Information security classifications
What are information security classifications?
Information security classifications categorise UQ information based on confidentiality. These classifications are designed to ensure that UQ information is only accessible to authorised individuals and they are used to inform UQ's information management practices and controls. For more information, read the Information Security Classification Procedure.
If you create or capture UQ information, you are responsible for classifying that information based on the information security classification table below. Staff can apply these classifications to Microsoft 365 documents and emails using the sensitivity labels function.
UQ information must also be managed throughout its lifecycle in accordance with its security classification – view the Data Handling Procedure for a breakdown of requirements at each stage.
You can also take the Data governance and management essentials training for guidance on how to manage information more securely and effectively.
UQ information security classifications
If you are classifying a collection of information, classify based on the highest (most confidential) classification level of information within the collection.
If you are unsure which security classification applies to information, email the Data Strategy and Governance team for guidance.
| Classification | Description | Example data types |
|---|---|---|
| UNOFFICIAL | Information that is unrelated to UQ study or work. |
|
| PUBLIC | Information that if lost, or accessed or disclosed without authorisation, either accidentally or due to malicious activity (data breach) would have an insignificant impact. The information is authorised for public access, however it may not be made available to the public. |
|
| OFFICIAL | Information that if subject to a data breach, would be unlikely to cause harm to UQ, another organisation or an individual if released publicly. The information has a restricted audience, and access must only be authorised based on academic, research or business need (e.g. specific teams). |
|
| SENSITIVE | Information that if subject to a data breach, could reasonably be expected to cause harm to UQ, another organisation or an individual if released publicly. The information has a restricted audience, and access must only be authorised based on strict academic, research or business need (e.g. specific individuals or groups). |
|
| PROTECTED | Information that if subject to a data breach, could reasonably be expected to cause serious harm to UQ, another organisation or an individual if released publicly. The information has a restricted audience, and access must only be authorised based on very strict academic, research or business need (e.g. only the individuals required). |
|
Sensitivity labels
UQ staff can classify Microsoft 365 documents and emails using sensitivity labels. The sensitivity labels are assigned to a Microsoft 365 document or email to indicate its information security classification.
In addition to labelling your documents and emails, the SENSITIVE and PROTECTED labels also automatically apply security controls to protect the information further (e.g. encryption, restrictions on access).
Visit the Sensitivity labels page to learn how to assign labels and understand the controls that are applied to each label.
More information and resources
- Refer to the Information Security Classification Procedure and Data Handling Procedure for more information.
- View our guide on file storage for more information on what storage solutions are appropriate for different information security classifications.
- Visit the Sensitivity labels page and view our guidance on applying sensitivity labels.
- View the information security classification decision tree for guidance on which classification applies.