Information Classification Levels Schedule 1

This is the current version of this document.

Section 1 - Information Classification Levels Schedule 1

Security Classification

Classification
Definition
Operational Impact (refer to Risk Management tools to determine the impact)
Examples
Level 0 – Public
Lowest level of confidentiality
Definition:
Information which has been authorised by the Information Trustee for public access and circulation
Operational Impact:
Unauthorised disclosure causes minor or negligible impact to RMIT
Examples:
•    Course outline published via RMIT website
•    Publicly available campus brochures and campus maps
•    Financial statements, published via annual report
•    Press releases
•    Advertised job postings
•    Academic Staff Profiles published via RMIT website

Level 1 – Trusted
Standard level of confidentiality
Definition:
Information that is intended to be used internally in the day-to-day operations within RMIT Group.
The Information Custodian and intended recipients understand the information handling context and risks.
Operational Impact:
Unauthorised disclosure may result in moderate or minor impact to RMIT such as:
•    Minor financial harm
•    Minor harmful reputational damage
•    Minor regulatory penalties or loss of key licenses and/or funding
•    Minor interruption of critical operational system/processes
•    Minor impact to research activity
•    Minor risks to the safety or wellbeing of individuals
Examples:
•    Project delivery artefacts
•    Course administration records
•    Campus ventilation maps
•    Work in progress financial statements, not finalised
•    Proposed press releases, pending approvals
•    Previously advertised job postings, closed for applicants
•    Staff profiles, published for internal use
•    Staff newsletters
•    Day-to-day email correspondence

Level 2 – Protected
Increased level of confidentiality
Definition:
Information that has an increased level of confidentiality and is intended to be used by authorised individuals for an authorised purpose on a need-to-know basis.
This security level provides an additional security mechanism to limit information proliferation. The intended recipient must seek Information Custodian approval before sharing or disclosing the information.
Operational Impact:
Unauthorised disclosure may result in severe or major impact to RMIT such as:
•    Major financial harm
•    Major harmful reputational damage
•    Major regulatory penalties or loss of key licenses and/or funding
•    Major interruption of critical operational system/processes
•    Major impact to research activity
•    Major risks to the safety or wellbeing of individuals
Examples:
•    University Policy, during targeted consultation
•    Project Business Cases, during approval process
•    HR cases, via People Connect
•    Records from procurement activities being executed via approved procurement plans
•    Unreleased student results
•    Staff salaries and bank details
•    Third party information, protected by contractual agreements (e.g. NDA)
•    Commercially sensitive information

Level 3 – Restricted
Highest level of confidentiality
Definition:
Information that has the highest level of confidentiality and is intended to be used by a small, limited number of authorised individuals on a need-to-know basis.
The intended recipient must obtain Information Trustee authorisation prior to handling, sharing, and disclosing information.
Operational Impact:
Unauthorised disclosure may result in extreme or severe impact to RMIT such as:
•    Severe financial harm
•    Significant harmful reputational damage
•    Extreme regulatory penalties or loss of key licenses and/or funding
•    Significant interruption of critical operational system/processes
•    Significant impact to research activity
•    Severe risks to the safety or wellbeing of individuals
Examples:
•    Student grievances
•    Confidential out-of-court settlements
•    Campus Security, CCTV records
•    Restricted information under advice by Chancellery, Council or University Governance forums.

Management Classifications – Governance

Classification
Definition
Examples
Institutional Data 
Information or data governed by the Information Governance Policy
 
  
•    Course outline published via RMIT website 
•    Publicly available campus brochures and campus maps 
•    Theses submitted to RMIT by HDR candidates as part of HDR Submission and Examination Procedure
•    Published research submitted to RMIT by researchers as part of the Dissemination of Research Outputs Procedure
Research Data 
Information or data governed by the Research Policy
 
  
•    Publicly available campus brochures and campus numerical, descriptive or visual record of an experiment
•    Primary materials such as assays, test results, transcripts, laboratory and field notes, visual diaries, journals, audio and visual recordings, oral history sound files, performance recordings, archival data and metadata, websites, photographs and images
•    Analysed test-results, field notes and recordings
•    Peer-reviewed academic articles 
 
Unofficial Information 
Information or data unrelated to RMIT work duties or functions, allowable under the Information Technology - Acceptable Use Standard and the Information Technology and Security Policy.
•    Images of family holidays and pets
•    Personal email
 

Management Classifications – Retention

Classification
Definition
Examples
Relevant for Retention & disposals controls
Master information or data outlined in the RMIT Retention of Disposal Authority (RDA), Section 5 of the RMIT Retention and Disposal Standard, which must be retained due to obligations within the Public Records Act 1973 (Vic).
 
•    Records of actions taken to address child sexual abuse that has occurred or is alleged to have occurred.
•    Summary record of grant applications
•    Records relating to the borrowing of money by RMIT
•    Enterprise bargaining and workplace agreements / awards
•    Environmental monitoring of hazardous substances listed in relevant Occupational Health and Safety legislation.
•    Research data which is classed in Section 5 of the RMIT Retention and Disposal Standard
Irrelevant for Retention & disposals controls
Information or data that does not fall under RMIT Retention of Disposal Authority (RDA), Section 5 of the RMIT Retention and Disposal Standard including Information or data that may be deleted under NAP principles.
•    RMIT store stock inventory  
•    Copies of records 
•    Drafts and transitory documents, where the content is reproduced elsewhere, and the information will not be needed to show how the work has progressed or actions approved 

Management Classifications – Privacy

Classification
Definition
Examples
Contains Personally Identifiable Information (PII)
Information and data subject to the Privacy Policy and/or contains Personally Identifiable Information (PII).
 
