Controls Act). Dissemination of this information or data would only be based on very strict academic, research or business need and would have a limited audience. Examples include: | Would cause a high impact (significant risks or liabilities) to the University, staff or students if disclosed. |
- Custodians are responsible for applying required and suggested safeguards to protect information and data in accordance with its classification.
- Producers and users are responsible for complying with this standard and the Data Governance Policy.
- Each information and data classification requires different handling procedures that provide appropriate levels of protective security.
- Sensitive and Highly Sensitive information and data require special handling, especially during electronic transmission and physical transfer.
- Data Domain Stewards, custodians, producers, and users need to ensure authorised access to information and data of different classifications is appropriately managed.
- For further information regarding information and data management and security, refer to Information technology security policy and Acceptable use of information technology policy.
- Access may be given under relevant legislation such as Privacy, Archives, Freedom of Information, including restrictions as required under those Acts.
Information |
Title | Information and data classification |
Document Type | Standard |
Document Number | ANUP_6750451 |
Version | |
Purpose | To operationalise the data governance policy and procedure through a framework of the University for assessing information and its sensitivity. |
Audience | Staff, Students |
Category | Administrative |
Topic/ SubTopic | Governance & Structure |
Effective Date | 28 Oct 2022 |
Next Review Date | 28 Oct 2027 |
Responsible Officer: | University Librarian and Director, Scholarly Information Services |
Approved By: | Vice-Chancellor |
Contact Area | Library, Archives and University Records |
Authority: | Australian National University Act 1991; Archives Act 1983; Crimes Act 1914 (Cth); Higher Education Support Act 2003; Electronic Transactions Act 1999; Education Services for Overseas Students Act 2000; Evidence Act 1995; Telecommunications Act 1997 |
Delegations | 0 |