The UNSW Data Classification Standard is a framework for assessing data sensitivity, measured by the adverse business impact a breach of the data would have upon the University. This standard for the University community has been created to help effectively manage information in daily mission-related activities.
Determining how to protect and handle information depends on a consideration of the information’s type, importance, and usage. The standards outline the minimum level of protection necessary when performing certain activities, based on the classification of the information being handled.
The classification applies to University employees (faculty, staff, student employees) and other covered individuals (e.g., affiliates, vendors, independent contractors, etc.) in their handling of University data, information and records in any form (paper, digital text, image, audio, video, microfilm, etc.) during the course of conducting University business (administrative, financial, education, research or service).
Data and system owners at UNSW are required to determine the data classification for the systems and data repositories for which they have responsibility. Such assessment should be done at least bi-annually. The data classification assessment will then determine how the UNSW Data Handling Guidelines apply to the system or data repository that has been classified. Following are the steps required to complete the data classification process for UNSW systems or data repositories. The process of data classification is governed by the UNSW Data Governance Policy or the Research Data Governance & Materials Handling Policy.
Data Classification
Implementing Data Classification
Information plays an integral role in the business of the University. Responsibility for classifying information for data protection therefore lies at the highest level of the business unit, in collaboration with The Data Governance Office. Data sensitivity is determined by the context within which the data exists.
Sensitivity cannot be determined by subject (e.g. name, phone number, etc.), record type (e.g. application form, email, etc.), or record media (e.g. electronic, paper, etc.). Sensitivity is determined by the purpose and manner in which the information is collected and used. For example, an employee’s name and work contact information is not sensitive in the context of an address book or directory. However, if this information is in the context of disciplinary action, legal action or a human rights complaint, the same information may be highly sensitive.
Data classification itself should be carried out by the business-owner and according to established business, legal, regulatory and University-specific requirements. Implementing data classification first requires an understanding of the business functions and processes in place within the organization. The business-owner is in the best position to articulate and make decisions about the business, legal and regulatory context of the data under its care. Implementing data classification requires:
- Documenting clearly the processes and activities which create and use records.
- Documenting legal, operational, policy, procedural and regulatory requirements of the business unit.
- Assessing the risks of confidentiality breaches.
- Organising information assets in ways which allow them to be managed in groups, rather than at the individual or file level.
- Establishing the appropriate classification levels for data resulting from business processes.
- Establishing policies and procedures for managing, classifying and safeguarding data. Refer to the UNSW Data Classification Standard and Data Handling Guidelines for details.
- Securing data according to established policies and procedures.
Once the business rules for managing information have been established by the business system and data repository owners, they must be communicated to Data Governance and IT so that appropriate security safeguards can be applied. Data Owners are responsible for establishing and applying security safeguards in collaboration with business system and data repository owners.
Data Classification Prerequisites
- Roles and responsibilities for classifying and handling data have been clearly articulated.
- Business processes have been identified and documented.
- Risks to confidential information have been identified.
- Policies and procedures relating to classification of data have been established and communicated.
- Minimum security safeguards have been established for different levels of security.
Steps
There are five essential activities in a successful data classification effort:
- Identify: Identify the data
- Locate: Identify where the data resides and identify who is the Data Owner
- Classify: Categorise and determine which data needs to be protected
- Handling: Determine what data handling guidelines need to be adopted for the data
- Value: Assign a value to the data
Multi-Factor Authentication for Sensitive and Highly Sensitive Data
If you are storing Sensitive or Highly Sensitive data in OneDrive, please contact the IT Service Centre to assist you in setting up multi-factor authentication to provide a more secure service.
zID Usage Guideline
This Guideline provides staff with advice to ensure that zIDs are appropriately used in accordance with the UNSW Privacy Framework and Data Governance Policy.
Section 4 of the Privacy and Personal Information Protection Act 1998 (NSW) (the “PPIP Act”) defines ‘personal information’ as: “Information or an opinion (including information or an opinion forming part of a database and whether or not in a recorded form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion”.
UNSW considers the zID to be personal information, and this data is to be classified as Private within the UNSW Data Classification scheme.
