Information Classification Levels Schedule 1
Source: https://policies.rmit.edu.au/document/view.php?id=301 Parent: https://policies.rmit.edu.au/browse.php
View Document
- Current Version
- Status and Details
- Associated Information
- Historic Versions
- Future Versions
- Feedback
Information Classification Levels Schedule 1
- Section 1 - Information Classification Levels Schedule 1
- Security Classification
- Management Classifications – Governance
- Management Classifications – Retention
- Management Classifications – Privacy
- Management Classifications – Legal Privilege
- Management Classifications – Information Domain
This is the current version of this document. You can provide feedback on this policy document by navigating to the Feedback tab.
Section 1 - Information Classification Levels Schedule 1
Security Classification
| Classification | Definition | Operational Impact Refer to Risk Management tools to determine the impact. | Examples |
|---|---|---|---|
| Level 0 – Public Lowest level of confidentiality | Information which has been authorised by the Information Trustee for public access and circulation | Unauthorised disclosure causes minor or negligible impact to RMIT | • Course outline published via RMIT website • Publicly available campus brochures and campus maps • Financial statements, published via annual report • Press releases • Advertised job postings • Academic Staff Profiles published via RMIT website |
| Level 1 - Trusted Standard level of confidentiality | Information that is intended to be used internally in the day-to-day operations within RMIT Group. The Information Custodian and intended recipients understand the information handling context and risks. | Unauthorised disclosure may result in moderate or minor impact to RMIT such as: • Minor financial harm • Minor harmful reputational damage • Minor regulatory penalties or loss of key licenses and/or funding • Minor interruption of critical operational system/processes • Minor impact to research activity • Minor risks to the safety or wellbeing of individuals | • Project delivery artefacts • Course administration records • Campus ventilation maps • Work in progress financial statements, not finalised • Proposed press releases, pending approvals • Previously advertised job postings, closed for applicants • Staff profiles, published for internal use • Staff newsletters • Day-to-day email correspondence |
| Level 2 – Protected Increased level of confidentiality | Information that has an increased level of confidentiality and intended to be used by authorised individuals for an authorised purpose on a need-to-know basis. This security level provides an additional security mechanism to limit information proliferation. The intended recipient must seek Information Custodian approval before sharing or disclosing the information. | Unauthorised disclosure may result in severe or major impact to RMIT such as: • Major financial harm • Major harmful reputational damage • Major regulatory penalties or loss of key licenses and/or funding • Major interruption of critical operational system/processes • Major impact to research activity • Major risks to the safety or wellbeing of individuals | • University Policy, during targeted consultation • Project Business Cases, during approval process • HR cases, via People Connect • Records from procurement activities being executed via approved procurement plans • Unreleased student results • Staff salaries and bank details • Third party information, protected by contractual agreements (e,g, NDA) • Commercially sensitive information |
| Level 3 – Restricted Highest level of confidentiality | Information that has the highest level of confidentiality and intended to be used by a small, limited number of authorised individuals on a need-to-know basis. The intended recipient must obtain Information Trustee authorisation prior to handling, sharing, and disclosing information. | Unauthorised disclosure may result in extreme or severe impact to RMIT such as: • Severe financial harm • Significant harmful reputational damage • Extreme regulatory penalties or loss of key licenses and/or funding • Significant interruption of critical operational system/processes • Significant impact to research activity • Severe risks to the safety or wellbeing of individuals | • Student grievances • Confidential out-of-court settlements • Campus Security, CCTV records • Restricted information under advice by Chancellery, Council or University Governance forums. |
Management Classifications – Governance
| Classification | Definition | Examples |
|---|---|---|
| Institutional Data | Information or data governed by the [Information Governance Policy](https://policies.rmit.edu.au/document/view.php?id=53). | • Course outline published via RMIT website • Publicly available campus brochures and campus maps • Theses submitted to RMIT by HDR candidates as part of HDR Submission and Examination Procedure • Published research submitted to RMIT by researchers as part of the Dissemination of Research Outputs Procedure |
| Research Data | Information or data governed by the [Research Policy](https://policies.rmit.edu.au/document/view.php?id=28). | • Publicly available campus brochures and campus numerical, descriptive or visual record of an experiment • Primary materials such as assays, test results, transcripts, laboratory and field notes, visual diaries, journals, audio and visual recordings, oral history sound files, performance recordings, archival data and metadata, websites, photographs and images • Analysed test-results, field notes and recordings • Peer-reviewed academic articles |
| Unofficial Information | Information or data unrelated to RMIT work duties or functions, allowable under the Information Technology - Acceptable Use Standard and the Information Technology and Security Policy. | • Images of family holidays and pets • Personal email |
Management Classifications – Retention
| Classification | Definition | Examples |
|---|---|---|
| Relevant for Retention & disposals controls | Master information or data outlined in the RMIT Retention of Disposal Authority (RDA), Section 5 of the RMIT Retention and Disposal Standard, which must be retained due to obligations within the Public Records Act 1973 (Vic). | • Records of actions taken to address child sexual abuse that has occurred or is alleged to have occurred. • Summary record of grant applications • Records relating to the borrowing of money by RMIT • Enterprise bargaining and workplace agreements / awards • Environmental monitoring of hazardous substances listed in relevant Occupational Health and Safety legislation. • Research data which is classed in Section 5 of the RMIT Retention and Disposal Standard |
