Information Classification

(Draft)

This page sets out how Public (White), For Official Use Only (Amber), and Confidential (Red) university information is to be handled. The standard applies to university records; in general it does not apply to research information or teaching materials.

Information Life Cycle and SFU Archives

University records evolve through a natural life cycle from creation to archival retention or destruction.

  1. Records are created for SFU's operational use. Each type of record has a retention schedule that depends on the business requirements of SFU and is often shaped by legislative requirements.
  2. When the retention schedule marks the end of a record's operational use, some records may be transferred to the SFU Archives.
  3. SFU Archives uses its own selection criteria to determine which business records are to be selected for permanent preservation.
  4. Records past the end of their operational use but not selected for preservation by Archives are destroyed.

Public (White)

Definition

Information deemed to be public by legislation or policy.

Examples: the university's annual financial report, academic calendar, employee contact information, public announcements, and public website.

Confidentiality: Low
Access Restrictions: No restrictions on access
Transmission: No special handling required
Storage: No special safeguards
Disposal: Recycled

For Official Use Only (Amber)

Definition

Information not approved for general circulation.

Examples: internal memos, minutes of meetings, internal project reports, unit budgets, and accounting information; in short, everything that does not fall into one of the other two categories.

Confidentiality: Medium
Access Restrictions: Access limited to employees and other authorized users
Transmission: No special handling required
Storage: Stored within a controlled-access system (e.g. a password-protected file or file system, or a locked filing cabinet)
Disposal: Shredded or erased

Confidential (Red)

Definition

Information protected by legal contract, legislation, or regulation.

Examples: specific information disclosed through contracts with third parties, personally identifiable information governed by FIPPA, medical information including clinical patient data, and cardholder data protected by the PCI-DSS.

Confidentiality: High
Access Restrictions: Access limited to authorized users with a demonstrated need to know. Other restrictions may apply as dictated by legal contract, legislation, or regulation.
Transmission: Encryption required. Hard copies must be transported externally by secure methods. Other restrictions may apply as dictated by legal contract, legislation, or regulation.
Storage: Stored within a controlled-access system (e.g. a password-protected file or file system, or a locked filing cabinet). Encryption required on any portable medium, such as a USB drive or notebook computer. Other restrictions may apply as dictated by legal contract, legislation, or regulation.
Disposal: Shredded, pulped, degaussed (removal of magnetic information), or securely erased. Records of disposal may need to be maintained. Other restrictions may apply as dictated by legal contract, legislation, or regulation.