Information Categories and Safe Information Sharing Policy
Information Governance Policy 5 provides guidelines and a categorisation scheme to ensure appropriate security is assigned for all University Information.
The University manages and shares information to support research, teaching, innovation, partnerships, and efficient operations. Recognising data as a vital asset, this policy ensures its protection, regardless of form or sharing method, minimising the risk of loss, unauthorised disclosure, modification or removal of information maintained by the University whilst seeking to maintain the open nature of the organisation.
Policy Owner
IT Services / Information Governance Sub-Committee
Version/review date
Version 1.0: Approved 18 November 2024, Review date 31 November 2029.
Stakeholders
This Policy is relevant to all staff, doctoral researchers, students and external partners who have access to University information.
1. Policy Overview
To meet its research and innovation ambitions, to support meaningful partnerships, and for the efficient, fair, and effective operation of University functions and services, the University manages, handles and shares large volumes of information between staff, between staff, doctoral researchers and students, and between staff, doctoral researchers, students and (external) third parties.
Data and information are a vital asset for the University; they require adequate protection regardless of form (digital or physical) or means by which they are shared. For the purpose of this policy, the terms “information” and “data” are used interchangeably and may refer to both.
This policy aims to balance the open nature of the organisation with minimising the risk of loss, unauthorised disclosure, modification or removal of information maintained by the University. This applies also to the delivery of the University’s Freedom of Information (FOI) responsibilities: each request must be assessed individually, considering the risk, potential harm or public interest for releasing information.
It does so by providing clear guidelines for handling and sharing information, as well as a categorisation scheme for University information to aid decisions about applying the right level of security to information.
2. Policy Audience
This policy applies to all members of staff, doctoral researchers, students and third parties who have access to Loughborough University information and relevant business systems.
3. Scope
This policy covers the sharing of information, categorised at different security levels, and mechanisms used to share such data. It covers all forms of information, whether held and shared in hardcopy or digital format, including routine data sharing activities and specific data sharing requirements. For example:
- Research data shared with colleagues both internal and external to the University (third parties) as part of a collaboration or agreement,
- Information shared with the police in response to a legitimate request (i.e., under the Data Protection Act or Regulation of Investigatory Powers Act (RIPA)),
- Information shared in the event of an emergency; and
- Information sharing as part of automated IT processes.
Compliance with this policy will assist the University to meet its information security requirements as well as its legal obligations in respect of data protection, and in so doing reduce risk to the institution’s information and data assets.
4. Information Categories and Handling Information and Data
This policy sets out the protections that should be applied to the different types of information and data handled within the University. Applying a set of consistent principles will assist in ensuring that information and data is processed securely and help to prevent or minimise the impact of any breaches that occur.
The University’s information and data shall be categorised in terms of their:
- Sensitivity: the potential impact if the information were to be disclosed, altered, or destroyed without authorisation,
- Confidentiality: Who should have access to the information,
- Integrity: the importance of maintaining the accuracy and completeness of the information,
- Availability: the level of criticality for information to be accessible when needed,
- Regulatory Compliance: Any legal or regulatory requirements that apply to the information; and
- Business Impact: the potential impact if the information were compromised.
The categories and their corresponding handling procedures, which ensure proper management and security of information, are outlined below:
Category 1: Public
Available to anyone anywhere in the world regardless of their connection with the University.
Examples
- Already published information (e.g. public University website)
- Prospectuses, newsletters etc.
- Charter, Statutes, Ordinances & Regs
- Most general policies & procedures
- Staff Research interests
- Open Access Research Data
- Job vacancies
- Contact details for public staff roles
Control Measures
- Can be disclosed or drawn to the attention of anyone.
- For most purposes, the format should preserve the integrity of the information (e.g. share in PDF format rather than Word/Excel). However, open access research data will be made available in a readily analysable form (e.g. Excel, .csv, Word or .txt).
- Contact details will be for specific public-facing roles only.
Category 2: Not Sensitive
Information which is not pro-actively published but which is not confidential or sensitive. Can be shared openly amongst staff, students and third parties on request.
