On ownership – how to decide which class to use
All our information shall have an unambiguous and identifiable owner. Anyone should easily be able to find out who is responsible for keeping the information updated, maintained and correctly labeled. The ?information owner? is responsible for the assessment used to place the information in its given category. In those cases where an owner cannot be identified, the University Director is responsible for the information.
The information owner is responsible for
- making sure the information is placed in the correct class in accordance with these rules
- making a new assessment when the information changes class
- making sure that all storage, handling and processing of information is done using technical equipment approved for this – see this guide
- periodically checking that any changes in these rules are noted and that the chosen information class reflects this.
Always put the information in a sufficiently safe class. If you are not sure whether to your information is red or yellow, choose red.
Note that the university has some clear rules on how to classify certain types of information, such as medical research and personnel files.
Open or freely available (Green)
Information that may or should be available to the general public, with no special access restrictions.
Most of the information managed by the university is open, either because of the general objective of the university as such, or because the law or other official regulations dictates that the information should be open. Other parts of the information does not need special protection even though it is not openly available.
This class is to be used if the university or its partners are not subject to any harm if the information is exposed to third parties.
Examples are
- a webpage presenting a department or a class, published openly on the internet.
- material for a course which is openly published, but marked with a certain license and/or copyright.
- research data that does not need any protection (the researcher is responsible for this assessment)
- teaching material that does not need any protection (the teacher is responsible for this assessment)
Note that even though some information is meant to be available for all, it is still important so ensure the integrity of this information by making sure that only people and users with the correct credentials have access to changing the information. Note also that even though some information may be open, you still cannot choose freely what you do with it.
Restricted (Yellow)
This is basically information which is not open for everyone. There are no laws or regulations saying that the information should be open. This is all information which is not classified as ?open?, ?in confidence? or ?strictly in confidence?.
The information needs a certain protection, and may be accessible to people both within and outside the university, provided that the access is limited and controlled per user. This class is to be used if the university or its partners may be subject to limited harm if the information is exposed to third parties.
The information only has relevance for, or is focused on, a limited set of users, either within the university or with other institutions or organizations that we cooperate with.
Examples may be
- certain work documents
- information which is to be kept from the public
- many types of personal data
- grades
- work by students
- examination answers
- unpublished research data and corresponding works
In confidence (Red):
This is information which the university is obliged to protect by law, agreements and other regulations. This corresponds to the information class ?In confidence? in the official Norwegian instructions for information protection. ?In confidence? is used if the university, its partners, public interests, or individuals, may be subject to harm if the information is exposed to third parties.
Examples may be
- certain types of sensitive personal data
- personnel files
- certain information about for example protection and safety of buildings and IT systems
- information about a person's health
Strictly in confidence (Black):
This category encompasses the same type of information as ?In confidence (red)?, but where special circumstances makes it necessary to protect the information even more. Demands on protection and safety are to be written down in agreements or other written documentation.
This corresponds to the information class ?Strictly in confidence? in the official Norwegian instructions for information protection. ?Strictly in confidence? is used if the university, its partners, public interest, or individuals, may be subject to considerable harm if the information is exposed to third parties.
Placement of data and information in this category should be done in cooperation with the lawyers at USIT and the IT security manager.
Examples may be
- large amounts of sensitive personal data
- large amounts of data about people's health
- research data and datasets of huge economic value
Approved by the Director of Information Technology in june 2018