You are on page 1of 7

Data Classification Standard

Version Approved by Approval date Effective date Next review


2.0 XX XX XX XX 2021

Standard Statement
The UNSW Data Classification Standard is a framework for assessing data
sensitivity, measured by the adverse business impact a breach of the data
would have upon the University. It has been created to help effectively
manage information in daily mission-related activities across the University
Purpose community.
The standard outlines the minimum level of protection necessary when
performing certain activities, based on the classification, which is determined
through consideration of the information type, importance, usage and way it is
handled.
This Standard applies to:
- all data or information that is created, collected, stored or processed by
UNSW, in any form, including electronic or non-electronic formats (e.g. paper,
digital text, image, audio, video, microfilm, etc.) during the course of
conducting University business (e.g. administrative, financial, education,
Scope research, teaching, or service)
- all University employees including faculty staff, student employees, and
other individuals such as agents, affiliates, vendors, and independent
contractors, third-party agents of the University and any other University
affiliates who are authorised to access UNSW data. in their handling of
University data.

Are Local Documents on this ☐ Yes, subject to any areas specifically restricted. ☒ No
subject permitted?

Standard

1. UNSW Classifications
There are five levels of security classification at UNSW. These classifications reflect the level of risk to
the organisational interest, the national interest, and to individuals, from unauthorised disclosure, or
compromise of the confidentiality, of information. These classifications include:

• Top Secret
• Secret
• Highly Sensitive
• Sensitive
• Protected

They are described in the following table. All data at the University shall be assigned one of these
classifications. Collections of diverse information should be classified as to the most secure classification
level within the aggregated information. UNSW does not use dissemination limiting markers (DLMs) in its
Data Classification Standard.

DRAFT Data Classification Standard Page 1 of 7


Version: 2.0 Effective XX Month Year [Consultation draft 3 December 2018 to 7 January 2019]
Data
Description Example Data Types
Classification

Research, including defence and


Data that if breached owing to strategic goods and technology
accidental or malicious activity would
have a catastrophic impact on the
University’s activities and objectives.

This classification requires the highest


Top Secret
degree of protection as compromise of
the confidentiality of information could
be expected to cause exceptionally
grave damage to the national interest,
university or individuals.

Data that if breached owing to Export controlled research, e.g.


accidental or malicious activity would cybersecurity research, or research,
have an extreme impact on the including defence and strategic
University’s activities and objectives goods and technology
Secret
This classification should be used when
compromise of the confidentiality of
information could be expected to cause
grave damage to the national interest,
university or individuals.

Information about children and


Data that if breached owing to young persons
accidental or malicious activity would
have a very high impact on the Credit card/TFN
University’s activities and objectives.
Data subject to regulatory control
This classification should be used when
compromise of the confidentiality of Medical/Health data
information could be expected to cause
Highly Sensitive serious damage to the national interest, Research Data (containing personal
university or individuals. medical data)

This classification describes the


intended audience from a restricted
UNSW organisational unit or external
perspective. Dissemination is based on
strict academic, research or business
need.

DRAFT Data Classification Standard Page 2 of 7


Version: 2.0 Effective XX Month Year [Consultation draft 3 December 2018 to 7 January 2019]
Data
Description Example Data Types
Classification

Data that if breached owing to Exam material


accidental or malicious activity would
have a high impact on the University’s Exam results
activities and objectives.
Organisational financial data
This classification should be used when
the compromise of the confidentiality of Research data (containing personal
information could be expected to cause data)
Sensitive significant damage to the national
interest, university or individuals. Student and Staff HR data

This classification describes the De-identified Medical/Health Data


intended audience from a restricted
UNSW organisational unit or external
perspective. Dissemination is based on
strict academic, research or business
need.

Data that if breached owing to Business unit process and


accidental or malicious activity would procedure
have a low impact on the University’s
activities and objectives. ITC system design and configuration
information
This classification should be used when
the compromise of the confidentiality of Unpublished intellectual property
information could be expected to cause
Protected
damage to the national interest,
university or individuals.

This classification describes the


intended audience from a broad UNSW
organisational unit or external
perspective. Dissemination is based on
academic, research or business need.

