Information security classifications

What are information security classifications?

Note: Privacy legislation defines a category of ‘sensitive’ personal information which has associated consent requirements. This consent requirement is not related to information security classifications and is not an indicator of the confidentiality.

Information defined as ‘sensitive’ for the purposes of privacy consent management, may have a security classification of Sensitive or Protected, depending on the confidentiality and risks associated with a breach.

UQ’s sensitivity labels are related to the information security classification, and not privacy consent requirements.

Information security classifications categorise UQ information based on confidentiality. These classifications are designed to ensure that UQ information is only accessible to authorised individuals and they are used to inform UQ's information management practices and controls. For more information, read the Information Security Classification Procedure.

If you create or capture UQ information, you are responsible for classifying that information based on the information security classification table below. Staff can apply these classifications to Microsoft 365 documents and emails using the sensitivity labels function.

UQ information must also be managed throughout its lifecycle in accordance with its security classification – view the Data Handling Procedure for a breakdown of requirements at each stage.

You can also take the Data governance and management essentials training for guidance on how to manage information more securely and effectively.

Top of page

UQ information security classifications

If you are classifying a collection of information, classify based on the highest (most confidential) classification level of information within the collection.

If you are unsure which security classification applies to information, email the Data Strategy and Governance team for guidance.

Classification	Description	Examples	Examples - personal information
UNOFFICIAL	Information that is unrelated to UQ study or work.	Reference information downloaded from external sources.	Personal holiday itinerary Email for personal dinner reservation
PUBLIC	Information that if lost, or accessed or disclosed without authorisation, either accidentally or due to malicious activity (data breach) would have an insignificant impact. The information is authorised for public access, however it may not be made available to the public.	University strategy Policies and procedures Published course outline Academic calendar Published research data	UQ staff contact information (name, UQ email, UQ phone)
OFFICIAL	Information that if subject to a data breach, would be unlikely to cause harm to UQ, another organisation or an individual if released publicly. The information has a restricted audience, and access must only be authorised based on academic, research or business need (e.g. specific teams).	Organisational unit processes and procedures Administrative documents (e.g. organisational structure, team leave calendar) Design templates	UQ student contact information (name, UQ email, UQ phone)
SENSITIVE	Information that if subject to a data breach, could reasonably be expected to cause harm to UQ, another organisation or an individual if released publicly. The information has a restricted audience, and access must only be authorised based on strict academic, research or business need (e.g. specific individuals or groups).	Organisational financial or project data (e.g. budgets, business cases) Exam material Exam results Unpublished research data	Core operational personal information of staff, students and others that doesn’t meet PROTECTED criteria – e.g. address, date of birth, enrolment, bank account details, phone number, assessment submissions Human research data that doesn’t meet PROTECTED criteria An individual’s political opinions or philosophical beliefs An individual’s membership of a political association, trade union, trade association
PROTECTED	Information that if subject to a data breach, could reasonably be expected to cause serious harm to UQ, another organisation or an individual if released publicly. The information has a restricted audience, and access must only be authorised based on very strict academic, research or business need (e.g. only the individuals required).	Credit card data Commercially significant research results National security information	An individual’s health, genetic and biometric data Personal information regarding children and other vulnerable persons Criminal history Sexual orientation or practices Racial or ethnic origin Religious beliefs or affiliations

Top of page

Sensitivity labels

UQ staff can classify Microsoft 365 documents and emails using sensitivity labels. The sensitivity labels are assigned to a Microsoft 365 document or email to indicate its information security classification.

In addition to labelling your documents and emails, the SENSITIVE and PROTECTED labels also automatically apply security controls to protect the information further (e.g. encryption, restrictions on access).

Visit the Sensitivity labels page to learn how to assign labels and understand the controls that are applied to each label.

Top of page

More information and resources

Refer to the Information Security Classification Procedure and Data Handling Procedure for more information.
View our guide on file storage for more information on what storage solutions are appropriate for different information security classifications.
Visit the Sensitivity labels page and view our guidance on applying sensitivity labels.
View the information security classification decision tree for guidance on which classification applies.

Top of page