Scope, Purpose & Objectives

Trinity Rawdon recognises that information is an asset which has a value and in some cases must be protected. Information classification means categorising information based on its sensitivity and value. This is determined by the adverse impact on individuals and Trinity Rawdon if that information were to be accessed, disclosed, altered or destroyed without authorisation.

Information classification is essential to:

1. Informing what level of controls are necessary to protect the confidentiality, integrity and availability of the information;
2. Ensuring a consistent approach to the management and protection of information;
3. Identifying the risk and impact of and correct response to an incident based upon what type of information is involved.

This policy applies to all Trinity Rawdon information in all its forms. For example: on paper, verbal, e-mails, files, records, minutes.

For the purposes of this policy the words information and data are interchangeable and have the same meaning.

The purpose of this document is to:

• explain how you should classify and label information within Trinity Rawdon;
• explain what controls you need to put in place when handling information of a
particular classification.

RISKS & ISSUES

Trinity Rawdon recognises that there are inherent risks and legal implications associated with people accessing and handling its information. This policy aims to mitigate the following risks:

• accidental or intentional unauthorised disclosure, alteration or destruction of information
• unauthorised access to information
• loss of information

Loss or disclosure of certain information could have a significant effect on the reputation of Trinity Rawdon and may result in financial loss especially in relation to a breach of GDPR – General Data Protection Regulation.

Policy and Statement
INFORMATION CLASSIFICATION

The classification of information should be directly related to its value and sensitivity and the legal requirements of Trinity Rawdon.

There are 3 classifications that can be applied to Trinity Rawdon information:

1. Confidential
2. Restricted
3. Public

A detailed description of each security classification can be found in Appendix A

LABELLING

Information classified as Public is not required to be marked although this may be advisable. Trinity Rawdon information should be labelled with its appropriate information security classification where that classification is Restricted or Confidential.

A file or group of sensitive documents must carry the highest marking contained within it. For example, a file or email chain containing information classified as Public and Restricted must be covered by the higher marking of Restricted.

The classification level applied will determine the level of security controls needed for the protection of that information. Therefore applying too high a level of classification will impose unnecessary effort. Equally applying too low a classification will put sensitive information at risk.

Printed Reports

Printouts of information that carries a security classification of Restricted or Confidential will display the security marking clearly on every page. e.g in the header and/or footer or written/stamped on each page

Electronic Documents and Messages

Electronic documents should carry the same or similar marking as details in Printed Reports. Classified information sent within emails must include the classification level in the subject line of the email. If being sent external to Trinity members, or to anyone who may be unaware
of our handling requirements, state the required controls within the body of the email. Where the information is contained in an attachment, this must clearly state the classification of the document.

INFORMATION HANDLING

For each security classification level a set of controls must be in place to ensure that the information asset involved is appropriately protected at all times.

The handling of all information assets must follow these basic principles:

• Ensure compliance with applicable legal, regulatory, contractual and international obligations, this includes the Retention Schedule within our Privacy Notice in order to comply with the General Data Protection Regulations;
• Handle with care to avoid loss, damage or inappropriate access;
• Share information responsibly i.e. the recipient should be authorised to see the information. Particular care should be taken when sharing information with external parties or the public; for example, emails, faxes and letters should only be sent to named recipients at known addresses.
• Use individual and personal email addresses which can be tied down to and controlled by one person.
• Sensitive information should not be sent to Company accounts which may be subject to scrutiny by unauthorised individuals.
• Public networks such as free WiFi should not be used to send information classified above Public as these are insecure and subject to interception.
• Use appropriately assured methods of protection e.g. encryption, password protection; Note: If documents are sent encrypted or password protected, the recipient must be sent the password via an alternative method, preferably via a phone call or text
• Provide meaningful guidance to recipients on specific sensitivities and handling requirements;
• Store information securely when not in use e.g. clear from desks, lock screens when information and assets are left unattended;
• Where taken outside Rawdon or the home environment information should be stored securely and not left unattended;
• Take precautions to prevent overlooking or inadvertent access when in public places e.g. do not work on sensitive documents in public places and lock screens when not in use;
• Verbal Information also needs to be managed.
• When discussing Trinity business in public or by telephone, appropriate discretion should be exercised.
• Details of sensitive material should be kept to a minimum;
• Agreement of what can be discussed, to whom and when documented in minutes
• Information that is not freely available in the public domain should be securely deleted or destroyed.
• Any breach of information security e.g. involving theft, loss or inappropriate access should be reported to the Minister or a member of the Leadership Team.

Detailed information security handling requirements are outlined in Appendix C

Role and Responsibilities

The table below outlines key responsibilities with respect to the classification and handling of
information:

Adherence and Responsibilities

This document will be reviewed and updated as appropriate to changes to the risk environment relating to information security. Changes will be made available.

