Data Classification Standard

The UNSW Data Classification Standard is a framework for assessing data sensitivity, measured by the adverse business impact a breach of the data would have upon the University. This standard for the University community has been created to help effectively manage information in daily mission-related activities. 

Determining how to protect and handle information depends on a consideration of the information’s type, importance, and usage. The standards outline the minimum level of protection necessary when performing certain activities, based on the classification of the information being handled.

The classification applies to University employees (faculty, staff, student employees) and other covered individuals (e.g., affiliates, vendors, independent contractors, etc.) in their handling of University data, information and records in any form (paper, digital text, image, audio, video, microfilm, etc.) during the course of conducting University business (administrative, financial, education, research or service).

Data and system owners at UNSW are required to determine the data classification for the systems and data repositories for which they have responsibility. Such assessment should be done at least bi-annually. The data classification assessment will then determine how the UNSW Data Handling Guidelines apply to the system or data repository that has been classified. Following are the steps required to complete the data classification process for UNSW systems or data repositories. The process of data classification is governed by the UNSW Data Governance Policy and Data Classification Standard.

Implementing Data Classification

Information plays an integral role in the business of the University. Responsibility for classifying information for data protection therefore lies at the highest level of the business unit, in collaboration with the Data Governance Office. Data sensitivity is determined by the context within which the data exists.

Sensitivity cannot be determined by subject (e.g. name, phone number, etc.), record type (e.g. application form, email, etc.), or record media (e.g. electronic, paper, etc.). Sensitivity is determined by the purpose and manner in which the information is collected and used. For example, an employee’s name and work contact information is not sensitive in the context of an address book or directory. However, if this information is in the context of disciplinary action, legal action or a human rights complaint, the same information may be highly sensitive.

Data classification itself should be carried out by the business-owner and according to established business, legal, regulatory and University-specific requirements. Implementing data classification first requires an understanding of the business functions and processes in place within the organization. The business-owner is in the best position to articulate and make decisions about the business, legal and regulatory context of the data under its care. Implementing data classification requires:

  • Documenting clearly the processes and activities which create and use records.
  • Documenting legal, operational, policy, procedural and regulatory requirements of the business unit.
  • Assessing the risks of confidentiality breaches.
  • Organising information assets in ways which allow them to be managed in groups, rather than at the individual or file level.
  • Establishing the appropriate classification levels for data resulting from business processes.
  • Establishing policies and procedures for managing, classifying and safeguarding data. Refer to the UNSW Data Classification Standard and Data Handling Guidelines for details.
  • Securing data according to established policies and procedures. Once the business rules for managing information have been established by the business system and data repository owners, they must be communicated to Data Governance and IT so that appropriate security safeguards can be applied. Data Owners are responsible for establishing and applying security safeguards in collaboration with business system and data repository owners.

Data Classification Prerequisites

  • Roles and responsibilities for classifying and handling data have been clearly articulated.
  • Business processes have been identified and documented.
  • Risks to confidential information have been identified.
  • Policies and procedures relating to classification of data have been established and communicated.
  • Minimum security safeguards have been established for different levels of security.

Steps

There are five essential activities in a successful data classification effort:

  1. Identify: Identify the data
  2. Locate: Identify where the data resides and identify who is the Data Owner
  3. Classify: Categorise and determine which data needs to be protected 
  4. Handling: Determine what data handling guidelines need to be adopted for the data
  5. Value: Assign a value to the data

Multi-Factor Authentication for Sensitive and Highly Sensitive Data

If you are storing Sensitive or Highly Sensitive data in OneDrive, please contact the IT Service Centre to assist you in setting up multi-factor authentication to provide a more secure service.

| Data Classification | Description | Example Data Types |
|---|---|---|
| Highly Sensitive | Data that if breached owing to accidental or malicious activity would have a high impact on the University’s activities and objectives. This label describes the intended audience from a restricted UNSW organisational unit or external perspective. Dissemination is based on strict academic, research or business need. | Data subject to regulatory control; Medical; Children & Young persons; Financial information; Research Data (containing personal medical data) |
| Sensitive | Data that if breached owing to accidental or malicious activity would have a medium impact on the University’s activities and objectives. This label describes the intended audience from a restricted UNSW organisational unit or external perspective. Dissemination is based on strict academic, research or business need. | Student and Staff HR data; Organisational financial data; Exam material; Exam Results; Credit Card; Research Data (containing personal data) |
| Private | Data that if breached owing to accidental or malicious activity would have a low impact on the University’s activities and objectives. This label describes the intended audience from a broad UNSW organisational unit or external perspective. Dissemination is based on academic, research or business need. | Business unit process and procedure; Unpublished Intellectual property; ITC system design & configuration information |
| Public | Data that if breached owing to accidental or malicious activity would have an insignificant impact on the University’s activities and objectives. This label describes the intended audience. | Faculty and staff directory information; Course catalogues; Published research data |

Step Details

Identify Data Owners

Responsibility for ensuring that Information or Data Assets have a security classification is authorised by the Data Owner. Information Assets should be classified by the Information System Owner at the earliest possible opportunity according to the sensitivity of the Information Asset. In the case of Information Assets externally generated, and not otherwise classified, the University officer who receives the Information Asset should approach the Information System Owner to classify the Information Asset and guide its control within the University.

