The overview below will help you assess which class of information you are working with, and what the information security requirements are for that class.
Different types of classification
Open
Information that can or should be available to anyone without special access rights.
The vast majority of the information the university manages is open, either as a consequence of the nature and purpose of the university's activities or as a result of the transparency requirements in laws and other regulations that govern public administration.
This class is used when it would cause no harm to the institution or a partner if the information became known to unauthorized persons.
Examples of such information are
- A web page that presents a department, course or unit and is openly posted on the Internet
- Study material that is open, but which is marked with a license and/or copyright
- Research data that does not need any protection (the researcher is responsible for this assessment)
- Teaching materials that do not require any protection (the teacher is responsible for this assessment)
Note that even if this information is meant to be available to everyone, its integrity must still be protected: only people with the correct rights may be able to change it. Also note that although the information may be open, you are not free to do whatever you like with it; licenses and copyright still apply.
Internal (yellow)
This is information that is not open to everyone. No law or other regulation requires this type of information to be openly accessible. It covers all information that is not classified as open, confidential or strictly confidential.
This type of information must have some protection. It can be made available to both external and internal users, but with controlled access rights. This class is used when it could cause some harm to the institution or a partner if the information became known to unauthorized persons. The information is only relevant to, or is directed at, a limited group, either at the university or at institutions and organizations the university collaborates with.
Examples of such information can be:
- Internal work documents
- Information that is internal to UiS
- Common types of personal information such as name, email address, telephone number etc.
- Student work documents
- Exam answers
- Unpublished research data
Confidential (red)
This is information that the university is required to restrict access to by laws, regulations, agreements or other binding rules. It corresponds to the grade "confidential" in the public Protection Instruction.
"Confidential" is used when it would cause harm to public interests, the university, an individual or a partner if the information became known to unauthorized persons.
Examples of such information may be
- Special categories of personal data (formerly called "sensitive personal data")
- Data subject to export control rules and regulations
- Large amounts of ordinary personal information which together can form a detailed profile of an individual (this should be treated as red data)
- Business sensitive data
- Data which a researcher, or others, are given access to by an external business or organization. The provider will often require that the data is protected with extra confidentiality, and in such cases the data should be treated as RED.
- Data whose disclosure to anyone other than the intended recipients could cause UiS economic loss or lead to harm to health or the environment. Such data can also be considered business sensitive.
Strictly confidential (black)
This category includes the same types of information as Confidential (red), but where special considerations warrant protecting the data even further. Protection and security requirements beyond the statutory ones shall be laid down in agreements or otherwise documented in writing.
It corresponds to the grade "strictly confidential" in the public Protection Instruction. "Strictly confidential" is used when it could cause significant harm to public interests, the university, an individual or a partner if the information became known to unauthorized persons.
Placement of data and information in this category is done in collaboration with UiS-IT.
Some examples of this type of information:
- Large amounts of sensitive personal information
- Large amounts of information about persons health and health conditions
- Research data and data sets of great economic value
- Certain types of data from Statistics Norway with personal information
Whether you are handling "large amounts" of data is something you must assess yourself, based on the context, the volume and the type of data. As a rule, register data containing personal information will always be considered a large amount of data, and register data containing health information will always be considered a large amount of sensitive data (BLACK).
The person responsible for the information must:
- Ensure that the information is placed in the correct class according to this document.
- Reassess the classification when the information changes class (for example when research data is published or an exam answer is exempted from public viewing).
- Ensure that all storage and processing of the information takes place on technical solutions that have been approved for that class; see the separate storage guide.
- Regularly check that any changes in the requirements are still met.
The information must always be placed in a class that gives it sufficient protection. If you are in doubt about whether to choose red or yellow, classify it as red.
Connection keys are name lists or files that make it possible to identify individuals in a dataset. Names, email addresses, national identity numbers, etc. are replaced in the dataset with fictional names, numbers or codes, so that the dataset itself is de-identified, while the key records which code belongs to which person. As long as the connection key exists, the data is not anonymized. This means that:
- The connection key should be considered and treated with the same classification as the information it is linked to. This means that if the dataset contains special categories of personal data (RED data), the connection key must also be treated and stored as RED data.
- Connection keys must be kept separate from the dataset. This can be done, for example, by storing the dataset in Teams and the connection key in your UiS OneDrive.
An anonymous dataset consists of information that does not in any way identify individuals, either directly through names or indirectly through addresses, email addresses, IP addresses or connection keys. De-identified or pseudonymized data can therefore not be considered anonymous. There are several advantages to using or collecting anonymous data: in research and student projects there is no need to report the project to SIKT, and the requirements for data security are less stringent. See the separate guide on how to carry out a project without processing personal data.
When handling data anonymously, it is also important to consider the composition of information that may indirectly identify a person. For example, it would not be anonymous if you describe someone as a "school principal in Helleland" (Helleland being a small village with only one school), whereas "principal at an elementary school in Western Norway" would not be personally identifying.
Therefore, you must assess whether it is possible to deduce the identities of individuals based on the information you register about them.
If a collaborator or entity other than yourself possesses a connection key and can identify individuals in the dataset, the dataset cannot be considered anonymous. This is important to be aware of if you are accessing datasets from an internal or external collaborator.
- If, for example, health information is collected anonymously for a research project, you do not necessarily need to classify and handle the data as confidential (RED), unless other circumstances or collaborators require a higher degree of confidentiality. It is still important to obtain informed consent and to inform respondents that they will be anonymous and how the anonymous data may be shared or deleted.
Summary of examples by class:

| Internal (yellow) | Confidential (red) | Strictly confidential (black) |
| --- | --- | --- |
| Book borrowed from the library | Special categories of personal data, e.g. personal health data, religion etc. | Large amounts of special categories of personal data |
| General personal data (name, e-mail address etc.) | Data covered by export control regulations | Research data or datasets of large economic value |
| Unpublished research data | Exam answers exempt from public viewing | |
| Unpublished student work and assignments | Business sensitive data which is defined as sensitive by a partner organization, for example information about technology which gives a business a competitive advantage | |