If you suspect that security or access to your information has been compromised or any of this policy’s requirements have been breached by you or other users, please report it to the Minister or a member of the Leadership Team

APPENDIX A DETAILED INFORMATION SECURITY CLASSIFICATIONS

Note 1: Further details on how to classify personal information into the above classifications can be found in Appendix B.
Note 2: The sensitivity of information may change over time and may need to be reclassified e.g. information may be embargoed and classified as ‘restricted’ until it is published, but will then become ‘public’

APPENDIX B PERSONAL INFORMATION

Any personal information likely to cause substantial damage or distress to an individual or individuals if there is unauthorised or unlawful processing or accidental loss, destruction or damage should be classified as CONFIDENTIAL.

This includes:

• “Sensitive personal information” as defined by GDPR.
• Large volumes of RESTRICTED personal information (i.e. personal information of more than 100 individuals).
• Any other information where there is a risk of substantial harm to an individual if information is not handled correctly, such as to personal safety, damage to property, financial harm, risk of fraud, harassment or stalking, or reputational damage.
• Children’s information (information of those under the age of 16).
• This may include financial data.

All personal information other than where it is classified as CONFIDENTIAL should be classified as RESTRICTED . If unlikely to cause substantial damage or distress, financial information may be classified as Public.

Two types of personal information may be classified as PUBLIC.

(A) Personal information consisting only of the following details of a small number of adults (individuals over the age of 16):

  •  The names, email addresses and/or identifiers (not tied to any other information or personal information).
  • Personal information of low sensitivity publicly available or in the public domain.

(B) Personal information strictly necessary to be used to communicate e.g.:

  • The email address of a member of the public in order to send that person an email. All personal information in the email/body of the communication must be protected in accordance with the applicable classification.
  • A personal telephone number to call that person on a device that can’t be encrypted.
APPENDIX C INFORMATION CLASSIFICATION: SECURITY CONTROL REQUIREMENTS

Note: When sending information to third parties there needs to be explicitly agreed handling and storage procedures, and evidence that the third party is complying with these security requirements.

APPENDIX D INFORMATION CLASSIFICATION: DISPOSAL ADVICE

Your computers, tablets and smartphones are used to store and communicate data which – if in the wrong hands – could be used to compromise the safety and security of Trinity Rawdon members and employees. This data could be stored on the device itself, or accessible in the form of internet bookmarks, remote network access, or via email and social networking contacts.

Get Safe Online’s top tips…

Remember that even if you have deleted files and other content from computers and mobile devices, this data may not have been properly erased and can be retrieved by criminals with the minimum of effort. It is vital to safeguard data whilst devices are in use, but equally important to ensure that computers, tablets and smartphones do not remain vulnerable at the end of their life. This is done by disposing of
them correctly. Even data which you may think has been safely deleted can be retrieved with relative ease by both dedicated criminals and skilled opportunists.

Disposing of computers

If you have a computer with data on the hard disk that you need to retain, copy it across to another environment prior to deleting it. If you have a PC and wish to transfer data, settings and user profiles to another PC, you can download a free Microsoft utility called PCmover Express. You could also back up all unsaved data in the cloud.

Fully erase the hard disk(s) so that any confidential personal information is completely deleted. However, simply deleting files is not enough to permanently erase them. Instead, use a dedicated file deletion program or service, or physically destroy the hard drive to render it unusable. Alternatively, if the hard drive is still serviceable and reliable, you could re-house it in an external case with power supply and
USB connection and use it to back up or exchange your data.

CDs, DVDs, memory cards, USB sticks and other USB connected devices may also contain your sensitive data and care should be taken that they are removed. If appropriate, dispose of them with equal care.

If the computer equipment is at the end of its life and not to be re-used by you, it should be dismantled and the components recycled correctly and responsibly by a proper disposal facility in accordance with the WEEE (Waste Recycling and Electronic Equipment) Directive.

Disposing of smartphones & tablets

Ensure that any data or settings you need are copied from your device by syncing it with its associated computer – or backing it up to the cloud – then restoring it to factory settings.

In the case of Android devices you must enable encryption before applying the factory reset. Apple iPhones already feature hardware encryption by default – a feature that cannot be user-disabled. To be completely sure that your data and settings are deleted, however, download and use a reputable data deletion tool. If the device is at the end of its life and not to be re-used by you, it should be dismantled
and the components recycled correctly and responsibly by a proper disposal facility in accordance with the WEEE (Waste Recycling and Electronic Equipment) Directive.

 

Approval and Version Control
Status: Approved 01.06.18
By: Trinity Rawdon Leadership Team

Signed:
P Lambert Trinity Rawdon Administrator

Next Version Review Date: 14/07/2023