Information security classifications
What are information security classifications?
Note: Privacy legislation defines a category of ‘sensitive’ personal information which has associated consent requirements. This consent requirement is not related to information security classifications and is not an indicator of confidentiality.
Information defined as ‘sensitive’ for the purposes of privacy consent management may have a security classification of Sensitive or Protected, depending on the confidentiality and risks associated with a breach.
UQ’s sensitivity labels are related to the information security classification, and not privacy consent requirements.
Information security classifications categorise UQ information based on confidentiality. These classifications are designed to ensure that UQ information is only accessible to authorised individuals, and they are used to inform UQ's information management practices and controls. For more information, read the Information Security Classification Procedure.
If you create or capture UQ information, you are responsible for classifying that information based on the information security classification table below. Staff can apply these classifications to Microsoft 365 documents and emails using the sensitivity labels function.
UQ information must also be managed throughout its lifecycle in accordance with its security classification – view the Data Handling Procedure for a breakdown of requirements at each stage.
You can also take the Data governance and management essentials training for guidance on how to manage information more securely and effectively.
UQ information security classifications
If you are classifying a collection of information, classify based on the highest (most confidential) classification level of information within the collection.
If you are unsure which security classification applies to information, email the Data Strategy and Governance team for guidance.
Classification | Description | Examples | Examples - personal information |
---|---|---|---|
UNOFFICIAL | Information that is unrelated to UQ study or work. | Reference information downloaded from external sources. | |
PUBLIC | Information that, if lost, or accessed or disclosed without authorisation, either accidentally or due to malicious activity (data breach), would have an insignificant impact. The information is authorised for public access; however, it may not be made available to the public. | | UQ staff contact information (name, UQ email, UQ phone) |
OFFICIAL | Information that, if subject to a data breach, would be unlikely to cause harm to UQ, another organisation or an individual if released publicly. The information has a restricted audience, and access must only be authorised based on academic, research or business need (e.g. specific teams). | | UQ student contact information (name, UQ email, UQ phone) |
SENSITIVE | Information that, if subject to a data breach, could reasonably be expected to cause harm to UQ, another organisation or an individual if released publicly. The information has a restricted audience, and access must only be authorised based on strict academic, research or business need (e.g. specific individuals or groups). | | |
PROTECTED | Information that, if subject to a data breach, could reasonably be expected to cause serious harm to UQ, another organisation or an individual if released publicly. The information has a restricted audience, and access must only be authorised based on very strict academic, research or business need (e.g. only the individuals required). | | |
Sensitivity labels
UQ staff can classify Microsoft 365 documents and emails using sensitivity labels. The sensitivity labels are assigned to a Microsoft 365 document or email to indicate its information security classification.
In addition to labelling your documents and emails, the SENSITIVE and PROTECTED labels automatically apply security controls to further protect the information (e.g. encryption, restrictions on access).
Visit the Sensitivity labels page to learn how to assign labels and understand the controls that are applied to each label.
More information and resources
- Refer to the Information Security Classification Procedure and Data Handling Procedure for more information.
- View our guide on file storage for more information on what storage solutions are appropriate for different information security classifications.
- Visit the Sensitivity labels page and view our guidance on applying sensitivity labels.
- View the information security classification decision tree for guidance on which classification applies.