
Information Security



The University is committed to ensuring its information is always managed securely and in accordance with the best practice requirements of the NSW Standard on records management. The standard requires that the University’s records are protected from unauthorised or unlawful access, destruction, loss, deletion or alteration.


The University’s Data Classification Standard provides the framework for the protection of University information based on its sensitivity as defined by type, importance and usage. This framework is further informed by both the Record Security Guideline and the Data Handling Guidelines.



RAMS Data Classification



When capturing records to the University’s recordkeeping system RAMS, the information being captured can be mapped to one of the UNSW Data Classification levels (Unclassified, Private, Sensitive or Highly Sensitive) to define its sensitivity and to enable controls appropriate to that level of sensitivity to be put in place.

These controls are applied in RAMS through the use of pre-defined Access Groups, an opt-in method of specifying access rights to electronic records captured within the system. Access Groups provide the primary means by which to control access to University records in RAMS.

This process of data classification should be an inherent part of the capture of records: whenever a new records container is created, when records of a higher sensitivity are to be captured to a container, or when evidence of a new business activity is required to be captured.



Record Classification Table


This table maps the University’s Data classifications against the required controls in RAMS, whether transmission of this information by email is appropriate and how frequently the security controls of this information should be reviewed. More information on these Data Classifications is available here


| Data Classification | Examples | RAMS Access Control required? | Example RAMS Access Controls | Is Email transmission permitted? | Review period |
|---|---|---|---|---|---|
| Unclassified | Published research data; Course catalogues; Faculty and staff directory information | Optional, required for business purposes only. | For published research data information: View Document:<Unrestricted>; View Metadata:<Unrestricted> | Yes | Not required |
| Private | Business unit procedure; Unpublished intellectual property | Optional, required for business purposes only. | For business unit procedures: View Document:<Division or subgroup>; View Metadata:<Division or subgroup> | Yes | Every 2 years |
| Sensitive | UNSW Financial data; Exam results; Student and Staff information | Mandatory. Access Control must be applied to restrict all Units/Departments that require access to this information. | UNSW financial data: View Document:<Division or subgroup>; View Metadata:<Division or subgroup> | No | Every 1 year |
| Highly Sensitive | Medical; Children and young persons; Credit Card | Mandatory. Access Control must be applied to restrict only those positions and/or business unit(s) that require access to this information. | Medical data or credit card: View Document:<Special Access Group or individual positions>; View Metadata:<Special Access Group or individual positions> | No | Every 6 months |

Personal Information



Personal information is defined as, “Information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion”.

Special consideration needs to be given to the management of personal information contained in records being captured and managed using the University’s business systems. This information will frequently be classified as Sensitive, sometimes Highly Sensitive, and should always be destroyed as soon as it is appropriate to do so. Capture and correct classification within RAMS ensures this is managed at a system level.

The following table can be used to guide an initial classification of commonly found types of personal information:



| Data Type | Description | Preliminary Classification |
|---|---|---|
| Student data | Personally identifying information about students, including items such as Tax File Number (TFN), and contact information, courses and programs. | Sensitive |
| Staff data | Personally identifying information about staff, including items such as Tax File Number (TFN), contact information, and bank account details. | Sensitive |
| Patient data | Personally identifying information about patients, any medical treatments and results. | Highly sensitive |

Legacy RAMS Security Controls



For reference, the hardcopy security controls used in RAMS (previously known as ‘TRIM’) were:


1.1 Security Levels



Security Levels provided the primary method for restricting access to hardcopy University records. Any document has an inherent level of security based on its content. Any container would inherit the security level of its most restricted content, as would all other records within the same container.

To view records of a certain security level, a staff member is required to have the same, or a higher level of security applied to their profile.


| Security Level | Scope Notes | UNSW Data Classification Standard equivalent |
|---|---|---|
| Restricted | The Restricted classification is for those records documenting staff grievances, privacy issues, FOI requests and legal advice. Information which could: compromise Legal professional privilege; breach staff confidentiality in the complaint resolution procedure; compromise information provided under Freedom of Information requests. | Private |
| Protected | The Protected classification is for those records that relate to Audit requirements. Information which could: substantially undermine the financial viability of UNSW; facilitate the commission of serious crime; seriously impede the development or operation of UNSW and major Government policies. | Sensitive |
| Highly Protected | The Highly Protected classification is for those records that relate to the governance of the University, industrial relations matters, controlled entities and commercial research ventures and highly sensitive commercial business documents or contracts. Information which could: threaten life directly; seriously prejudice public order; substantially damage the University or state or national finances or economic and commercial interest. | Highly Sensitive |

1.2 Security Caveats



Security Caveats provided a secondary means for the restriction of hardcopy records. The Security Caveats that may be applied to hardcopy records can be seen below. They enable a container to be restricted to a specific subset of staff based on role, such as limiting access to Human Resources (HR) records to HR staff only.

Their primary use at UNSW is for the control of access to hardcopy legal, personnel and student records.

A security caveat may be applied with a Security Level, and a user seeking access to the record would be required to meet both sets of criteria (Security Level, Security Caveat) to locate and to view the container.

All staff members receive automated access to relevant Security Levels and Caveats based on their position. Any staff member wishing to confirm their access may contact records@unsw.edu.au for further information.


| Security Caveat | Acronym | Scope Notes |
|---|---|---|
| Commercial-in-Confidence | CIC | For hardcopy commercially sensitive records only |
| Governance-in-Confidence | GIC | For hardcopy records of UNSW Council, Academic Board and associated Committees only |
| Legal-in-Confidence | LIC | For hardcopy Legal Files only |
| Personnel-in-Confidence | PIC | For hardcopy Personnel files only |
| Security-in-Confidence | SIC | For hardcopy security-related files only |
| Student-in-Confidence | STIC | For hardcopy Student files only |
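
The legacy access decision described in sections 1.1 and 1.2 (a container inherits its most restricted record's level, and a viewer must satisfy both the Security Level and the Security Caveat), modelled as an added example that is not UNSW's or the RAMS product's own code. Assumptions: the class and function names are hypothetical, an "Unrestricted" rank stands for records with no level applied, a viewer must hold every caveat on the container, and the sample container and staff are constructed.

```python
from dataclasses import dataclass, field

# Legacy levels from section 1.1, least to most restricted. "Unrestricted" (0)
# is an assumed rank for records with no Security Level applied.
LEVELS = {"Unrestricted": 0, "Restricted": 1, "Protected": 2, "Highly Protected": 3}
CAVEATS = frozenset({"CIC", "GIC", "LIC", "PIC", "SIC", "STIC"})  # section 1.2

@dataclass
class Record:
    title: str
    level: str = "Unrestricted"

@dataclass
class Container:
    name: str
    records: list = field(default_factory=list)
    caveats: frozenset = frozenset()

    def effective_level(self) -> str:
        """The container takes the level of its most restricted record."""
        return max((r.level for r in self.records), key=LEVELS.__getitem__, default="Unrestricted")

@dataclass
class Staff:
    name: str
    level: str
    caveats: frozenset = frozenset()

def can_view(staff: Staff, container: Container):
    """Return (allowed, reason); level AND caveat criteria must both be met."""
    unknown = (set(container.caveats) | set(staff.caveats)) - CAVEATS
    if unknown:  # fail closed on a caveat that is not in the published table
        return False, f"unknown caveat(s): {sorted(unknown)}"
    needed = container.effective_level()
    if LEVELS[staff.level] < LEVELS[needed]:
        return False, f"level {staff.level} below {needed}"
    missing = set(container.caveats) - set(staff.caveats)
    if missing:  # assumption: every caveat on the container must be held
        return False, f"missing caveat(s): {sorted(missing)}"
    return True, "ok"

def demo():
    # Constructed sample: the unrestricted cover sheet inherits "Restricted".
    box = Container("Grievance file (constructed)",
                    [Record("Cover sheet"), Record("Statement", "Restricted")], frozenset({"PIC"}))
    staff = [Staff("hr_officer", "Restricted", frozenset({"PIC"})),
             Staff("auditor", "Protected"),
             Staff("clerk", "Unrestricted", frozenset({"PIC"}))]
    return {s.name: can_view(s, box) for s in staff}
```
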
