Information Classification Levels Schedule 1
Section 1 - Information Classification Levels Schedule 1
Security Classification
Management Classifications – Governance
Management Classifications – Retention
Management Classifications – Privacy
Management Classifications – Legal Privilege
Management Classifications – Information Domain
View Document
This is the current version of this document. You can provide feedback on this policy document by navigating to the Feedback tab.
Classification
Definition
Operational Impact
Refer to Risk Management tools to determine the impact.
Examples
Level 0 – Public
Lowest level of confidentiality
Information which has been authorised by the Information Trustee for public access and circulation
Unauthorised disclosure causes minor or negligible impact to RMIT
• Course outline published via RMIT website
• Publicly available campus brochures and campus maps
• Financial statements, published via annual report
• Press releases
• Advertised job postings
• Academic Staff Profiles published via RMIT website
Level 1 - Trusted
Standard level of confidentiality
Information that is intended to be used internally in the day-to-day operations within RMIT Group .
The Information Custodian and intended recipients understand the information handling context and risks.
Unauthorised disclosure may result in moderate or minor impact to RMIT such as:
• Minor financial harm
• Minor harmful reputational damage
• Minor regulatory penalties or loss of key licenses and/or funding
• Minor interruption of critical operational system/processes
• Minor impact to research activity
• Minor risks to the safety or wellbeing of individuals
• Project delivery artefacts
• Course administration records
• Campus ventilation maps
• Work in progress financial statements, not finalised
• Proposed press releases, pending approvals
• Previously advertised job postings, closed for applicants
• Staff profiles, published for internal use
• Staff newsletters
• Day-to-day email correspondence
Level 2 – Protected
Increased level of confidentiality
Information that has an increased level of confidentiality and intended to be used by authorised individuals for an authorised purpose on a need-to-know basis.
This security level provides an additional security mechanism to limit information proliferation. The intended recipient must seek Information Custodian approval before sharing or disclosing the information.
Unauthorised disclosure may result in severe or major impact to RMIT such as:
• Major financial harm
• Major harmful reputational damage
• Major regulatory penalties or loss of key licenses and/or funding
• Major interruption of critical operational system/processes
• Major impact to research activity
• Major risks to the safety or wellbeing of individuals
• University Policy, during targeted consultation
• Project Business Cases, during approval process
• HR cases, via People Connect
• Records from procurement activities being executed via approved procurement plans
• Unreleased student results
• Staff salaries and bank details
• Third party information, protected by contractual agreements (e,g, NDA)
• Commercially sensitive information
Level 3 – Restricted
Highest level of confidentiality
Information that has the highest level of confidentiality and intended to be used by a small, limited number of authorised individuals on a need-to-know basis.
The intended recipient must obtain Information Trustee authorisation prior to handling, sharing, and disclosing information.
Unauthorised disclosure may result in extreme or severe impact to RMIT such as:
• Severe financial harm
• Significant harmful reputational damage
• Extreme regulatory penalties or loss of key licenses and/or funding
• Significant interruption of critical operational system/processes
• Significant impact to research activity
• Severe risks to the safety or wellbeing of individuals
• Student grievances
• Confidential out-of-court settlements
• Campus Security, CCTV records
• Restricted information under advice by Chancellery, Council or University Governance forums.
Classification
Definition
Examples
Institutional Data
Information or data governed by the Information Governance Policy.
• Course outline published via RMIT website
• Publicly available campus brochures and campus maps
• Theses submitted to RMIT by HDR candidates as part of HDR Submission and Examination Procedure
• Published research submitted to RMIT by researchers as part of the Dissemination of Research Outputs Procedure
Research Data
Information or data governed by the Research Policy.
• Publicly available campus brochures and campus numerical, descriptive or visual record of an experiment
• Primary materials such as assays, test results, transcripts, laboratory and field notes, visual diaries, journals, audio and visual recordings, oral history sound files, performance recordings, archival data and metadata, websites, photographs and images
• Analysed test-results, field notes and recordings
• Peer-reviewed academic articles
Unofficial Information
Information or data unrelated to RMIT work duties or functions, allowable under the Information Technology - Acceptable Use Standard and the Information Technology and Security Policy.
• Images of family holidays and pets
• Personal email
Classification
Definition
Examples
Relevant for Retention & disposals controls
Master information or data outlined in the RMIT Retention of Disposal Authority (RDA), Section 5 of the RMIT Retention and Disposal Standard, which must be retained due to obligations within the Public Records Act 1973 (Vic).
• Records of actions taken to address child sexual abuse that has occurred or is alleged to have occurred.
• Summary record of grant applications
• Records relating to the borrowing of money by RMIT
• Enterprise bargaining and workplace agreements / awards
• Environmental monitoring of hazardous substances listed in relevant Occupational Health and Safety legislation.
• Research data which is classed in Section 5 of the RMIT Retention and Disposal Standard
Irrelevant for Retention & disposals controls
Information or data that does not fall under RMIT Retention of Disposal Authority (RDA), Section 5 of the RMIT Retention and Disposal Standard including Information or data that may be deleted under NAP principles.
