Why we need Information Security Classifications

28 July 2021

Information Security Classifications categorise any information, files, data, etc. based on confidentiality needs. Information Security Classifications determine the controls that should be applied to information – this includes restrictions on audience and sharing and technical controls such as encryption. 

At UQ, we have five classifications, which you should consider during the ‘create, capture, and classify’ stage of the information lifecycle:

  • UNOFFICIAL: information that is not related to UQ, and is of a personal nature (e.g. dinner plans). 
  • OFFICIAL – PUBLIC: UQ information that is available to the public or community. This includes the academic calendar, course profiles, marketing and published materials.
  • OFFICIAL – INTERNAL: UQ information that only needs to be visible to UQ consumers but would cause little or no harm if exposed. This type of information requires authentication to access (i.e. is only available to those with a University login). This includes the team leave calendar, employee numbers and positions.
  • SENSITIVE: information related to UQ, its students, and employees, that would cause harm if released publicly (e.g. tax file and bank account numbers, exam material). This is the default classification for research data; however, this can vary based on the information and its level of confidentiality.
  • PROTECTED: information related to UQ, its students, and employees that would cause serious harm if released publicly. It should only be accessed based on very strict need (e.g. health records, commercially significant research results).  

The Data Strategy and Governance website provides examples of types of information which fall under each classification. 

Applying Information Security Classifications with Office 365 Sensitivity Labels

Office 365 Sensitivity Labels will be rolled out to all UQ staff in September 2021, allowing you to easily add an Information Security Classification (and its associated protections) to your emails and Office 365 documents. To use Office 365 Sensitivity Labels properly, it’s important to understand which Information Security Classifications UQ has and when they should be applied. Find out more on data.uq.edu.au.