What is Information Classification?
Information classification is a way to communicate the sensitivity of information that you create or come in contact with, providing a framework for how all of RRC Polytech’s information assets are classified. The purpose of an information classification system is to recognize that different information requires different levels of controls, helping employees take appropriate actions to protect information and ensure proper safeguards are in place.
Information classification covers all information, whether physical or digital:
- Physical information is usually paper, including posters and diagrams. It also includes the objects or media used to store digital information, such as USB keys, CD/DVDs, and hard drives.
- Digital information refers to documents, spreadsheets, presentations, video and audio recordings, email and social media. This information may be stored on a network folder, OneDrive, email, systems, or physical media such as USB keys, hard drives, etc.
Your Role in Information Classification
We all play a role in protecting and securing RRC Polytech’s data from risk, including unauthorized access, modification, use, disclosure, removal and destruction. To help ensure our data is protected from potential breaches, RRC Polytech has developed a four-level information classification system. Classifying information helps the author communicate the sensitivity of the information to people who may come in contact with it. It also helps those people treat it appropriately, making sure our sensitive information is always secured.
Information Classification Levels
- Public: Information that is not confidential and is created to be shared or made available to the public, e.g., marketing materials or published policies and/or strategies.
  - Information with this label can be freely shared without restriction.
  - Most staff are unlikely to create this kind of information unless it is specifically part of their job. Usually, this information is created as part of formal processes.
- Internal: Information that is relevant to an internal RRC Polytech audience and not confidential within the College. This information is not intended to be shared externally but poses no harm if made public, e.g., Staff News posts or Staff Forum (Intranet) content.
  - The majority of the documents staff create are likely to be internal.
  - In general, this information can be shared with RRC Polytech employees as required.
- Protected: Information that is confidential and sensitive externally, with access limited to specific roles or groups of individuals at RRC Polytech, e.g., vendor contracts or student and/or employee records, business plans, etc.
  - Protected documents tend to be limited to your own workgroup or a few other specific workgroups or individuals.
- Restricted: Highly confidential information both externally and internally within the College. This information is restricted to specific named individuals or very specific roles, e.g., legal files, personal health information and planning document drafts.
  - Most staff rarely create restricted documents.
Information Classification Labelling
Documents should be clearly labelled by the author with the appropriate information classification. They may also include actions required by the user regarding disclosure or sharing of the information.
- Documents and systems should include a prominent label indicating the classification of the information, e.g., “RRC Internal” or “RRC Public.”
- Where possible, the label should include a hyperlink to the corresponding information classification level page, which contains details and the appropriate controls. As follows:
- Documents should include a label:
  - In the footer of the document, centred; or
  - On the cover page of a document, centred at the bottom; or
  - Appropriately prominent as to be easily found.
Labelling for RRC Restricted Information
Documents that are RRC Restricted should include a cover or title page to ensure information is not accidentally disclosed. This cover page should include the following information:
THIS DOCUMENT IS CLASSIFIED AS RRC RESTRICTED AND CONTAINS CONFIDENTIAL INFORMATION INTENDED FOR <specific individuals> ONLY. DISCLOSURE OF THIS INFORMATION IN ANY FORM IS NOT PERMITTED WITHOUT THE EXPRESS PERMISSION OF <author or leader>.
To learn more about information classification and disclosure visit rrc.ca/rrc-restricted.
Variants are acceptable, providing they indicate:
- That the information is confidential; and
- Who the information is intended for (or generally “a specific audience”); and
- That disclosure is not permitted; and
- Who is permitted to authorize disclosure; and
- A link to the website defining what RRC Restricted means.
Labelling for Systems and Electronic Information
Systems and other electronic tools should indicate the classification:
- Of a particular screen of information; and/or
- Of the system at the login or main access screen.
What Should You Do When You Suspect a Breach Has Taken Place?
A breach is defined as information that is disclosed, or potentially disclosed, inappropriately or to inappropriate or unintended audiences.
Need More Information?
Please review the directive concerning Information Classification located on the ITS Book of Standards pages within Staff Forum.
For any questions regarding information classification, please contact Neil Fogg, Manager, ITS Information Protection, at firstname.lastname@example.org.