View Current

Information Classification and Protection Policy

This is the current version of this document. To view historic versions, click the link in the document's navigation bar.

Section 1 - Executive Summary 

(1) The University of Newcastle (University) routinely gathers, stores, processes, communicates, and disposes of information. That information must be protected from unauthorised disclosure, damage and loss. At the same time, information must be readily available to those who need it. 

(2) Establishing an information classification scheme and the controls appropriate for each classification level is essential for protecting information throughout its lifecycle. 

(3) Formalising information classification and protection requirements also enables the University to meet its legal obligation to manage personal information in accordance with the Privacy and Personal Information Protection Act 1998, the Health Records and Information Privacy Act 2002, the State Records Act 1998, and the University's Records Governance Policy and Privacy Policy

Top of Page

Section 2 - Purpose 

(4) This document articulates the University's Information Classification Scheme for information assets and the controls that should be applied at each classification level. 

(5) The appropriate information classification level is determined by the Information Owner and reflects the value and sensitivity of the information as per the Records Governance Policy and Privacy Policy; and the impact to the University if the information is compromised. 

(6) This policy is intended to protect the confidentiality, integrity and availability of information.

Top of Page

Section 3 - Scope 

(7) This Policy applies to all information created, processed, stored, or communicated by the University and controlled entities in both physical and electronic form. The scope of this policy also extends to data and records. 

Top of Page

Section 4 - Audience 

(8) All University staff, students, volunteers, contractors, vendors, and members of advisory and governing bodies, in all campuses and locations of the University and at all times while engaged in University business or otherwise representing the University

Top of Page

Section 5 - Information Handling Principles 

(9) The following principles apply to the creation, storage, processing, and communication of all University information and assets, regardless of physical or logical location, storage medium, technology used, format, or the purpose(s) they serve, and will guide all aspects of managing University information assets:  

  1. information is a core strategic asset and is aligned to support business needs, informed decision making and customer outcomes;
  2. information assets are secure, valued, authentic, ethically managed, trustworthy, and ready for use and re-use for as long as they are needed; 
  3. information assets are managed using a defined lifecycle, from creation to classification, storage, use, archival, and destruction;
  4. information is managed in line with external and internal statutory requirements;
  5. information assets are discoverable across the University and used by those with legitimate need; 
  6. University systems, processes and people protect privacy and confidentiality of our information assets and protect against unauthorised disclosure, alteration, deletion or misuse. 
Top of Page

Section 6 - Information Handling Requirements 

Information Classification 

(10) Information must be managed to ensure the confidentiality, integrity, and availability of that information, and to meet the University's legal and regulatory responsibilities. 

(11) The University uses classifications to define the acceptable use and handling of information. 

(12) Information classifications take into account: 

  1. the broader goals of the University relating to the generation and sharing of information; 
  2. the value of information to the University; and 
  3. the risks associated with sharing information. 

(13) Information Owners are responsible for determining the value of information, assigning classification labels and overseeing the protection of information throughout its lifecycle. 

(14) Information assets must be classified in terms of legal requirements, sensitivity, criticality, and risk to the University

(15) All information assets are subject to classification and must be classified upon their creation by the Information Owner. For assistance, please contract Strategy, Planning and Performance or the Cyber Security team.

(16) If information is received from an external source, the information must be classified by the Information Custodian. 

(17) Information assets must be re-classified by the Information Owner upon significant change in legal requirements, sensitivity, criticality, or risk to the University

(18) Any disputes regarding the appropriate classification of information will be resolved by the Legal and Compliance team. 

(19) Information assets should only be stored, processed, and communicated on system(s) designed to support the classification level and appropriate management of that information. 

(20) Information assets must be classified using the University's Information Classification Scheme, which is described in Table 1. 

