University data classification decision tree and model

Decision tree

This is an interactive diagram. You can click on a shape to get more information. Public Highly restricted Unrestricted Highly restricted Restricted Restricted Restricted Highly restricted Intended for public disclosure? Would the data present a safety risk? Does the data set include sensitive data? Does the data set include sensitive personal data? Are there any ethical or moral issues connected to the data? Is the data set subject to other contractual, legislative or regulatory conditions? Have we agreed to stored data as per definition of ‘Highly Restricted’?

Flowchart for Research Data Classifications

Top

Classification model

ClassificationDescriptionImpact of unauthorised disclosureTypes of dataAppropriate IT facilities might include
Public

Publicly available information

None:
  • No confidentiality issues
  • Must still be accurate and protected from unauthorised change
  • Website/internet content
  • Marketing/publicity
  • Research activity details
  • Well-managed University and personally-owned PCs, mobile devices and removal media (external storage)
  • University email services
  • Appropriately-secured web servers
  • LAMP service
Unrestricted

Information that is not in the public domain but would cause minimal harm should unauthorised disclosure occur

Low:

  • No sensitive data
  • No compliance restrictions
  • Disclosure might be inappropriate but of little significance

 

  • Internal correspondence
  • Data which would be released as part of Freedom of Information request
  • Data which is not subject to legal, regulatory, commercial, contractual embargo
  • Data not yet prepared for formal publication
  • Policies and procedures
  • Well-managed University and personally-owned PCs and mobile devices
  • Encrypted removal media
  • University email services
  • Appropriately-secured web servers
  • LAMP service
  • Research Filestore (R:drives)
  • Alice (HPC)
  • Specialist IT facilities (e.g. MRI)
  • LAMP service
  • VPN from fully managed laptop
Restricted

Information which could cause harm or distress, to individuals or the University should unauthorised disclosure occur

Medium:

  • Distress or embarrassment to small numbers of individuals
  • A degree of damage to the University’s reputation or operations
  • Breach of legislation, regulation or contract with possibility of some financial penalty
  • Potential to prevent specific current or future research activity
  • Data subject to legal, regulatory, contractual embargo (unless a higher degree of restriction is specified)
  • Data with ethical/moral implications e.g. identifiable deceased data subjects

IT services for which the University has the CyberEssentials certification:

  • Fully-managed Windows 7/Linux desktops (no local admin rights)
  • Fully-managed laptops if permitted
  • Enhanced security Research Filestore (R:drive)
  • Enhanced security HPC (Alice)
  • Filedrop

Specialist IT facilities (e.g. MRI) with approved and agreed Standard Operating Procedure

Appropriate University system e.g. Student Record System

Highly restricted

Information which is likely to cause serious harm to individuals or the University should unauthorised disclosure occur

High:

  • Risk to safety or well-being of individuals.
  • Significant distress to individuals
  • Substantial legal consequence to individuals or the University
  • Substantial financial penalties
  • Substantial damage to University reputation or operations
  • Institution-wide block on research, funding, data sharing or collaboration
  • Data which poses risk to personal safety
  • Patient identifiable data
  • Sensitive personal data (subject to DPA)
  • Protected characteristics
  • Data subject to legal, regulatory, contractual embargo for which highest degree of restriction is specified
ISO27001 secure IT service coming soon.

Top

Guidance for University data classification

Intended for public disclosure?

You should ask yourself:

  • Has the data come from an open, publicly-accessible source?
  • Do I intend to publish the data ‘as-is’ in a publicly-accessible location?
  • Is there anything confidential in the data?

Top

Would the data present a safety risk?

You should ask yourself:

  • If the data was accidentally disclosed, would it pose a risk to the data subject(s) personal safety? There are very many scenarios where research data could put personal safety at risk, but a few examples might be data containing:
    • The views of people living under politically unstable regimes and/or war-zones
    • Details of victims and/or perpetrators of crime
    • Interviews with domestic violence survivors
  • If the data was accidentally disclosed, would it pose a risk to anyone else’s personal safety? Again, there are many scenarios where this could be the case, but some examples are:
    • Risk to researchers or other staff from data disclosing too much specific detail of research into sensitive/emotive areas e.g. animal testing, counter-terrorism
    • Risk to users of university buildings from data disclosing too much detail of specific locations of sensitive/emotive research facilities

Top

Does the data set include sensitive data?

You should ask yourself whether there is anything within the data set that makes it unsuitable for widespread access. This could include:

  • Data that identifies individuals
  • Subject matter such as:
    • Pornography or other ‘adult’ material
    • Extremist or terrorist related material
    • Commercially-sensitive material
    • Video of traffic accidents

Top

Does the data set include sensitive personal data?

This relates to data identifying living people and containing ‘protected characteristics’ as defined by the Information Commissioner’s Office and protected under data protection and other legislation such as the Equality Act 2010.

You should ask yourself whether the data identifies individuals or enables identification of individuals to be derived and contains any of the following:

  • Racial or ethnic origin
  • An individual’s political opinion (where not in the public domain?) or membership of trade union
  • Religious, faith or similar beliefs
  • Physical or mental health or condition
  • Gender, sexual orientation etc
  • Criminal offences, alleged criminal offences, convictions etc.

Top

Are there any ethical or moral issues connected to the data?

Even where data is not protected by specific legislation such as Data Protection Act, you should ask yourself:

  • Does the data contain details that could be hurtful, distressing or offensive to individuals should it be disclosed? Examples of such data might be:
    • Specifics about cause of death of identified individuals
    • Sensitive personal data relating to deceased individuals

Top

Is the data set subject to other contractual, legislative or regulatory conditions?

Data must be protected and managed in the way we have agreed as a condition of receiving the data. You should ask yourself:

  • Is there a contract (e.g. data sharing contract) with specific restrictions on my handling of the data?
  • Have we agreed that another organisation may audit us as a condition of receiving the data?
  • Is the data subject to a higher-level contract e.g. the University’s NHSDigital (formerly HSCIC) framework contract?
  • Is the data part of a commercial contract which might impose restrictions?
  • Does the regulatory body of my research area impose restrictions on my handling of the data?

Share this page: