Brasenose College Information Classification and Handling Scheme v4 (June 2024)

Last Review Date: June 2024
Next Review Date: June 2025

Overview

This scheme helps College members process data easily and securely, balancing security with usability.
It aims to minimise the number of platforms storing College data and to maximise use of University / College-hosted or approved cloud systems (for example Office 365).

Data Breach Rules

A data breach is any incident where internal or confidential data is copied, transmitted, viewed, stolen, destroyed or used by an unauthorised individual.
Examples include mis-sent emails or leaving sensitive papers in public spaces. All breaches or near-misses must be reported immediately to a line manager, ICT Director or Infrastructure Officer. Failing to report may result in disciplinary action.
Incidents should be logged centrally (data.protection@bnc.ox.ac.uk).

Help Encrypting and Sending Documents Securely

Guides on encrypting files and using secure transfer tools (such as OneDrive) are available on the College Staff website:
https://staff.bnc.ox.ac.uk/guides/

Common Data Definitions

Public data – Unauthorised disclosure causes no harm; information already intended for the public domain.

Internal data – Disclosure could cause some damage or distress; for a defined audience but not highly sensitive.

Confidential data – Disclosure could cause serious or long-term harm to College interests or individuals. All special-category data is Confidential.

General Data Protection Regulation & Other Terms

Personal data – Information identifying a living person (e.g. name, ID number, online identifier or any personal factor).

Special category personal data – Sensitive information needing extra protection (race, politics, religion, trade-union membership, genetics, biometrics for ID, health, sex life or orientation). Age alone is not special category data.

Basic personal data – Already public personal details (e.g. published academic names or official College email addresses).

How to Identify What Class of Data You Are Accessing / Storing / Sending

Classification Level Information Examples Rationale
Confidential
  • Teaching & Research: Special Category or large (>100) student records, patient data, intellectual property, exam papers in prep.
  • Development & Fundraising: Special Category or large alumni data, major donations.
  • Operations: Staff Special Category data, unpublished accounts, payment details, passwords, hazardous materials info.
  • Admissions & Outreach: Special Category applicant data, large public datasets, under-16 data.
  • Severe financial or reputational harm if disclosed.
  • Possible regulatory action or research contract revocation.
  • Risk to safety or well-being of individuals.
Internal (Default)
  • Teaching & Research: Non-public student or participant data, marks, appeals, unpublished papers.
  • Development & Fundraising: Routine alumni or donor records, gift administration.
  • Operations: Staff data (>50 records), HR files, financial records, governance documents, IT systems info, supplier contracts, CCTV.
  • Admissions & Outreach: Applications, interview notes, funding assessments, commercial activity info.
  • Disclosure may cause financial or reputational damage.
  • Possible regulatory action or distress to personnel.
Public
  • Names & contacts for fewer than 50 staff or students (basic data)
  • Brochures, prospectuses, press releases, published reports
  • No harm if disclosed
  • Information already public
  • Routinely published

Data Handling Rules

Action Public Internal Confidential
Marking Identify as from Brasenose College; record decision to publish. Mark “INTERNAL” on front pages or binders. Mark “CONFIDENTIAL” on all pages and folders and in email subject / body; same for removable media.
Dissemination Available to anyone subject to law. Members of College or University only; password-protected access on need-to-know basis. Authorised recipients only on need-to-know basis; use access controls and retention schedules.
Termination of Employment No restrictions. Ensure return of information and revoke access rights. Return all confidential data and revoke access before leaving.
Document Creation No restrictions. Protect as needed: mark final, restrict permissions (edit/copy/print). Restrict permissions to need-to-know, mark final, consider password encryption for sensitive drafts. Guides: staff.bnc.ox.ac.uk/guides
Digital Storage No restrictions. Use College / University-approved systems; risk-assessed external storage allowed with IT consultation. Use approved monitored drives only; third-party storage requires Bursar approval; restrict folder permissions and password-protect files.
Paper Storage No restrictions. Store in locked cabinets or offices; no papers left unattended. Locked storage in restricted rooms (SALTO access where possible).
Taking Off-site No restrictions. Keep securely in holder; encrypt USB devices. Only with data owner or Bursar authorisation; encrypt devices and do not leave unattended.
Faxing No restrictions. Check number before sending. Not permitted.
Posting Normal mail services. Sealed envelope. Use sturdy envelope marked “Confidential”; hand delivery preferred; otherwise recorded delivery or courier.
Printing No restrictions. Print only when necessary using College printers. Print only as needed; dispose securely after use.
College Owned Devices & Portable Media No restrictions. Use College devices with Sophos protection and updated OS; full-disk encryption recommended. Encryption mandatory for off-site devices; avoid local file downloads and delete temporary files quickly.
Personally Owned Devices No restrictions. Permitted if compliant with University guidance (infosec.ox.ac.uk/protect-my-computer). Only with Bursar or IT Director approval and per University guidance; no confidential data without permission.
University SharePoint & O365 SharePoint No restrictions. Use Owner/Member/Visitor permission groups; break inheritance only as needed. Assign specific named permissions (MANDATORY); check with IT before granting wide access; use “ALERT ME” for change notifications.
University OxFile N/A Retired service – Do not use. Use OneDrive instead.
University O365 OneDrive No restrictions. Default private to owner until sharing enabled. Approved for confidential sharing with appropriate permissions set on a need-to-know basis.
University O365 MS Teams Platform No restrictions. Ensure team access based on need-to-know; remove guest access after projects. Confidential sharing is secure; remove files from Teams after meetings or projects end.
University O365 Email No restrictions. Internal distribution within O365 is secure.
  • Internal emails encrypted in transit and at rest.
  • Use Outlook PROTECT for external encryption (Microsoft docs).
  • Encrypt attachments for external recipients; send password separately (e.g. Teams message).
  • Do not send to personal (non-University) addresses without Bursar approval.
Telephony No restrictions. No restrictions. Assume caller ID can be spoofed; authenticate before sharing confidential data; prefer Teams calls for secure voice.
Disposal No restrictions. Use bins or shredders; erase copies when no longer needed; IT to dispose hardware securely (computer.office@bnc.ox.ac.uk). Use confidential waste bins or shredders; erase copies per retention policy; contact IT for secure hardware destruction.

 

Version: v4 (June 2024)

Last Review Date: June 2024
Next Review Date: June 2025