Examples
- Some internal procedural/operational documentation
- Some Committee papers/review documents/discussion papers which are not openly published (especially after the elapse of time)
- Statistical reports where there are no competitive issues
- Internal non-confidential research reports.
Control Measures
- May be stored in any formats and systems which are efficient for the user/process concerned.
- If shared, the format should preserve the integrity of the information where appropriate (e.g. Marketing information/official institutional information should be shared in PDF format rather than Word/Excel).
- It would be good practice to seek the consent of the originator before circulating further.
Category 3: Confidential
Unauthorised disclosure would cause a breach of legal responsibilities, financial and/or reputational damage to LU or to the individuals involved.
May be shared internally and externally on a restricted and secure basis.
This category includes most information defined as confidential in Section 27 of the Academic and Academic Related staff Conditions of Service - unless such information falls within the Highly Confidential category below.
Examples
- Personal staff and student data, including disciplinary information, PDR information, and sensitive ‘Special Category’ personal data as defined in the UK GDPR and Data Protection Act (2018) e.g., race and ethnicity data, political opinion, trade union membership, genetic data, religious or philosophical beliefs, biometric data used to identify individuals, data concerning health (mental and physical health), or data concerning a person’s sex life or sexual orientation.
- Research data or other intellectual property covered by confidentiality agreements or with potential for commercial exploitation by LU (Theses, dissertations etc.).
- Commercial contracts or information relating to their negotiation.
- Sensitive policy/committee documents/correspondence (e.g. relating to major changes/new developments/discontinuation of activities, financial issues)
- Examination papers prior to examinations being taken.
Control Measures
- Stored in secure, access restricted, password protected, and supported corporate IT business systems (or locked locations if hardcopy).
- May be shared between authorised staff/Doctoral Researchers for legitimate business purposes.
- May be shared with third parties where appropriate permission has been given (personal data) or where covered by explicit agreements between relevant parties (e.g. research collaborations, funding bodies etc.).
- See further info on secure storage and information sharing in Staff Responsibilities and Information Sharing policies.
Category 4: Highly Confidential
Exceptionally confidential information which would cause major financial loss, and reputational damage or significant distress to the data subject if used in an unauthorised manner.
A very limited number of individuals will have access.
Examples
- Information obtained or generated through a partnership covered by the Official Secrets Act (1989), e.g., a contract with the MoD involving the transfer and processing of data classified under the UK Government Security Classifications Policy as Official, Secret or Top Secret. Or a contract/partnership requiring extreme security measures (e.g. some NHS data such as patient level research data or medical records), or where there is a professional obligation e.g., duty of confidentiality to maintain a trusted relationship.
Control Measures
- A specific agreement will set out the individuals with access and will detail data storage, sharing mechanisms and working practices.
- The Loughborough University Secure Research Network will be applied to devices being used for research, teaching and any other processing activity where Cyber Essentials Plus (CE+) certification is a contractual requirement. More information on the Secure Research Network can be found on the IT Services pages.
Given the volume of information managed by the University, users are not expected to physically label all information with a security category. However, they are expected to be familiar with the security categories and to use them to inform their working practices.
All ‘highly confidential’ (level 4 category) information should be labelled as such and handled with stringent security measures.
Draft documents should normally be considered as ‘Confidential’ (Level 3 category) until they have been finalised or approved through the relevant line management or governance arrangements.
Where a decision is taken to share information, it is the responsibility of those releasing the information, including the Data Owner, to ensure that the recipient understands the confidentiality of the information and will abide by the provisions of this policy, including any handling requirements specified by the Data Owner as well as their authorisation to share data, as per Section 5 of this policy.
