It is important to think about the type of information you are working on. This will help you decide how well the information needs to be secured.
The overview below will help you assess what class of information you are working with, and what the requirements are for this type of information with regard to information security. Our data storage guide shows where we can store information in the various information classes at UiS.
If you work with red/confidential information, there are stricter requirements for security than for yellow/internal information. It may therefore be a good idea to find out if there is a need for all the information to be secured in the same way, or if something needs less security. This exercise can be used to simplify your work.
- ensure that the information is placed in the correct class based on this document.
- make an assessment when the information changes class.
- ensure that all storage, processing and processing of information takes place on technical solutions that have been approved for this - see separate storage guide.
- regularly check that any changes in the requirements are met.
The information must always be placed in a sufficiently secure class. For example, if you are in doubt about whether to choose red or yellow, choose to classify it as red information.
Different types of classification
Information that can or should be available to anyone without special access rights.
The vast majority of the information the university manages is open, either as a consequence of the purpose and purpose of the university's activities or as a result of requirements for transparency in laws and other regulations that control public administration and activities.
This class is used if it does not cause any harm to the institution, or partner if the information becomes known to unauthorized persons.
Examples of such information are
- A web page that presents a department, course, or entity that is openly posted on the Internet
- study material that is open, but which is marked with a license and / or copyright
- research data that does not need any protection (the researcher is responsible for this assessment)
- teaching materials that does not require any protection (the teacher is responsible for this assessment)
Note that even if some of this information is to be available to everyone, the integrity of the information must still be ensured by only giving people with the correct rights access to change the information. Also note that although the information may be open, you are not free to choose what you do with it..
This is information that is not open to everyone. In laws or other regulations, there is no requirement that this type of information should be openly accessible. This is all information that is not classified as open, confidential, or strictly confidential.
This type of information must have some protection and can be available to both external and internal users, with controlled access rights. This class is used if it could cause some damage to the institution, or partner if the information becomes known to unauthorized persons. The information is only relevant to, or is directed at, a limited group, either at the university or at institutions and organizations the university collaborates with.
Examples of such information can be:
- Internal work documents
- Information that is internal to UiS
- Common types of personal information such as name, email address, telephone number etc.
- Student work documents
- Exam answers
- Unpublished research data
This is information that the university is required to restrict access to in laws, regulations, agreements, regulations and other regulations. This corresponds to the degree of confidentiality in the public Protection Instruction.
"Confidential" is used if it will cause harm to public interests, the university, individual or partner if the information becomes known to unauthorized persons
Examples of such information may be
- Special categories of personal data (formerly called "sensitive personal data")
- Data subject to export control rules and regulations
- Large amounts of ordinary personal information which can create a detailed profile of an individual should be considered red data.
- Business sensitive data.
- Data which a researcher, or others, are given access to from an external business/organization. These will often demand that the data is protected with extra confidentiality, and in these cases this data should be treated as RED.
- Data which can affect UiS negatively when it comes to economic consequences or health and environmental damage if it is authorized by other than the intended recipients can also be considered business sensitive data.
This category includes the same type of information as Confidential (red), but where special considerations make you want to further protect the data. Regulations for protection and security in addition to the statutory ones shall be laid down in agreements or documented in writing in another way.
This corresponds to the degree of strict confidentiality in the public Protection Instruction. "Strictly confidential" is used if it could cause significant harm to public interests, the university, individual or partner that the information becomes known to unauthorized persons.
Placement of data and information in this category is done in collaboration with UiS-IT.
Some examples of this type of information:
- Large amounts of sensitive personal information
- Large amounts of information about persons health and health conditions
- Research data and data sets of great economic value
- Certain types of data from Statistics Norway with personal information
You have to determine if you are treating large amounts of data yourself based on context, amount and type of data. Typically, register data with personal information will always be considered large amounts of data, and similarly register data with health information will always be considered large amounts of sensitive data (BLACK).
Examples of classification:
Book borrowed from the library
|General personal data (name, e-mail address etc.)|
Unpublished research data
Unpublished student work and assignments
|Special categories of personal data, e.g. personal health data, religion etc. |
Data covered by export control regulations
Exam answers exempt from public viewing
Business sensitive data which is defined as sensitive by a partner organization, for example information about technology which gives a business a competitive advantage
|Large amounts of special categories of personal data|
Research data or datasets of large economic value