• RMIT store stock inventory
• Copies of records
• Drafts and transitory documents, where the content is reproduced elsewhere, and the information will not be needed to show how the work has progressed or actions approved
Classification
Definition
Examples
Contains Personally Identifiable Information (PII)
Information and data subject to the Privacy Policy and/or contains Personally Identifiable Information (PII).
• Tax-file number
• Medicare number
• Student complaints and grievances
Does NOT contain Personally Identifiable Information (PII)
Information and data not subject to the Privacy Policy.
• Project delivery artefacts
• Previously advertised job postings, closed for applicants
Classification
Definition
Examples
Legally privileged information
Information and data subject to legal privilege.
• Advice provided to RMIT Group by a lawyer
Information that is NOT legally privileged
Information and data not subject to legal privilege
• College of Business and Law course materials
Classification
Definition
Examples
Person
Data and information relating to an individual and their identity, typically defining who they are in relation to the RMIT Group. Refer to the RMIT Information Domain Register for more details.
• A record of a person including first name, surname and date of birth
Internal Organisation
Data and information relating to a subset of the RMIT Group, typically representation an organisation of capabilities that enable the achievement of RMIT Group goals. Refer to the RMIT Information Domain Register for more details.
• Data and Information about an academic organisation
External Organisation
Data and information relating to an external entity, not identified as a person or as part of RMIT Group, that has a relationship with RMIT University. Refer to the RMIT Information Domain Register for more details.
• Information on RMIT education delivery partners
• Data and information on regulatory bodies
Supplies, vendors, partners
Location
Master data representing RMIT Group places and spaces. Refer to the RMIT Information Domain Register for more details.
• Room numbers
• Campus identifies
Curriculum
Data and information relating to courses, programs, training packages, modules and their units across the RMIT Group. Refer to the RMIT Information Domain Register for more details.
• Master record of accredited or approved courses, programs, training packages, modules and their units
• Information on course proposals and curriculum content which are not approved or did not proceed to approval stage.
Learning & Teaching
Data and information relating to the delivery and provision of courses, programs, training packages, modules and their units across the RMIT Group. Refer to the RMIT Information Domain Register for more details.
• Class lists and attendance registers.
• Assessment results
• Course delivery materials
Student Management
Data and information relating to student administration across the RMIT Group. Refer to the RMIT Information Domain Register for more details.
• Data and information about student enrolment, re-enrolment, student transfers, credit transfer, recognition of prior learning, deferment, exemptions, withdrawals, leave of absence
Research Management
Data and information relating to the administration and management of research activities of the RMIT Group. Refer to the RMIT Information Domain Register for more details.
• Data on funding details, citations of outputs and publications related to the research
• Joint venture agreements, memorandums of understanding.
Finance
Data and information relating to financial management across RMIT Group. Refer to the RMIT Information Domain Register for more details.
• Annual financial statements and associated background documentation
• Procurement records
Human Resources (HR)
Data and information relating to RMIT Group staff, including recruitment, staffing, training, development, performance appraisals, salary administration, misconduct and termination. Refer to the RMIT Information Domain Register for more details.
• Staff records
• Position descriptions
Assets & Facilities
Data and information relating to the security, maintenance and development of RMIT Group property, land and assets. Refer to the RMIT Information Domain Register for more details.
• Information about removal, storage and disposal of hazardous materials and waste
• Data about hire or bookings of RMIT buildings, gardens, equipment, vehicles or other infrastructure.
• Surveillance camera footage
Advancement
Data and information relating to RMIT Group alumni, donor relations and gifts. Refer to the RMIT Information Domain Register for more details.
• Donor transactions
Marketing & Communications
Data and information relating to marketing and communications of the RMIT Group. Refer to the RMIT Information Domain Register for more details.
• Marketing campaigns
• Staff newsletters
• Social media posts
Planning & Performance
Data and information relating to projects and performance of the RMIT Group. Refer to the RMIT Information Domain Register for more details.
• Summary documentation of projects
• Data and Information on project registers
Service & Operations
Data and information relating to the service activities across the RMIT Group. Refer to the RMIT Information Domain Register for more details.
• Student Services activities
• Operation service catalogue
Governance
Data and information relating to the policies, risks and incidents across the RMIT Group. Refer to the RMIT Information Domain Register for more details.
• Riskware data
Legal & Compliance
Data and information relating to the contracts, agreements and legal activities across the RMIT Group. Refer to the RMIT Information Domain Register for more details.
• Summary records for all contracts managed by the University. Includes contract registers and systems
Library & Collections
Data and information relating to the collection and preservation of long-term records and artefacts across the RMIT Group. Refer to the RMIT Information Domain Register for more details.
• Information on the preservation, protection, maintenance, restoration and enhancement of information resources and artefacts
• Master set of commissioned photographs and moving images on RMIT Group activities
• Destruction of Information templates
Group
Data and information relating to RMIT Group communities. Refer to the RMIT Information Domain Register for more details.
• Data about student clubs