As a researcher it is important to determine the security classification of the data you are generating or collecting as part of your research. The security classification of your data will determine your responsibilities around storage, sharing, publishing, ethics and consent, and retention and disposal, and what Monash services are suitable for you to use.
This classification applies to very sensitive information where:
Unauthorised access or disclosure would seriously and adversely impact the University, its employees, its students and/or its partner organisations;
Access, modification, distribution, retention and/or destruction of information is subject to restrictive regulatory obligations;
Access is strictly limited to a selected group or process; and
If compromised, would place the University in breach of its legal and regulatory responsibilities.
Examples
Identifiable data containing direct identifiers e.g. Name, MRN, DOB and contact details
Information classified by Human and Animal Ethics Committees
Any information on children or young persons
Sensitive
This classification applies to sensitive information where:
Unauthorised access or disclosure may adversely impact on the University, its employees, its students and/or its partner organisations;
Access, modification, distribution, retention and/or destruction is limited to a selected group or process; and
If compromised, may place the University in breach of its legal and regulatory responsibilities.
Examples
Re-identifiable data where direct identifiers have been removed but other indirect identifiers may be present e.g. Postcode + rare ICD-10 code still present
Research datasets where data is not combined with personal identifiable information
Communications with research partners
Restricted
This classification applies to restricted information where:
Unauthorised access, modification, distribution, retention and/or destruction or disclosure may have a negligible impact on the University, its employees, its students and/or its partner organisations;
Does not include very sensitive or sensitive information, but is created or received within the University (including by students) and used internally;
Disclosure would not cause damage to the University, its employees, its students and/or its partner organisations;
Examples
De-identified data that is aggregate data with no identifying information included e.g. Counts of patient admissions to ICU ward per month
Drafts of research publications
Data from instruments and imaging systems (excluding those linked to an MRN or patient ID)
Data from sensors, cameras, recorders etc. that do not contain identifiers (e.g. faces)
Public
This classification applies to publicly available information where:
It Is made available, or released to the general public; and
No adverse effects are expected to result from the wide circulation of this information.
Examples
Monash research achievements and broadcast events
Publicly released annual reports (e.g. clinical study reports)
Published research data/information in Bridges or discipline repositories
.
Understanding the different classifications
If you would like assistance in classifying your research data, please contact the University's Data Protection and Privacy Office.
The table below shows how the new classifications relate to the previous University security classifications and to Australian Government classifications.