1. Purpose
This Data Management and Classification Policy requires a data owner to work with departments to classify their data according to its sensitivity and criticality.
An appointed senior data owner is the person who is accountable for the data across the Organization. This person is usually a member of upper management who has a vested interest in making sure the data is labeled correctly and ultimately secured appropriately. This person must understand the importance to the University and usage of the data to classify it correctly. This person also must be well versed in the applicable law, regulations, or contractual requirements of the data. Once the data owner classifies the data, he or she should review the classification periodically (annually) to verify the classification still applies.
This policy sets out how this classification is to be performed.
2. Roles and Responsibilities
The data owner will help departments classify their data and ensure that the data inventory with respect to their data is accurate and up to date.
3. Scope
This policy applies to both electronic and physical data.
4. Data Classification Procedure
As per ISO 27002 the purpose of information classification is to ensure that information/data receives an appropriate level of protection.
Following on from this, Stamford International University (“University”) classifies its data based on the level of impact that would be caused by inappropriate access and/or data loss.
There are four classifications as follows:
- Confidential / Sensitive data
- Internal Use Only data
- Public
Classification of data is independent of its format.
The following table provides an indication of how classifications get assigned through considering the impact of various risks.
Risk | Impact (considered from four main perspectives: legal, reputational, financial, operational and personal safety; refer to Appendix II for further guidance) | | |
Inappropriate access causing breach of confidentiality/data protection rules | Minor | Moderate | Serious |
Inappropriate access resulting in unauthorized amendments | Minor | Moderate | Serious |
Data loss | Minor | Moderate | Serious |
Unauthorised disclosure | Minor | Moderate | Serious |
Resulting data classification | Public Data | Internal Use Only | Confidential Data |
Data classification examples | 1: Public websites; 2: Social media data. | 1: Internal notices / training data; 2: Internal telephone contact list; 3: Financial Department and University budgets. | 1: Finance data; 2: HR data; 3: Customer personal data; 4: Strategic roadmaps; 5: Intellectual property. |
Public Data
Public data is information that may be open to the public. It is defined as information with no existing local, national, or international legal restrictions on access or usage. Public data can be made available to all of the University’s employees and to all individuals and third parties.
By way of illustration only, some examples of public data include:
- Publicly posted content on all external facing web sites.
- Publicly posted press release.
- Publicly posted marketing and press releases of the University.
Internal Use Only
Internal use only data is confidential information that must be protected due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, transmission, storage, or other use. Internal use data is information that is restricted to the University’s employees who have a legitimate purpose for accessing such data.
By way of illustration only, some examples of internal use only data include:
- Internal notices / training data.
- Internal telephone contact list.
- Financial budgets.
Confidential Data
Confidential data is information or data protected by statutes, regulations, and/or contractual obligation. Confidential data may be disclosed to authorized individuals on a need-to-know basis only.
The following table describes the types of confidential data and gives examples of each type. The examples given in this table are by way of illustration only; this is not an exhaustive list.
Confidential Data Type: | Description: | Example: |
University secret data | Commercially sensitive data for which we have an institutional obligation to protect | High-value data that comprises intellectual property for business, commercial, or research projects, e.g., trade secrets, formulas, commercial contracts |
Personal Data | Data relating to a living individual who is or can be identified from the data | Name, address, credit card number, CCTV footage, customer records, personnel and payroll records, bank account details |
Special Categories of Personal Data | Specific categories of data which are defined by the PDPA (Personal Data Protection Act) as sensitive personal data | Physical or mental health data, disability, racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, biometric data, genetic data, trade union information |
Confidential data, when stored in an electronic format, must be protected with strong passwords, and stored on servers that have appropriate access control measures in order to protect against loss, theft, unauthorized access, and unauthorized disclosure.
Technical considerations for electronically storing Special Categories of Personal Data should be assessed on a case-by-case basis. The data owner should consult with the IT Department Manager to ensure the appropriate technical protections and control measures are in place for protecting this type of data, in line with the University’s obligations under relevant policies and procedures.
Confidential data, when stored in a physical paper format, must be protected with storage that is locked, and access must be limited to those employees who need it to perform their roles. Filing cabinets and data rooms must have a records management system. Physical documents are of equal importance under the PDPA.
Confidential data must not be disclosed to other parties without explicit management authorization from the data owner. Confidential data must only be used for the purpose for which it was originally gathered.
The classification record in the data inventory, as per the template in Appendix 1, should clearly indicate the data classification assigned to each individual data set used in the University’s processes. It is the responsibility of individual data owners to provide input into the data inventory.
Appendix 1
Process Name | Data Set | Data Owner | Data Storage Location | Data Processor name | Data Classification: Public, internal, Confidential/sensitive | Data Retention Period | Data Disposal Technique |
Appendix II
Impact Assessment – Guidance on classifying data
Internal, Confidential and Sensitive information must be classified appropriately to protect it from unauthorised access, interception, copying, modification, transmission, or destruction.
- Confidential: strategic business strategy, intellectual property, and other information; only available to members of the project and those that clearly need access.
- Internal: University-wide project communications.
- Sensitive: sensitive roadmap, financial, forecasting, customer, or other information; only available to key project members or specific departments.
Classification Level | Financial | Reputational | Personnel / Safety | Operational | Legal |
Confidential + Sensitive | Serious commercial disadvantage or loss, including financial or legal penalties | Serious reputational damage; will lead to negative perception and a drop in University value | Danger to personal safety or rights/freedoms; will significantly impact the rights and freedoms of individuals on a large scale; prolonged distress, discomfort, or embarrassment to an individual | Long-term disruption to operations and service, including likely loss of business contracts | Major breach of a statutory obligation (such as Data Protection) |
Internal | Some financial risk | Minor reputational risk; technical breach of duty of confidence | Short-term discomfort or embarrassment to an individual | Commercial disadvantage or loss; short-term disruption to our operations and service; may require public damage limitation | Possible breach of a statutory obligation (such as Data Protection) |
Public | Minimal financial risk | Minimal or no risk to our reputation | No discomfort or embarrassment to individuals | Minimal or no risk to our operations or service delivery | No breach of statutory obligations; minimal risk if data is altered |