Course catalogues

Faculty and staff directory


information
Data that if breached owing to
accidental or malicious activity would Published research data
have an insignificant impact on the
Public University’s activities and objectives.

(Unclassified) This classification describes university


information that is not expected to
cause harm and does not require a
security classification

2. UNSW Classifications relating to national and business interests and their


potential impact levels
The following table describes classifications that relate to national and business interests and their potential
impact. It includes information about the various levels of potential impact on University Operations.

DRAFT Data Classification Standard Page 3 of 7


Version: 2.0 Effective XX Month Year [Consultation draft 3 December 2018 to 7 January 2019]
Protected (Impact- Sensitive (Impact- High) Highly Sensitive (Impact - Top Secret/Secret
Medium) Very High) (Impact – extreme/
Catastrophic)
Could be expected to Could be expected to cause Could be expected to cause Could be expected to
cause damage to the significant damage to the National serious damage to the cause exceptionally
National interest, interest, University or individuals by: National interest, University or grave damage to the
University or individuals by: National interest,
individuals by: University or
individuals, by:
Impacts on National and UNSW Security
• causing minor • causing damage to national and • causing serious damage • causing
damage to university security to national and university exceptionally grave
national and security damage to national
university security and university
security
Impacts on University Operations
Operational
capacity • causing a severe degradation • causing a severe
• causing a in, or loss of, organisational degradation in, or loss of,
degradation in, or capability to an extent and organisational capability to
loss of, duration that the University an extent and duration
organisational cannot perform one or more of that the University cannot
capability to an its functions for an extended perform more than two of
extent and time its functions
duration that the
University has
impact on one or
more of its
functions
University Assets
• resulting in harm • resulting in major long-term
to University harm to University assets
assets
University Finances
• resulting in • resulting in large financial loss • resulting in massive
substantial to University financial loss to University
financial loss to
University
Australian Financial and Economic Impacts
• undermining the • undermining the financial • undermining the financial
financial viability viability of, or causing viability of a number of
of, or causing substantial financial damage to, major Australia-based or
financial damage a number of major Australia- Australian-owned
to, a major based or Australian-owned organisations or
Australia-based organisations or companies companies in the same
or Australian- sector
owned
organisation or
company, or
disadvantaging a
number of major
Australian
organisations or
companies
• resulting in short- • causing long-term damage to • causing major, long-term
term material the Australian economy to an damage to the Australian
damage to estimated total of $10 to $100 economy to an estimated
national finances million total in excess of $100
or economic million
interests to an
estimated total of
$1 to $10 million
• causing material • causing major, short-term • causing major, long-term
damage to damage to global trade or damage to global trade or
international commerce, leading to short term commerce, leading to
trade or recession or hyperinflation in prolonged recession or
commerce, with Australia hyperinflation in Australia
the potential to
directly and
noticeably
DRAFT Data Classification Standard Page 4 of 7
Version: 2.0 Effective XX Month Year [Consultation draft 3 December 2018 to 7 January 2019]
reducing
economic growth
in Australia

