What are information security classifications?

Information security classifications are designed to categorise UQ’s information assets (physical or digital) based on their confidentiality, availability and integrity needs. A holistic, risk-based approach will consider the impact a compromise to the information asset might have on the University’s broader profile.

All data and information at UQ must have an information security classification applied.  

See which information security classification to apply

Information Security Classifications are typically applied during the ‘create, capture and classify’ stage of the information lifecycle.

At UQ, the following information security classifications exist: 

Classification: OFFICIAL - PUBLIC
Description: Information that if breached owing to accidental or malicious activity would have an insignificant impact. The information is authorised for public access, however it may not be made available in the public domain.
Example data types: University strategy; published course outlines; academic calendar; published research data.

Classification: OFFICIAL - INTERNAL
Description: Information that if breached owing to accidental or malicious activity would be unlikely to cause harm to UQ, another organisation or an individual if released publicly. The information has a restricted audience, and access must only be authorised based on academic, research or business need.
Example data types: Identity information of staff members or students (e.g. employee number or position title); internal correspondence; business unit process and procedure; team leave calendar.

Classification: SENSITIVE
Description: Information that if breached owing to accidental or malicious activity could reasonably be expected to cause harm to UQ, another organisation or an individual if released publicly. The information has a restricted audience, and access must only be authorised based on strict academic, research or business need.
Example data types: Student and staff human resources data (e.g. Tax File Numbers, passport details, bank account details); organisational financial data; exam material; exam results; unpublished research data.

Classification: PROTECTED
Description: Information that if breached owing to accidental or malicious activity could reasonably be expected to cause serious harm to UQ, another organisation or an individual if released publicly. The information has a restricted audience, and access must only be authorised based on very strict academic, research or business need.
Example data types: Health records; personal data regarding persons under the age of 18; credit card data; commercially significant research results.

The way information is then handled, shared, protected and treated is dependent upon its information security classification. 

Why are information security classifications important?

Information security classifications inform the implementation of appropriate security and other mechanisms to prevent the information from being leaked, manipulated or becoming unavailable.

Which information security classification should you apply?

Follow the decision tree to determine which information security classification you should apply: 

Information security classification decision tree (PDF, 81.8 KB)

Information security classifications in Office 365

UQ is in the process of rolling out Sensitivity Labels in Office 365.

Office 365 Sensitivity Labels are persistent labels assigned to an Office 365 document or email that indicate its information security classification. Additional controls to protect the information (e.g. encryption, restriction on access/sharing) are also applied to some labels.

This will help protect information and enable better clarity over the confidentiality of documents.

Learn more about Office 365 Sensitivity Labels at UQ