Identify Information Assets

Identify the Information Asset and review the Data Governance Policy, Data Classification Standard and Preliminary Data Classification before commencing the data classification process.

Assess data vulnerabilities/risks

Perform a risk assessment and consider the vulnerabilities that are attributed to each Information Asset (refer to Data Classification Standard).

Relevant data security issues for the Data Owner to consider might include:

  • data control
  • data encryption
  • blending of data with other customer data
  • business process if a security breach does occur or if data is damaged or destroyed
  • data backup frequency/conventions/standards/accessibility
  • availability of an audit trail to demonstrate that University data is reliable.

Apply data classification to Information Asset

The highest security classification level determined by the impact assessment must be applied to that Information Asset. Unlike a risk assessment, data security classification is determined by the perceived level of impact to the organisation or individual (refer to Data Classification Standard).

Apply controls

Listed below are details of controls which should be applied to ensure that appropriate protection is given to the Information Asset.

  • The need-to-know principle requires that Information Assets should only be available to those who need to use or access the Information Asset to do their work.
  • A clear desk policy requires that classified Information Assets are secured and that unauthorised Users are not able to access any electronic material, System or network to which the User had been connected.
  • Where the University is required to handle private, sensitive or highly sensitive classified (or equivalent external organisation data classification) Information Assets from external organisations, the Information Assets must be treated in the following ways:
    • Retain the data classification as forwarded.
    • Manage the Information Assets according to the Confidentiality Agreement between the organisations. The originator of the data transfer is responsible for ensuring that its Information Assets will be properly protected.
    • For each classification, several data handling requirements are defined to appropriately safeguard the Information. The Data Handling Guideline defines the required safeguards for protecting data and information collections based on their classification.

Audit logs

To maintain confidentiality and integrity of classified Information Assets, a strict audit logging process is to form part of the Information Asset Register. This audit log must be carefully designed to ensure it is capable of providing a 'trail of evidence' which can be used to investigate inappropriate or illegal access. Audit log access controls must be in place, with explicit user authentication needed to view the audit log database.

Disposal of Information Assets

To ensure security and confidentiality, the disposal of Information Assets in any form must follow the UNSW Records and Archives Office disposal guidelines.

Data owners can use the table below as an initial classification of data that may be in use within their data area. Data types that have classifications mandated (due to applicable laws, regulations or contracts) and those that are in common use throughout the University are included. Data owners must add any other data types used in the data area or system undergoing data classification.

 

| Data type | Description | Preliminary Classification | Justification |
|---|---|---|---|
| Student data | Personally identifying information about students, including items such as Tax File Number (TFN), and contact information, courses and programs | Sensitive | Privacy Act 1988 (Cth); Privacy and Personal Information Protection Act 1998 (NSW) |
| Staff data | Personally identifying information about students, including items such as Tax File Number (TFN), and contact information, bank account details | Sensitive | Privacy Act 1988 (Cth); Privacy and Personal Information Protection Act 1998 (NSW) |
| Patient data | Personally identifying information about patients, any medical treatments and results | Highly sensitive | Privacy Act 1988 (Cth); Privacy and Personal Information Protection Act 1998 (NSW); Health Records and Information Privacy Act 2002 (NSW); Australian Medical Association (AMA) Code of Ethics |
| Financial data | Personal financial information including bank account details, credit card numbers, Tax File Numbers (TFNs), superannuation account numbers. | Sensitive | Payment Card Industry Data Security Standard (PCI DSS); Tax File Number Guidelines 2011 |

The following questionnaire is a guideline only. It is intended to provide an overview of the kind of questions that ought to be considered during the process of data classification. It is not intended to provide an exhaustive list of the questions that one could possibly ask about your data and its classification.

 

| # | Question | Yes | Notes |
|---|---|---|---|
| 1 | Does the data contain Personally Identifying Information about staff, students, alumni, or 3rd parties? e.g. how someone is performing, | Then your data is at least classified as SENSITIVE | |
| 2 | Does the data contain financial information such as credit card or Tax File numbers? | Then your data is at least classified as SENSITIVE | |
| 3 | Does the data contain information about persons under 18 years of age? | Then your data is at least classified as SENSITIVE | |
| 4 | Does the data contain information about aboriginality or similar? | Then your data is at least classified as SENSITIVE | |
| 5 | Does the data contain information about patient treatment records or medical information? | Then your data is at least classified as HIGHLY SENSITIVE | |
| 6 | Does the data contain information about individually identified research subjects? | Then your data is at least classified as SENSITIVE | |
| 7 | Does the data contain information about UNSW systems or security? | Then your data is at least classified as SENSITIVE | |
| 8 | Does the data contain information about commercial in confidence dealings? e.g. industry partners or collaborators, other institutions | Then your data is at least classified as PRIVATE | |
| 9 | Does the data contain information about intellectual property or contractual obligations regarding confidentiality? | Then your data is at least classified as PRIVATE | |
| 10 | Does the data contain information about export-controlled data? e.g. crypto research | Then your data is at least classified as PRIVATE | |