| Irrelevant for Retention & disposals controls | Information or data that does not fall under RMIT Retention of Disposal Authority (RDA), Section 5 of the RMIT Retention and Disposal Standard including Information or data that may be deleted under NAP principles. | • RMIT store stock inventory • Copies of records • Drafts and transitory documents, where the content is reproduced elsewhere, and the information will not be needed to show how the work has progressed or actions approved |
Management Classifications – Privacy
| Classification | Definition | Examples |
|---|---|---|
| Contains Personally Identifiable Information (PII) | Information and data subject to the Privacy Policy and/or contains Personally Identifiable Information (PII). | • Tax-file number • Medicare number • Student complaints and grievances |
| Does NOT contain Personally Identifiable Information (PII) | Information and data not subject to the Privacy Policy. | • Project delivery artefacts • Previously advertised job postings, closed for applicants |
Management Classifications – Legal Privilege
| Classification | Definition | Examples |
|---|---|---|
| Legally privileged information | Information and data subject to legal privilege. | • Advice provided to RMIT Group by a lawyer |
| Information that is NOT legally privileged | Information and data not subject to legal privilege | • College of Business and Law course materials |
Management Classifications – Information Domain
| Classification | Definition | Examples |
|---|---|---|
| Person | Data and information relating to an individual and their identity, typically defining who they are in relation to the RMIT Group. Refer to the RMIT Information Domain Register for more details. | • A record of a person including first name, surname and date of birth |
| Internal Organisation | Data and information relating to a subset of the RMIT Group, typically representation an organisation of capabilities that enable the achievement of RMIT Group goals. Refer to the RMIT Information Domain Register for more details. | • Data and Information about an academic organisation |
| External Organisation | Data and information relating to an external entity, not identified as a person or as part of RMIT Group, that has a relationship with RMIT University. Refer to the RMIT Information Domain Register for more details. | • Information on RMIT education delivery partners • Data and information on regulatory bodies Supplies, vendors, partners |
| Location | Master data representing RMIT Group places and spaces. Refer to the RMIT Information Domain Register for more details. | • Room numbers • Campus identifies |
| Curriculum | Data and information relating to courses, programs, training packages, modules and their units across the RMIT Group. Refer to the RMIT Information Domain Register for more details. | • Master record of accredited or approved courses, programs, training packages, modules and their units • Information on course proposals and curriculum content which are not approved or did not proceed to approval stage. |
| Learning & Teaching | Data and information relating to the delivery and provision of courses, programs, training packages, modules and their units across the RMIT Group. Refer to the RMIT Information Domain Register for more details. | • Class lists and attendance registers. • Assessment results • Course delivery materials |
| Student Management | Data and information relating to student administration across the RMIT Group. Refer to the RMIT Information Domain Register for more details. | • Data and information about student enrolment, re-enrolment, student transfers, credit transfer, recognition of prior learning, deferment, exemptions, withdrawals, leave of absence |
| Research Management | Data and information relating to the administration and management of research activities of the RMIT Group. Refer to the RMIT Information Domain Register for more details. | • Data on funding details, citations of outputs and publications related to the research • Joint venture agreements, memorandums of understanding. |
| Finance | Data and information relating to financial management across RMIT Group. Refer to the RMIT Information Domain Register for more details. | • Annual financial statements and associated background documentation • Procurement records |
| Human Resources (HR) | Data and information relating to RMIT Group staff, including recruitment, staffing, training, development, performance appraisals, salary administration, misconduct and termination. Refer to the RMIT Information Domain Register for more details. | • Staff records • Position descriptions |
| Assets & Facilities | Data and information relating to the security, maintenance and development of RMIT Group property, land and assets. Refer to the RMIT Information Domain Register for more details. | • Information about removal, storage and disposal of hazardous materials and waste • Data about hire or bookings of RMIT buildings, gardens, equipment, vehicles or other infrastructure. • Surveillance camera footage |
| Advancement | Data and information relating to RMIT Group alumni, donor relations and gifts. Refer to the RMIT Information Domain Register for more details. | • Donor transactions |
| Marketing & Communications | Data and information relating to marketing and communications of the RMIT Group. Refer to the RMIT Information Domain Register for more details. | • Marketing campaigns • Staff newsletters • Social media posts |
| Planning & Performance | Data and information relating to projects and performance of the RMIT Group. Refer to the RMIT Information Domain Register for more details. | • Summary documentation of projects • Data and Information on project registers |
| Service & Operations | Data and information relating to the service activities across the RMIT Group. Refer to the RMIT Information Domain Register for more details. | • Student Services activities • Operation service catalogue |
| Governance | Data and information relating to the policies, risks and incidents across the RMIT Group. Refer to the RMIT Information Domain Register for more details. | • Riskware data |
| Legal & Compliance | Data and information relating to the contracts, agreements and legal activities across the RMIT Group. Refer to the RMIT Information Domain Register for more details. | • Summary records for all contracts managed by the University. Includes contract registers and systems |
| Library & Collections | Data and information relating to the collection and preservation of long-term records and artefacts across the RMIT Group. Refer to the RMIT Information Domain Register for more details. | • Information on the preservation, protection, maintenance, restoration and enhancement of information resources and artefacts • Master set of commissioned photographs and moving images on RMIT Group activities • Destruction of Information templates |
| Group | Data and information relating to RMIT Group communities. Refer to the RMIT Information Domain Register for more details. | • Data about student clubs |