Security Classifications

Security classifications for research data

As a researcher it is important to determine the security classification of the data you are generating or collecting as part of your research. The security classification of your data will determine your responsibilities around storage, sharing, publishing, ethics and consent, and retention and disposal, and what Monash services are suitable for you to use.

The University has developed a security classification framework for information and data. These classifications form part of the University’s Electronic Information Security – Information Classification Procedure

.

Security Classifications

ClassificationDefinition
Very Sensitive

This classification applies to very sensitive information where:

  • Unauthorised access or disclosure would seriously and adversely impact the University, its employees, its students and/or its partner organisations;
  • Access, modification, distribution, retention and/or destruction of information is subject to restrictive regulatory obligations;
  • Access is strictly limited to a selected group or process; and
  • If compromised, would place the University in breach of its legal and regulatory responsibilities.

Examples

  • Identifiable data containing direct identifiers e.g. Name, MRN, DOB and contact details
  • Information classified by Human and Animal Ethics Committees
  • Any information on children or young persons
Sensitive

This classification applies to sensitive information where:

  • Unauthorised access or disclosure may adversely impact on the University, its employees, its students and/or its partner organisations;
  • Access, modification, distribution, retention and/or destruction is limited to a selected group or process; and
  • If compromised, may place the University in breach of its legal and regulatory responsibilities.

Examples

  • Re-identifiable data where direct identifiers have been removed but other indirect identifiers may be present e.g. Postcode + rare ICD-10 code still present
  • Research datasets where data is not combined with personal identifiable information
  • Communications with research partners
Restricted

This classification applies to restricted information where:

  • Unauthorised access, modification, distribution, retention and/or destruction or disclosure may have a negligible impact on the University, its employees, its students and/or its partner organisations;
  • Does not include very sensitive or sensitive information, but is created or received within the University (including by students) and used internally;
  • Disclosure would not cause damage to the University, its employees, its students and/or its partner organisations;

Examples

De-identified data that is aggregate data with no identifying information included e.g. Counts of patient admissions to ICU ward per month

  • Drafts of research publications
  • Data from instruments and imaging systems (excluding those linked to an MRN or patient ID)
  • Data from sensors, cameras, recorders etc. that do not contain identifiers (e.g. faces)
Public

This classification applies to publicly available information where:

  • It Is made available, or released to the general public; and
  • No adverse effects are expected to result from the wide circulation of this information.

Examples

  • Monash research achievements and broadcast events
  • Publicly released annual reports (e.g. clinical study reports)
  • Published research data/information in Bridges or discipline repositories
.

Understanding the different classifications

If you would like assistance in classifying your research data, please contact the University's Data Protection and Privacy Office.

.

The following tables may also assist researchers in understanding how to accurately classify their research data.

Examples using different types of data

.

In relation to other classification frameworks

The table below shows how the new classifications relate to the previous University security classifications and to Australian Government classifications.

Monash University classificationsFormer Monash classificationsAustralian Government classifications*
Not UsedNot Used Top Secret
Very Sensitive Critical Secret
Sensitive Protected Confidential
Restricted Restricted Protected
Public Public Information Not Requiring Additional Protection
.