Know your data

Understand your data classification level View

What to do

As a Monash staff member it is important to determine the security classification of the data or information you are working with. This security classification will determine your responsibilities around storage, sharing, publishing, ethics and consent, and retention and disposal, and what Monash services are suitable for you to use.

How to do it

Use the Digital Research Capability Catalogue (DRCC) to determine the most appropriate service to protect your data and meet your obligations.

Check our Data classification table (staff login required) to see which classifications of data are allowed on core IT services.

Why it matters

Data classification allows for tailored data protection and management of sensitive information like Personally Identifiable Information (PII) or Protected Health Information (PHI) based on its importance to Monash University.

Policies, procedures and standards
Security classifications
Very Sensitive
This classification applies to very sensitive information where:
- Unauthorised access or disclosure would seriously and adversely impact the University, its employees, its students and/or its partner organisations;
- Access, modification, distribution, retention and/or destruction of information is subject to restrictive regulatory obligations;
- Access is strictly limited to a selected group or process; and
- If compromised, would place the University in breach of its legal and regulatory responsibilities.
Examples
Institutional:
- Payment Card Information
- Tax File Numbers
- Any personally identifiable information combined with health or sensitive information
- Information that could be associated to an individual’s racial or ethnic origin, religious beliefs, sexual orientation, etc.
Research:
- Identifiable data containing direct identifiers e.g. Name, MRN, DOB and contact details
- Information classified by Human and Animal Ethics Committees
- Any information on children or young persons.
Sensitive
This classification applies to sensitive information where:
- Unauthorised access or disclosure may adversely impact on the University, its employees, its students and/or its partner organisations;
- Access, modification, distribution, retention and/or destruction is limited to a selected group or process; and
- If compromised, may place the University in breach of its legal and regulatory responsibilities.
Examples
Institutional:
- Financial Information
- Student information e.g. exam results and material
- Staff information e.g. details of employment
- Student Evaluation of Teaching and Units data
- Personal information.
Research:
- Re-identifiable data where direct identifiers have been removed but other indirect identifiers may be present e.g. Postcode + rare ICD-10 code still present
- Research datasets where data is not combined with personal identifiable information
- Communications with research partners.
Restricted
This classification applies to restricted information where:
- Unauthorised access, modification, distribution, retention and/or destruction or disclosure may have a negligible impact on the University, its employees, its students and/or its partner organisations;
- Does not include very sensitive or sensitive information, but is created or received within the University (including by students) and used internally;
- Disclosure would not cause damage to the University, its employees, its students and/or its partner organisations;
Examples
Institutional:
- Course materials and content
- Educational resources
- Training material
- Building plans and associated information
- Internal processes and procedures.
Research:
- De-identified data that is aggregate data with no identifying information included e.g. Counts of patient admissions to ICU ward per month
- Drafts of research publications
- Data from instruments and imaging systems (excluding those linked to an MRN or patient ID)
- Data from sensors, cameras, recorders etc. that do not contain identifiers (e.g. faces)
Public
This classification applies to publicly available information where:
- It's made available, or released to the general public; and
- No adverse effects are expected to result from the wide circulation of this information.
Examples
Institutional:
- The Monash University home page (www.monash.edu) and web presence
- Faculty course lists and the University Handbook
- Monash research achievements and broadcast events
- Information in the public domain
- General institutional and business information.
Research:
- Monash research achievements and broadcast events
- Publicly released annual reports (e.g. clinical study reports)
- Published research data/information in Bridges or discipline repositories.

Share files securely View

What to do

Always check the settings when you share a file. Always choose the most ‘restricted’ and least privileged option available for files that contain confidential and sensitive information.

If you send a file as an email attachment, double check that you’re sending it to the correct recipients.

How to do it

When using Google Drive you can choose from the following sharing settings:

Restricted – only the people you have added can access the file
Monash University – only people within Monash can access the file
Anyone with the link – anyone can access this file.

These permissions can be altered at any time in the life of the document.

To make sure you're giving the correct people permissions to access files and correspondence, always:

Choose the correct sharing settings for the purpose of the file.
Ensure that the email addresses that you enter are correct and you've Cc'd or Bcc'd correctly.
Be mindful that using sharing settings other than the 'Restricted' setting can put your file at risk of being shared without your knowledge.

Why it matters

Accidentally sending a message or file to someone could be embarrassing but it could become a big problem if that document includes confidential information. It could lead to a violation of someone’s privacy or even to a data breach.

If you have difficulties using Google Drive, visit the eSolutions Google Drive page or explore Google Drive Help.
For more information visit the Data Protection and Privacy at Monash site.
You can also read the Monash DPPO FAQs (staff login required).

Be aware of data exfiltration risk View

Use AI responsibly View

What to do

Only use AI tools authorised by Monash University when you are doing Monash University work.

How to do it

Read Monash University’s Generative AI Shared Responsibility Model to see which Monash approved AI tools are appropriate for the data you’re entering.

See the GenAI services currently offered page for a list of tools and instructions for accessing each one.

Private, confidential or commercially sensitive information should never be disclosed when using AI tools. Whilst they may claim data is ‘protected’, many tools use global data centres and may process data outside Australia.

Why it matters

Public AI platforms often retain input data for training purposes. Anything you share could be used to refine future AI responses and could be inadvertently exposed to other users outside of Monash.

Many AI platforms allow you to opt out of sharing your inputs with them as training data, but you shouldn’t rely on this. Think of AI platforms as social media: if you wouldn’t post it, don’t enter it into AI.

The major risks of entering sensitive data into public AI platforms:

Exposure of private company data
Proprietary company data, such as project details, strategies, software code, and unpublished research, could be retained and influence future AI outputs.
Exposure of confidential customer information
Personal data or client records should never be entered, as this could lead to privacy violations and legal repercussions.

Use of generative AI tools must adhere to the University’s Information Technology Acceptable Use Policy and Generative AI Shared Responsibility Model (staff only).

Contact the Cyber Team

Email the cyber team at cyberteam@monash.edu

Contact the Service Desk

Contact the Monash University Service Desk.

Cyber Security at Monash University

Cyber Security at Monash University

Know your data

Understand your data classification level View

What to do

How to do it

Why it matters

Policies, procedures and standards

Security classifications

Very Sensitive

Sensitive

Restricted

Public

Share files securely View

What to do

How to do it

Why it matters

Be aware of data exfiltration risk View

What to do

How it happens

Outsider attacks

Insider threats

Why it matters

Use AI responsibly View

What to do

How to do it

Why it matters

Contact the Cyber Team

Contact the Service Desk