Table 1 – The University of Newcastle Information Classification Scheme 

Impact Type Severity
  Lowest <----------> Highest
Impact Insignificant to Minor Moderate Major Severe
Security – What advantage does this information provide? Little or no advantage. Might provide some advantage. Definite advantage. Significant advantage.
Likelihood of malicious persons searching for this information. Low or no likelihood. Low Medium High
If this asset or information is disclosed, stolen or lost.
Provision of business operation and service. Some localised inconvenience, but no impact to the University. Disruption to operations with no permanent or significant effect on University. Some impact on the University's operational performance. Less impact on strategic goals in the medium term. Significant effect on operational performance. Achievement of operational and strategic goals in the medium term jeopardised. Existence of the University under threat.
Compliance / Legal Breach of legislation, contract, rule or policy that does not have any penalty or litigation impact. Breach of legislation contract, rule or policy that may have an impact on the relationships with third party or the legislator, but no long lasting effect. No litigation or prosecution and/or penalty. Regulatory consequence limited to standard inquiries. Breach of legislation, contract rule or policy leading to escalated legal enquiries. Regulatory or legal consequence limited to additional questioning or review by legislator. Breach of legislation contract, rule or policy leading to possible legal action. Possible litigation or criminal prosecution and/or penalty. External enquiry or regulatory review and/or possible negative sanction by a regulatory body. Breach of legislation, contract, rule or policy leading to significant and costly legal action with widespread potential impact for the University. Litigation or criminal prosecution and/or substantial major negative sanction by a regulatory body.
Employees / WHS No impact to employees / WHS. Continuity of employment concerns across the University. WHS incident requiring significant medical attention. WHS event reported and investigated. Significant (up to 15%) loss of staff contained to one College / division. Widespread damage to staff morale. WHS event causing serious injury, or negative environmental impact, and the relevant external authority notified. Significant loss of staff extending to the entire University (over 15%). WHS event causing serious permanent injury, death or environmental. Impact leading to costly action and widespread impact on the University and/or senior staff.
Financial Less than 1% of budget or up to $25k. 1 to 2% of budget or $25-50k. 2-5% budget or $250k-$1m. 5-10% budget or $1m – $5m. Over 10% of budget or over $5m.
Reputation No impact to reputation. Student and/or community concern. National media coverage and external criticism. Reputation impacted with some stakeholders. Loss of student confidence in a School or College. Sustained adverse national media and public coverage. Reputation impacted with a significant number of stakeholders. Breakdown in strategic and or business partnership. Loss of student confident in the University. Reputation and standing of the University affected nationally and internationally. Serious public outcry and/or international coverage. Reputation impacted with majority of key stakeholders. Significant breakdown in strategic and or business partnerships.
Service Levels Loss of less than one day’s teaching, research and/or business functions. Loss of one full day of teaching, research and/or business functions. Loss of 1-7 days of teaching, research and/or business functions. Loss of two weeks to two months of teaching, research and/or business functions. Loss of over two months of teaching, research and/or business functions.
Example information types College and staff directory information. Course catalogues. Published research data. Course descriptions.  Business unit process and procedure. Unpublished intellectual property. ITC system design and configuration information. Departmental intranet. Student and staff HR data. Organisational financial data. Current exam material. Research data (containing personal data). Data subject to regulatory control. Employee relations and complaints information. Medical, Children & Young person’s information. Credit card information. Research data (containing personal medical data).
Recommended information classification Public X-in-confidence Restricted Highly restricted 

Alignment with Government Security Classification

(21) The University's Information Classification Scheme broadly aligns with the NSW and Commonwealth Information Classification schemes as per Table 2.

Table 2 – Alignment of University Information Classification Scheme with Government Security Classification

University NSW Government Commonwealth Government
Public Unofficial and Official Unofficial and Official
X-in-Confidence Official: Sensitive Official: Sensitive
Restricted Protected Protected
Highly-Restricted Secret Secret
N/A Top Secret Top Secret

(22) The NSW and Commonwealth classifications and associated protections must be applied when dealing with state and federal government information. In these scenarios, guidance on implementing appropriate controls must be sought from the Information Owner and from the University's Cyber Security team. 

Information Ownership 

(23) The ownership of information must be clearly identified, stated, and discoverable. 

(24) In cases where the Information Owner must change, the incumbent must ensure adoption of new ownership responsibilities. 

(25) In cases where information ownership cannot be clearly established, the organisational value of information cannot be clearly identified, and the information has not been accessed in greater than twelve months, the information may be considered inactive.

Information Retention 

(26) Information retention periods vary subject to legislative requirements (see the University's Records Governance Policy), University policy, and organisational and community value.

(27) Over-retention of information exposes the University to intolerable legal, reputational, and financial risk

(28) Storage of sensitive or high-risk information should be minimised. Methods of minimising the retention of such information include: 

  1. determining a legitimate need to obtain and store the information; 
  2. utilising a University approved third-party organisation or system to store that information; and 
  3. employing methods of zero-knowledge proof. Zero-knowledge proof is about proving the validity of sensitive information without revealing it apart from the fact that it is true. An example is encryption.

(29) Information that is considered inactive may be subject to review and destruction in accordance with the Records Governance Policy. Digital Technology Solutions (DTS) will facilitate the destruction of inactive data using methods commensurate with legislative requirements and University policy.

(30) Information Owners must securely delete information following the expiry of specified retention periods, using methods commensurate with legislative requirements and University information protection requirements (see Section 7). 

Top of Page

Section 7 - Information Protection Requirements 

Information Protection Requirements 

(31) Information protections are defined for each classification level and must be applied throughout the information lifecycle.

(32) Information protection requirements are described in Table 4. 