5. Roles and Responsibilities
The University’s Information Governance Framework (Data Protection Policy, Appendix 2) details roles and responsibilities in respect of the management of its key data assets. In relation to this policy, they should be assigned as follows:
Role | Responsibility |
Infrastructure Committee | Endorse the Safe Information Sharing and Information Categories and Controls Policy. |
Information Governance Sub Committee | Maintain, review, and promote the use of the policy; decide on the appropriate categories of information and data, and their appropriate application. |
Information Governance Team | Provide advice and guidance on the appropriate application of categories of information, and safe sharing of personal data, for example where the data owner is unclear; investigate and advise on appropriate mitigations for breaches of this policy, in accordance with the Management of Information Security Incidents and Review of Policies policy. |
Data Owner | Ensure the appropriate data category is assigned; authorise the sharing of data categorised as ‘Not Sensitive’, ‘Confidential’, ‘Highly Confidential’; identify additional controls required to ensure the confidentiality, integrity and availability of the data; communicate the handling requirements to data users; consider the potential risks to the data as part of business continuity planning. The Data Owner may delegate responsibility to the Data Steward for the completion of their responsibilities. However, they will retain accountability. |
Data Steward | May undertake the responsibilities of the Data Owner, at the Data Owner’s discretion. |
Data Coordinator | Signpost data users to this policy and provide a first point of contact for queries regarding the policy and its application; escalate queries to the Information Governance Team where additional assistance is required. |
All staff, doctoral researchers, students, and third-party contractors | Be aware of, and handle information and data in compliance with, this policy; report any breaches of this policy in accordance with the Management of Information Security Incidents and Review of Policies policy. |
Examples of data owners:
- A document created by a member of staff on an aspect of their job for their own use. The data owner of this document is the member of staff who created it,
- The data held within LUSI (student records system). The data owner for this data is the Academic Registrar,
- The data held within Agresso (finance system). The data owner for this data is the Director of Finance,
- Principal Investigators (PI) on research projects are the Data Owners of research data created or collected by the team during the project; or
- Research data provided to the University by an external body. In the case of research projects, data may be shared or transferred with or from external bodies, and the rules governing the ownership, sharing or transferring will be determined by the Research Collaboration Agreement.
It is important to note that the Data Owner may not own the intellectual property associated with the information; it may belong to someone else. Where data users have a query regarding intellectual property, they must consult the University’s Intellectual Property Commercialisation Policy prior to processing it. Please see further information and avenues of support below.
6. Access Controls
Before any new or substantially different data processing (including sharing), or publishing information and data categorised as ‘Not Sensitive’, ‘Confidential’ or ‘Highly Confidential’, permission must be sought from the Data Owner. This permission may be implicit in standard working practices or explicit in project specific agreements. However, for any non-standard or unusual use of university information, permission must be sought on an individual basis. If data ownership is unclear, consult the Information Governance Team for guidance.
Data protection law defines some types of personal data as inherently high risk, either because the harm is more likely, or the potential harm is more severe, or a combination of both. Prior to new or substantially revised processing of these special categories of personal data, defined in Article 9 of the UK GDPR, and categorised in this policy as ‘Confidential’ or ‘Highly Confidential’, a data protection impact assessment must always be conducted.
Loughborough University implements physical and logical access controls across IT systems and data networks and access should be managed in accordance with the University's Policy on the Management of User Access to Information.
All staff and doctoral researchers accessing information categorised as ‘Not Sensitive’, ‘Confidential’, or ‘Highly Confidential’ must have completed the University’s mandatory information security training at the mandated frequency.
7. Data Sharing Protocols
Hardcopy Format
The University discourages the sharing of Confidential and Highly Confidential Information in hardcopy form due to the inherent risks of unauthorised further sharing and insecure maintenance or disposal. If such sharing is unavoidable, it is necessary to ensure appropriate storage and disposal arrangements are in place, and to comply with the Policy on the Management of User Access to Information and Data Protection Policy (Section 13, Retention and Disposal of Data).
Digital Format
Information is most frequently shared digitally; this poses risks such as inappropriate redistribution, multiple storage locations, version discrepancies, and extended retention. Careful consideration of the media format and method of sharing with authorised recipients is required to mitigate these risks and promote responsible data handling and sharing.
Confidential Information (level three) and Highly Confidential Information (level four)
The sharing of confidential information is necessary for operational activities. When planning to share confidential information, careful consideration needs to be given to the content and context of the information, including its sensitivity and the intended recipients.
When sharing information, especially confidential or highly confidential information, prioritise secure corporate systems or use technologies such as Microsoft 365, which allow granular sharing controls. For example, OneDrive allows document sharing with ‘view only’ permissions and bespoke retention settings. Emails and attachments are not secure methods for sharing information; they can result in the misdelivery of information, further uncontrolled dissemination, and a lack of clear accountability.