Impacts on Government Policies


• impedes the
development or
operation of
major
government
policies
• disadvantaging • significantly disadvantaging • severely disadvantaging • resulting in the
Australia in Australia in international Australia in major collapse of internal
international negotiations or strategy international negotiations political stability of
negotiations or or strategy Australia or friendly
strategy countries
• resulting in a loss • temporarily damaging the • threatening directly the • directly provoking
of confidence in internal stability of Australia or internal stability of international conflict
government friendly countries Australia or friendly or causing
countries leading to exceptionally grave
widespread instability damage to relations
with friendly
governments
• causing short • causing significant damage or • raising international
term damage or disruption to diplomatic relations tension, or causing severe
disruption to including resulting in formal damage or disruption, to
diplomatic protest or retaliatory action diplomatic relations
relations
Impacts on Personal Safety
• endangering • endangering individuals - the • threatening life directly –
individuals - the compromise of information the compromise of
compromise of could lead to serious harm or information could
information could life-threatening injuries to reasonably be expected to
lead to harm to individuals lead to loss of life of an
an individual individual or small group
Impacts on Crime Prevention
• impeding the • causing major, long-term • causing major, long-term
investigation of, impairment to the ability to impairment to the ability to
or facilitating the investigate serious offences investigate serious
commission of an organised crime
offence undertaken by an
organised crime group as
defined in the Convention
Against Transnational
Organised Crime
Impacts on Defence Operations
• causing damage • causing damage to the • resulting in severe • causing
to the non- operational effectiveness or damage to the operational exceptionally grave
operational security of Australian or allied effectiveness or security of damage to the
effectiveness or forces that could result in risk to Australian or allied forces operational
security of life effectiveness or
Australian or security of
allied forces Australian or allied
causing re-supply forces
problems that
could result in
risk to life
Impacts on Intelligence Operations
• causing damage to Australian or • causing severe damage to • causing
allied intelligence capability Australian or allied exceptionally grave
intelligence capability damage to the
effectiveness of
extremely valuable
security or
intelligence
operations
DRAFT Data Classification Standard Page 5 of 7
Version: 2.0 Effective XX Month Year [Consultation draft 3 December 2018 to 7 January 2019]
Impacts on National Infrastructure
• damaging or • damaging or disrupting • shutting down or
disrupting in significant university, national substantially disrupting
some extent of infrastructures significant university,
university, State national infrastructure
or Territory
infrastructure

Table reference - Australian Government Protective security governance guidelines – Business Impact Levels

3. Alignment with Government Security Classification


The following table shows how the UNSW Data Classification Standard aligns with NSW State and
Commonwealth classifications:

UNSW NSW State Commonwealth


Top Secret TOP SECRET TOP SECRET
Secret SECRET SECRET
Highly Sensitive Not used Not used
Sensitive CONFIDENTIAL CONFIDENTIAL
Protected PROTECTED PROTECTED
Public Unclassified Information not requiring additional
protection

4. When to apply security classification to data

Most UNSW official information (e.g. published course related information, published research data)
does not need increased security and may be marked ‘Public’ or left unmarked. This should be the
default position for newly created material, unless there is a specific need to protect the confidentiality of
the information.
University employees, and other covered individuals, are to determine in which circumstances security
classifications are to be applied to its information. Review by the relevant Data Owner or Data Steward
may be appropriate.
People are not entitled to access information merely because it would be convenient for them to know or
because of their status, position, rank, or level of authorised access.
Top Secret, Secret, Highly Sensitive and Sensitive classified information has special handling
requirements, especially during electronic transmission or physical transfer. It is only to be used and
stored in physical environments that provide a fitting level of protective security. For details on physical
and electronic security requirements, see the Information & Security Management System Policy and
Standards.

5. Responsibilities
Data Owners are responsible for appropriately classifying data.
Data Stewards are responsible for determining the appropriate data classification and applying required
and suggested safeguards.
Data users are responsible for complying with the Data Governance Policy and related Standards and
Guidelines.

Accountabilities

DRAFT Data Classification Standard Page 6 of 7


Version: 2.0 Effective XX Month Year [Consultation draft 3 December 2018 to 7 January 2019]
Responsible Officer Director, UNSW Planning & Performance

Contact Officer Chief Data & Analytics Officer, UNSW Planning & Performance

Supporting Information
This Standard supports the University’s compliance with the following legislation:
Legislative Compliance
Nil

Parent Document (Policy) Data Governance Policy

Supporting Documents Data Handling Guideline

IT Security Policy – Information Security Management System (ISMS)


IT Security Standards
Recordkeeping Policy
Related Documents UNSW Privacy Management Plan
Commonwealth Protective Security Framework (PSPF)
NSW Digital Information Security Policy

Superseded Documents Data Classification Standard, version 1.1

File Number 2016/09759

Definitions and Acronyms

Nil

Revision History
Version Approved by Approval date Effective date Sections modified
1.0 President and Vice-Chancellor 11 March 2016 1 March 2016 New Standard

Minor information management


1.1 President and Vice-Chancellor 21 February 2017 1 January 2017
amendment

2.0 Reviewed

DRAFT Data Classification Standard Page 7 of 7


Version: 2.0 Effective XX Month Year [Consultation draft 3 December 2018 to 7 January 2019]

You might also like