Table 4 – Information Protection Requirements 

Information Handling and Protections
Control Category Description of Controls Public X-In-Confidence Restricted Highly Restricted
General Storage and processing facilities are in Australia.   X X X
Only University-approved solutions are used to store, process and communicate information assets.   X X X
Access Controls No restriction on viewing. X      
Role-based access to information.   X X X
Access to authorised users only.   X X X
Authentication required for access.   X X X
Information Owner must grant permission for access.     X X
Authorisation by Information Owner required for modification. X X X X
Non-disclosure agreement required to be signed by third parties.   X X X
Access should be removed as soon as it is no longer required.     X X
Copying / Printing (paper and electronic forms). No restrictions. X      
Should not be left unattended on a printer.   X X X
Information should only be printed when there is a legitimate need.   X X X
Electronic and physical copies must be labeled according to their classification.   X X X
Copies must be limited to authorised individuals.   X X X
Physical security Facility that provides access to information assets must be locked or logged out when unattended or unused.   X X X
Information assets to be stored in approved and supported environments.   X X X
Physical access must be monitored, logged, and limited to authorised individuals.     X X
Access to information assets by third parties Remote access by third party limited to authenticated VPN, or via supervised session utilising Zoom, Webex or similar.   X X X
Unsupervised remote access by third party, such as an application vendor, for technical support is not allowed, unless covered by an appropriate formal agreement stipulating information handling requirements equivalent to or stronger than those in this document.   X X X
Storage of information PC hard drives and removable media must be encrypted.   X X  
Information should not be stored or processed on PCs, portable devices, and removable media.       X
Strongest available encryption must be used.     X X
Only the minimum required personally identifiable information (PII) can be stored. Methods to achieve this include deleting unrequired PII, scrambling, masking and encrypting data.     X X
Transmission of information Information must not be transmitted or shared unless encrypted.   X X X
Strongest available encryption must be used.     X X
Use of information assets for testing Production information cannot be used for testing purposes unless approved by DTS and appropriate controls are applied to testing environments.   X X X
Personally identifiable information used for testing must be de-identified where possible.     X X
Backups Daily backups required. X X X X
Geographically dispersed storage required.     X X
Disposal All disposals of information (electronic and hard copy) must be made in accordance with Records Governance Policy. X X X X
Paper-based information must be shredded and placed in managed confidential bins.   X X X
Wipe, erase or destroy electronic media such as hard drives, USBs, CD and DVDs.   X X X
Information that is no longer required for business or legal needs should be disposed of to reduce the risk of data breaches and done so in accordance with the Records Governance Policy.   X X X
Top of Page

Section 8 - Roles and Responsibilities 

Information owner 

(33) The Information Owner is the person responsible for the business use of the information asset. The Information Owner is the authoritative head of the respective College, School, Division or Unit within the University

(34) The Information Owner is responsible for collecting, creating, retaining and maintaining information within their assigned area of control, coupled with the responsibility to protect that information on behalf of the University

(35) The Information Owner may assign some operational responsibilities within their team but will retain overall responsibility. 

(36) The Information Owner is required to: 

  1. determine the statutory requirements regarding privacy and retention and any risks associated with the information; 
  2. assign an appropriate classification based on Section 6, Table 1; 
  3. define the method for applying classification labels based on Section 6, Table 2; 
  4. authorise access to the information based on Section 6, Table 4 (c); 
  5. specify any additional handling controls needed to ensure the confidentiality, integrity, and availability of the information; 
  6. communicate the control requirements to the information custodian and to users of the information; 
  7. continually evaluate the use and value of information to avoid over retention; 
  8. develop an information disaster recovery or business continuity plan for the Information Custodian, which identifies: 
  9. any potential risks; and 
  10. vital information. 

Information Custodian 

(37) Information Custodians are those individuals who control information assets and business information systems regardless of physical or logical location, storage medium, technology used, format, or the purpose(s) they serve. In most cases, Digital Technology Solutions will act as the Information Custodian. 

(38) The Information Custodian defines information systems architecture and provides technical consulting assistance to Information Owners so that information systems can be built and operated to best meet business objectives. 

(39) Information Custodians are responsible for safeguarding the information assets in their possession, including implementing access control systems to prevent inappropriate disclosure, as well as developing, documenting, and testing disaster recovery or business continuity plans as defined by Information Owners

(40) In cases in which the information being stored is paper-based, the Information Custodian responsibilities will logically fall to the business unit gathering the information. For such systems, DTS or Records Governance Services (RGS) can offer guidance and provide opportunities for digitisation. 

Information User 

(41) Information Users are individuals who have been granted explicit authorisation by the relevant Information Owner to access, use, alter, or destroy information belonging to the University

(42) Information User’s are responsible for: 

  1. using the information only for the purpose intended and authorised by the Information Owner
  2. complying with all controls established in University policies; 
  3. ensuring that Restricted and Highly-Restricted information is not disclosed to anyone without the permission of the Information Owner
  4. only destroying information in accordance with the requirements of the Records Governance Policy

(43) When dealing with information classified by an external organisation, advice must be sought from the Cyber Security team to ensure appropriate controls are applied.