Sharing Information Internally
For sharing confidential information with other individuals within the University, the use of our Corporate Information Systems should be prioritised (e.g., student information can be shared via Co-Tutor or LUSI, and staff data can be shared using iTrent). Where corporate systems are unavailable, Microsoft OneDrive, with appropriate access permissions applied, should always be used. These methods of sharing restrict access to authorised individuals and mitigate the risks associated with the creation of multiple copies.
Sharing Information with External Partners
When it is necessary to share information with external partners, and it is not appropriate to grant them access to the University network as per the Policy on the Management of User Access to Information, information should be shared via OneDrive with appropriate access permissions applied.
To uphold the integrity and security of shared information and data, when collaborating with a partner or group where the partner is the lead entity, due diligence checks need to be conducted prior to any information exchange to ensure it will be stored and managed in a manner compliant with UK data protection legislation. Consideration must be given to data crossing international borders; see Section 8 (Compliance) of this policy.
All users are advised to follow the steps identified in the ‘Email Good Practice’ document.
Cloud Services
Where possible, confidential information should only be stored or shared onsite or via cloud-based storage services managed by IT Services; this is currently Microsoft 365.
Projects and services involving external partners may require the sharing of Confidential information using Cloud based information storage systems other than Microsoft 365.
The following cloud-based storage systems are NOT managed by IT Services and may not comply with UK data protection law:
- Dropbox,
- SpiderOak,
- Google Drive; or
- Amazon Cloud Drive.
If it is necessary to use an unsupported cloud service to share confidential information with external partners because there are no other viable options available, data users MUST ensure:
- Cloud-based storage is only to be used with the explicit approval of the data owner,
- The software licensing terms, or an explicit contract held between the University and the service provider, include appropriate Data Protection assurances in line with UK Data Protection equivalency requirements. As controls change frequently, please contact the IT Service Desk for advice,
- All confidential information is encrypted prior to being stored, transmitted or shared (please contact IT Services for current guidance on the procedure for encrypting documents),
- No encryption passwords are stored within the same storage provider,
- Decryption of encrypted information must never take place within the cloud environment,
- For research data, any relevant contractual terms are consulted and complied with, as some organisations prohibit the use of cloud-based storage for research data,
- When sharing Confidential information, passwords are not shared via unsecure channels such as email,
- The encrypted version of the information is not the sole source and that secure back-ups are stored on an IT Services managed location, such as Microsoft 365; and
- Once the sharing of the Confidential Information is no longer required, that it is removed from the cloud-based storage.
If there is any doubt about the correct categorisation of the information in accordance with this policy, advice should be sought from information governance staff in the Academic Registry (dp@lboro.ac.uk).
IT Services (IT.Services@lboro.ac.uk) may be asked to advise on appropriate sharing technology where information is Confidential or Highly Confidential and where cloud-based storage is the only viable option.
Mobile/Removable Storage and Devices
These are defined as all types of electronic storage which are not physically fixed inside a computer or laptop; or the device itself is easily moved. They include the following:
- Memory cards (like those used in cameras), USB pen drives etc.,
- Removable or external hard disk drives,
- Newer Solid State (SSD) drives,
- Mobile devices (smart phones, tablets, etc); or
- Optical disks i.e. DVD and CD.
If saving and sharing information via one of the above media is considered essential as it is deemed to offer significant advantages over use of one of the previously recommended, more secure approaches, the user must ensure:
- That anti-virus software is present and up to date on machines which data is taken from and machines which data is transferred to; and
- Confidential information must always be transported in an encrypted form on mobile or removable devices to protect their security and integrity.
Users should also refer to Section 8 Encryption (Cryptography), in the IT Operations Management Policy for more information about the use of encryption.
