Information Classification Controls (Draft)

RRC Public

This information is not confidential and may be shared or made available to the public. It is intended for public consumption.

Examples:

• Marketing material
• Course Information
• Published Policies
• Published Strategy

Labeling

Where appropriate, it is recommended to label even RRC Public documents to ensure that
a) Sensitive information does not get added to the document;
b) Users understand that it is able to be shared and distributed freely; and
c) There is no confusion about the sensitivity of the information.

Use labels that indicate RRC Public. [see labeling]

Sharing

Public documents can be shared with anyone as required, without controls or restrictions.

Securing Electronic Storage

Public documents can be stored on any RRC Polytech authorized system or tool including our public website and with third-parties if required. External media may also be used for storage.

Documents should be deleted when no longer required. The content owner is responsible for appropriate archival storage.

Physical (Paper) Storage

Public documents can be stored in public and non-public locations.

Internal documents should be placed in recycling for destruction. The content owner is responsible for appropriate archival storage.

Restricting Access

Access restrictions are not required.

Sharing Electronic Documents

Public document can be shared using any approved RRC process or tool, including email, OneDrive, Teams, the College Intranet, rrc.ca, and third-party tools as required.

For more information concerning the Information Classification Directive and Standard.
For more information concerning Information Sharing and Data Storage.

[RRC Internal]
[RRC Protected]
[RRC Restricted]

RRC Internal

This Information is relevant to an internal RRC Polytech audience and not confidential within the College. This information is not intended to be shared externally but poses no harm if it is made public. It may be intended for internal or limited groups within the College.

Examples:

• Staff News
• Blank staff forms
• Staff training material
•  Staff Forum (Intranet) content

Labeling

Use labels that indicate RRC Internal. [see labeling]

Sharing

Internal documents can be shared freely amongst RRC staff. Caution should be taken, and often permission sought, when sharing Internal document outside of RRC

Securing Electronic Storage

Information should be stored on RRC Polytech Supported or authorized systems (including our enterprise systems, OneDrive, Teams, SharePoint, Outlook, shared network drives, and College supplied devices).

Documents should be deleted when no longer required. The content owner is responsible for appropriate archival storage.

Physical (Paper) Storage

Internal documents must not be left unattended in a public area.
Adherence to ‘clean desk’ practices are recommended.

Internal documents should be placed in confidential shredding for destruction. The content owner is responsible for appropriate archival storage.

Restricting Access

Additional access restriction (above the College’s general access controls) are not required.

Sharing Electronic Documents

Internal document can be shared using any approved RRC process or tool, including email, Maestro, OneDrive, Teams, and the College Intranet.

For more information concerning the Information Classification Directive and Standard.
For more information concerning Information Sharing and Data Storage.

[RRC Public]
[RRC Protected]
[RRC Restricted]

RRC Protected

This Information is confidential, sensitive externally, and access is limited to specific roles or groups of individuals. The inappropriate release of this information would reasonably be expected to cause minimal to moderate harm to individuals, businesses, other third parties, or the College.

Generally, this is the minimum classification for any document governed by legislation, e.g., the Personal Health Information Act (PHIA).

Examples:

• Vendor contracts
• Employment records
• Student records
• Planning documents
• Building floorplans
• Donor prospect files

 Labeling

Documents that are RRC Protected should include labels that indicate RRC Protected [see labeling]

Sharing

Protected documents can be shared with specific groups or amongst known individuals who would have reasonable need to access the information. When in doubt, check with the document creator.

Securing Electronic Storage

Protected Information should be stored on RRC Polytech Supported and authorized systems (including our enterprise systems, OneDrive, Teams, SharePoint, Outlook, shared network drives, and College supplied devices).

External storage like USB or External hard drives should be avoided or, if required, they should be encrypted.

Documents should be stored on encrypted devices only. All College owned computers are encrypted by default. If a document is being stored on a non-college device, ensure the device’s storage is encrypted [how to check if your device is encrypted].

Documents should be deleted when no longer required. The content owner is responsible for appropriate archival storage.

Note that Destruction of documents containing Personal Information or Personal Health Information, must be done in accordance with RRC Policy G3 – Freedom of Information and Protection of Privacy.

Physical  Storage

RRC Protected documents must be kept in a non-public area. Ensure adherence to ‘clean desk’ practices when working with protected data. Protected information must be kept in a locked cabinet or similar storage when not in use.

RRC Protected documents should be placed in confidential shredding for destruction. The content owner is responsible for appropriate archival storage.