 
•    Tax-file number 
•    Medicare number
•    Student complaints and grievances 
 
Does NOT contain Personally Identifiable Information (PII)
Information and data not subject to the Privacy Policy.
•    Project delivery artefacts
•    Previously advertised job postings, closed for applicants

Management Classifications – Legal Privilege

Classification
Definition
Examples
Legally privileged information
Information and data subject to legal privilege.
 
•    Advice provided to RMIT Group by a lawyer
Information that is NOT legally privileged
Information and data not subject to legal privilege   
•    College of Business and Law course materials 
 

Management Classifications – Information Domain

Classification
Definition
Examples
Person 
Data and information relating to an individual and their identity, typically defining who they are in relation to the RMIT Group. Refer to the RMIT Information Domain Register for more details. 
•    A record of a person including first name, surname and date of birth 
Internal Organisation  
Data and information relating to a subset of the RMIT Group, typically representing an organisation of capabilities that enable the achievement of RMIT Group goals. Refer to the RMIT Information Domain Register for more details.
•    Data and Information about an academic organisation 
External Organisation 
Data and information relating to an external entity, not identified as a person or as part of RMIT Group, that has a relationship with RMIT University. Refer to the RMIT Information Domain Register for more details. 
•    Information on RMIT education delivery partners 
•    Data and information on regulatory bodies 
•    Suppliers, vendors, partners
Location 
Master data representing RMIT Group places and spaces. Refer to the RMIT Information Domain Register for more details. 
•    Room numbers  
•    Campus identifiers
Curriculum 
Data and information relating to courses, programs, training packages, modules and their units across the RMIT Group. Refer to the RMIT Information Domain Register for more details. 
•    Master record of accredited or approved courses, programs, training packages, modules and their units  
•    Information on course proposals and curriculum content which are not approved or did not proceed to approval stage. 
Learning & Teaching 
Data and information relating to the delivery and provision of courses, programs, training packages, modules and their units across the RMIT Group. Refer to the RMIT Information Domain Register for more details. 
•    Class lists and attendance registers.  
•    Assessment results  
•    Course delivery materials 
Student Management 
Data and information relating to student administration across the RMIT Group. Refer to the RMIT Information Domain Register for more details. 
•    Data and information about student enrolment, re-enrolment, student transfers, credit transfer, recognition of prior learning, deferment, exemptions, withdrawals, leave of absence 
Research Management 
Data and information relating to the administration and management of research activities of the RMIT Group. Refer to the RMIT Information Domain Register for more details. 
•    Data on funding details, citations of outputs and publications related to the research 
•    Joint venture agreements, memorandums of understanding. 
Finance 
Data and information relating to financial management across RMIT Group. Refer to the RMIT Information Domain Register for more details. 
•    Annual financial statements and associated background documentation 
•    Procurement records  
Human Resources (HR) 
Data and information relating to RMIT Group staff, including recruitment, staffing, training, development, performance appraisals, salary administration, misconduct and termination. Refer to the RMIT Information Domain Register for more details.  
•    Staff records 
•    Position descriptions  
Assets & Facilities 
Data and information relating to the security, maintenance and development of RMIT Group property, land and assets. Refer to the RMIT Information Domain Register for more details. 
•    Information about removal, storage and disposal of hazardous materials and waste 
•    Data about hire or bookings of RMIT buildings, gardens, equipment, vehicles or other infrastructure. 
•    Surveillance camera footage 
Advancement 
Data and information relating to RMIT Group alumni, donor relations and gifts. Refer to the RMIT Information Domain Register for more details.  
•    Donor transactions  
Marketing & Communications  
Data and information relating to marketing and communications of the RMIT Group. Refer to the RMIT Information Domain Register for more details. 
•    Marketing campaigns 
•    Staff newsletters  
•    Social media posts  
Planning & Performance 
Data and information relating to projects and performance of the RMIT Group. Refer to the RMIT Information Domain Register for more details. 
•    Summary documentation of projects 
•    Data and Information on project registers 
Service & Operations  
Data and information relating to the service activities across the RMIT Group. Refer to the RMIT Information Domain Register for more details. 
•    Student Services activities  
•    Operation service catalogue  
Governance  
Data and information relating to the policies, risks and incidents across the RMIT Group. Refer to the RMIT Information Domain Register for more details. 
•    Riskware data 
Legal & Compliance 
Data and information relating to the contracts, agreements and legal activities across the RMIT Group. Refer to the RMIT Information Domain Register for more details.
•    Summary records for all contracts managed by the University. Includes contract registers and systems 
Library & Collections 
Data and information relating to the collection and preservation of long-term records and artefacts across the RMIT Group. Refer to the RMIT Information Domain Register for more details. 
•    Information on the preservation, protection, maintenance, restoration and enhancement of information resources and artefacts 
•    Master set of commissioned photographs and moving images on RMIT Group activities 
•    Destruction of Information templates  
Group 
Data and information relating to RMIT Group communities. Refer to the RMIT Information Domain Register for more details. 
•    Data about student clubs