Data Classification | Description | Example Data Types |
---|---|---|
Highly Sensitive | Data that if breached owing to accidental or malicious activity would have a high impact on the University’s activities and objectives. This label describes the intended audience from a restricted UNSW organisational unit or external perspective. Dissemination is based on strict academic, research or business need. | Data subject to regulatory control; Medical; Children & Young persons; Financial information; Research Data (containing personal medical data) |
Sensitive | Data that if breached owing to accidental or malicious activity would have a medium impact on the University’s activities and objectives. This label describes the intended audience from a restricted UNSW organisational unit or external perspective. Dissemination is based on strict academic, research or business need. | Student and Staff HR data; Organisational financial data; Exam material; Exam Results; Credit Card; Research Data (containing personal data) |
Private | Data that if breached owing to accidental or malicious activity would have a low impact on the University’s activities and objectives. This label describes the intended audience from a broad UNSW organisational unit or external perspective. Dissemination is based on academic, research or business need. | Business unit process and procedure; Unpublished Intellectual property; ITC system design & configuration information |
Public | Data that if breached owing to accidental or malicious activity would have an insignificant impact on the University’s activities and objectives. This label describes the intended audience. | Faculty and staff directory information; Course catalogues; Published research data |
Step | Details |
---|---|
Identify Data Owners | Responsibility for ensuring that Information or Data Assets have a security classification is authorised by the Data Owner. Information Assets should be classified by the Information System Owner at the earliest possible opportunity according to the sensitivity of the Information Asset. In the case of Information Assets externally generated, and not otherwise classified, the University officer who receives the Information Asset should approach the Information System Owner to classify the Information Asset and guide its control within the University. |
Identify Information Assets | Identify the Information Asset and review the Data Governance Policy, Data Classification Standard and Preliminary Data Classification before commencing the data classification process. |
Assess data vulnerabilities/risks | Perform a risk assessment and consider the vulnerabilities that are attributed to each Information Asset (refer to Data Classification Standard). Relevant data security issues for the Data Owner to consider might include: |
Apply data classification to Information Asset | The highest security classification level determined by the impact assessment must be applied to that Information Asset. Unlike a risk assessment, data security classification is determined by the perceived level of impact to the organisation or individual (refer to Data Classification Standard). |
Apply controls | Listed below are details of controls which should be applied to ensure that appropriate protection is given to the Information Asset. |
Audit logs | To maintain confidentiality and integrity of classified Information Assets, a strict audit logging process is to form part of the Information Asset Register. This audit log must be carefully designed to ensure it is capable of providing a 'trail of evidence' which can be used to investigate inappropriate or illegal access. Audit log access controls must be in place, with explicit user authentication needed to view the audit log database. |
Disposal of Information Assets | To ensure security and confidentiality, the disposal of Information Assets in any form must follow the UNSW Records and Archives Office disposal guidelines. |
Data owners can use the table below as an initial classification of data that may be in use within their data area. Data types that have classifications mandated (due to applicable laws, regulations or contracts) and those that are in common use throughout the University are included. Data owners must add any other data types used in the data area or system undergoing data classification.
Data type | Description | Preliminary Classification | Justification |
---|---|---|---|
Student data | Personally identifying information about students, including items such as Tax File Number (TFN), and contact information, courses and programs | Sensitive | Privacy Act 1988 (Cth) |
Staff data | Personally identifying information about students, including items such as Tax File Number (TFN), and contact information, bank account details | Sensitive | Privacy Act 1988 (Cth) |
Patient data | Personally identifying information about patients, any medical treatments and results | Highly sensitive | Privacy Act 1988 (Cth); Privacy and Personal Information Protection Act 1998 (NSW) |
Financial data | Personal financial information including bank account details, credit card numbers, Tax File Numbers (TFNs), superannuation account numbers. | Sensitive | |
The following questionnaire is a guideline only. It is intended to provide an overview of the kind of questions that ought to be considered during the process of data classification. It is not intended to provide an exhaustive list of the questions that one could possibly ask about your data and its classification.
Question | Yes | Notes |
---|---|---|
1. Does the data contain Personally Identifying Information about staff, students, alumni, or 3rd parties? (e.g. how someone is performing) | Then your data is at least classified as SENSITIVE | |
2. Does the data contain financial information such as credit card or Tax File numbers? | Then your data is at least classified as SENSITIVE | |
3. Does the data contain information about persons under 18 years of age? | Then your data is at least classified as SENSITIVE | |
4. Does the data contain information about aboriginality or similar? | Then your data is at least classified as SENSITIVE | |
5. Does the data contain information about patient treatment records or medical information? | Then your data is at least classified as HIGHLY SENSITIVE | |
6. Does the data contain information about individually identified research subjects? | Then your data is at least classified as SENSITIVE | |
7. Does the data contain information about UNSW systems or security? | Then your data is at least classified as SENSITIVE | |
8. Does the data contain information about commercial in confidence dealings? (e.g. industry partners or collaborators, other institutions) | Then your data is at least classified as PRIVATE | |
9. Does the data contain information about intellectual property or contractual obligations regarding confidentiality? | Then your data is at least classified as PRIVATE | |
10. Does the data contain information about export-controlled data? (e.g. crypto research) | Then your data is at least classified as PRIVATE | |
The Data Classification decision tree and data types example sheet will help data and system owners at UNSW who are required to determine the data classification for the systems and data repositories for which they have responsibility.