Note that Destruction of documents containing Personal Information or Personal Health Information, must be done in accordance with [RRC Policy G3 – Freedom of Information and Protection of Privacy].

Restricting Access

Access to restricted information must be controlled through secured systems or tools.

Documents should be stored in Teams, shared drives with controlled access.

Consider using document-level restrictions to control document access.   [link to instructions]

Consider using password protection if sharing with external entities.  [link to instructions]

Sharing Electronic Documents

RRC Protected documents can be shared via Teams or OneDrive Links. Generally, emailing RRC Protected document should be avoided.  Care should be taken when sharing with external entities — the use of password protection should be considered.

[Instructions on how to password and encrypt documents can be found here.

Instructions on how to share a OneDrive file can be found here.

For more information concerning the Information Classification Directive and Standard.

For more information concerning Information Sharing and Data Storage.

[RRC Public]

[RRC Internal]

[RRC Restricted]

RRC Restricted

 This information is Highly confidential. This information is restricted to specific named individuals or very specific roles.

Unauthorized access could reasonably be expected to cause serious harm to individuals, businesses, other third parties, or the College. Significant controls are required to protect information.

Examples:

• Personal Health Information
• Draft strategic plans
• Legal files
• Payroll data
• Network system information
• Research data

Labeling

Documents that are RRC Polytech Restricted should include a cover or title page to ensure information is not accidently disclosed. This cover page should be clearly labelled by the author with an “RRC Restricted” classification and include actions required by the specific named individuals (access list) regarding disclosure or sharing of the information

[see labeling]

Sharing

Restricted documents should only be shared by the content owner or other designated individual. Recipients of restricted information should not share it without specific and express permission.

Securing Electronic Storage

RRC Restricted documents should be stored using OneDrive; or on a secure file share or restricted access teams site providing the document also has [access restrictions {link to instruction on how to restrict access to documents}] in place.

External storage like USB or External hard drives should be avoided or, if required, they should be encrypted.

Documents should be stored on encrypted devices only. All College owned computers are encrypted by default. If a document is being stored on a non-college device, ensure the device’s storage is encrypted [how to check if your device is encrypted].

Documents should be deleted when no longer required. The content owner is responsible for appropriate archival storage. Note that Destruction of documents containing Personal Information or Personal Health Information, must be done in accordance with RRC Policy G3 – Freedom of Information and Protection of Privacy.

Restricting Access

Documents must have access restrictions {link to instruction on how to restrict access to work/excel/ppt/adobe documents}] that limit access to select individuals or very specific groups of users.

Sharing Electronic Documents

Restricted documents should not be emailed. They should be shared with Microsoft OneDrive links, or links to the file on a shared folder. Access should be shared at the most restricted level possible – meaning read-only, no download where reasonable.

Instructions on how to share a OneDrive file can be found here.

If RRC Restricted data must be shared with external entities, documents should be emailed as a password protected/encrypted document.

Instructions on how to password and encrypt documents can be found here.

Physical (Paper) Storage

Restricted data must be kept in a locked filing cabinet, in a non-public area when not in use. Ensure adherence to ‘clean desk’ practices when working with restricted data.

Restricted document should be destroyed instead of retained wherever possible. Restricted documents should be placed in confidential shredding. The content owner is responsible for appropriate archival storage. Note that Destruction of documents containing Personal Information or Personal Health Information, must be done in accordance with RRC Policy G3 – Freedom of Information and Protection of Privacy.

Sharing Electronic Documents

Restricted documents should not be emailed. They should be shared with Microsoft OneDrive links, or links to the file on a shared folder. Access should be shared at the most restricted level possible – meaning read-only, no download where reasonable.

Instructions on how to share a OneDrive file can be found here.

If RRC Restricted data must be shared with external entities, documents should be emailed as a password protected/encrypted document.

Instructions on how to password and encrypt documents can be found here.

Physical  (Paper) Storage

Restricted data must be kept in a locked filing cabinet, in a non-public area when not in use. Ensure adherence to ‘clean desk’ practices when working with restricted data.

Restricted document should be destroyed instead of retained wherever possible. Restricted documents should be placed in confidential shredding. The content owner is responsible for appropriate archival storage. Note that Destruction of documents containing Personal Information or Personal Health Information, must be done in accordance with RRC Policy G3 – Freedom of Information and Protection of Privacy.

For more information concerning the Information Classification Directive and Standard.

For more information concerning Information Sharing and Data Storage.

[RRC Public]

[RRC Internal]

[RRC Restricted]