What are information security classifications?

Information security classifications categorise UQ information based on confidentiality. These classifications are designed to ensure that UQ information is only accessible to authorised individuals and they are used to inform UQ's information management practices and controls. For more information, read the Information Security Classification Procedure.

If you create or capture UQ information, you are responsible for classifying that information based on the information security classification table below. Staff can apply these classifications to Microsoft 365 documents and emails using the sensitivity labels function.

UQ information must also be managed throughout its lifecycle in accordance with its security classification – view the Data Handling Procedure for a breakdown of requirements at each stage. 

You can also take the Data governance and management essentials training for guidance on how to manage information more securely and effectively. 

Top of page

UQ information security classifications

If you are classifying a collection of information, classify based on the highest (most confidential) classification level of information within the collection.

If you are unsure which security classification applies to information, email the Data Strategy and Governance team for guidance.
 

ClassificationDescriptionExample data types
UNOFFICIALInformation that is unrelated to UQ study or work. 
  • Personal holiday itinerary 
  • Email for personal dinner reservation
PUBLIC

Information that if lost, or accessed or disclosed without authorisation, either accidentally or due to malicious activity (data breach) would have an insignificant impact. 

The information is authorised for public access, however it may not be made available to the public.

  • University strategy 
  • Policies and procedures
  • Published course outline 
  • Academic calendar
  • Published research data 
  • UQ staff contact information (name, UQ email, UQ phone)
OFFICIAL

Information that if subject to a data breach, would be unlikely to cause harm to UQ, another organisation or an individual if released publicly. 

The information has a restricted audience, and access must only be authorised based on academic, research or business need (e.g. specific teams).

  • UQ student contact information (name, UQ email, UQ phone) 
  • Organisational unit processes and procedures 
  • Administrative documents (e.g. organisational structure, team leave calendar)
  • Design templates 
SENSITIVE

Information that if subject to a data breach, could reasonably be expected to cause harm to UQ, another organisation or an individual if released publicly. 

The information has a restricted audience, and access must only be authorised based on strict academic, research or business need (e.g. specific individuals or groups).

  • Personal information of staff, students and others (e.g. Tax File Numbers, passport details, address, date of birth, bank account details, personal email address, phone number) 
  • Organisational financial or project data (e.g. budgets, business cases) 
  • Exam material
  • Exam results 
  • Unpublished research data
PROTECTED

Information that if subject to a data breach, could reasonably be expected to cause serious harm to UQ, another organisation or an individual if released publicly. 

The information has a restricted audience, and access must only be authorised based on very strict academic, research or business need (e.g. only the individuals required).

  • Medical data 
  • Personal information regarding persons under the age of 18 
  • Credit card data 
  • Commercially significant research results 
  • National security information
  • Work cover forms

 

Top of page

Sensitivity labels

UQ staff can classify Microsoft 365 documents and emails using sensitivity labels. The sensitivity labels are assigned to a Microsoft 365 document or email to indicate its information security classification. 

In addition to labelling your documents and emails, the SENSITIVE and PROTECTED labels also automatically apply security controls to protect the information further (e.g. encryption, restrictions on access). 

Visit the Sensitivity labels page to learn how to assign labels and understand the controls that are applied to each label. 

Top of page

More information and resources

Top of page