Users wishing to transport and/or share Confidential information using removable storage devices MUST also ensure:
- The data on the device is encrypted to the highest recommended encryption standard (AES-256). Please contact IT Services for further assistance,
- Compliance with any certified level of encryption required under a research or other grant or contract. If such requirements are stipulated, please contact IT Services for further assistance,
- Mobile devices containing Confidential information should not be sent off site without the prior agreement of the data owner. IT Services should be consulted to ensure the level of security is appropriate for the type of data being transferred,
- Removable storage devices used to store Confidential information shall only be used where there is a clear business need, and with the authorisation of the Data Owner,
- Data stored on removable storage devices are the responsibility of the individual who operates the device. They must ensure proper management, security, and backup of the data, including responsibility for any issues or breaches of policy or legislation related to the information held on the device,
- The device should not be used to store information which is not securely backed-up to the University network, as should the encryption password be forgotten, the information will be irretrievable,
- The device is physically protected against loss, damage, abuse or misuse when in use, storage and transit,
- Should any removable device holding confidential information become damaged, it should be given to IT Services for secure disposal,
- In the event that the device is lost or stolen, it should be reported in accordance with the Policy on the Management of Information Security Incidents and Review of Policies; and
- When the business purpose has been satisfied, the information is securely removed/deleted through a destruction method that makes the recovery of data impossible. Information about the procedure for removal of Waste Electrical and Electronic Equipment (WEEE) is available from the Estates and Facilities Management, Sustainability Team (see Waste Electrical and Electronic Equipment).
Where electronic media containing Confidential information needs to be posted to third parties, services that provide tracking and auditing must be used. The decrypting password should not be in the same package as the media in question. Passwords should normally be provided to third parties either in person or via a telephone call.
In the event that a personally owned device is used to access or share University owned information, then the University reserves the right to remotely wipe the device if it becomes damaged, lost or the University becomes concerned that the security of the information has been compromised (see also the Policy on Mobile and Remote Working).
8. Compliance
Data Protection
The UK General Data Protection Regulation (GDPR) and Data Protection Act 2018 set out the obligations that apply to Loughborough University when handling personal data. Individuals handling personal data must follow the University’s policies and procedures in respect of Data Protection when applying this policy. For example, responding to subject access requests from individuals for access to their personal information.
The University recognises the importance of protecting personal data especially when it is transferred across international borders. In the event of a transfer of personal data to a country not covered by UK ‘adequacy regulations’, appropriate safeguards as defined by Article 46 of the UK GDPR, and a risk assessment to consider whether, in the circumstances of the transfer, the relevant protections for people under UK data protection law will be upheld, must be conducted.
Freedom of Information
Anyone has a right to request information from the University under the FOI Act 2000; the legislation favours disclosure. Each request for information must be assessed according to the particular circumstances of the information or data requested. The data category applied (as per this policy) will not act as an automatic bar to disclosure. However, the reason for applying the categorisation will be considered and may support any evidence of harm and/or public interest when considering exemptions.
Trusted Research
Consideration must also be given to the economic and national security implications of an export of data, if it falls within the Export Control or National Security and Investment Act legislation. Please see further information and avenues of support on the Safer Partnerships and Trusted Research page.
Sharing Personal Data in the event of an emergency
The University may disclose personal data to third parties in emergency situations to prevent loss of life or serious physical, emotional, or mental harm. Such emergencies may include, but are not limited to, preventing serious physical harm to a person, loss of life, protection of public health, safeguarding vulnerable adults or children, responding to an emergency, or an immediate need to protect national security. In these circumstances, data should be shared as necessary and proportionate to the situation. It is recognised that in such cases, the harm caused by not sharing information may outweigh the harm caused by sharing it.
As part of our accountability duty, any actions taken in these circumstances should be documented after the event and the Information Governance Team (DP@lboro.ac.uk) informed, if it is not possible to do so at the same time.
9. Incident Response
Any breaches of this policy will be investigated and resolved in accordance with the Management of Information Security Incidents and Review of Policies policy.
10. Date of Next Review
In 2024, the Information Governance Sub-Committee set an automatic review period of five years for all policies it has governance over, unless there are substantial changes in legislation, University processes, or risks that warrant a more immediate review.
The Safe Information Sharing and Information Categories and Controls Policy is scheduled for review in November 2029.
Related documents
Good practice to minimise potential risks associated with email.
Advice on the use of Dropbox for information sharing within and outside the University.