Information Classification
What is Information Classification?
Information classification is a way to communicate the sensitivity of information that you create or come in contact with, providing a framework for how RRC Polytech’s information assets are classified. The purpose of an information classification system is to recognize that different information requires different levels of controls, helping people take appropriate actions to protect information and ensure proper safeguards are in place.
Information classification covers all information, whether physical or digital:
- Physical information is usually paper including posters and diagrams. Physical information is also the objects or media used to store digital information, such as USB keys, CD/DVDs, and hard drives.
- Digital information refers to documents, spreadsheets, presentations, video and audio recordings, email and social media. This information may be stored on a network folder, OneDrive, email systems, or physical media such as USB keys, hard drives, etc.
Your Role in Information Classification
We all play a role in protecting and securing RRC Polytech’s information from risk, including unauthorized access, modification, use, disclosure, removal, and destruction. In order to help ensure our information is protected from potential breaches, RRC Polytech has developed a four-level information classification system. Classifying information helps the author communicate the sensitivity of the information to people who may come in contact with it. And it helps those people treat it appropriately, making sure our sensitive information is always secured.
Information Classification Levels
RRC Public
- Information that is not confidential and is created to be shared or made available to the public.
- Information with this label can be freely shared without restriction.
- Most staff are unlikely to create this kind of information unless it is specifically part of their job. Usually, this information is created as part of formal processes.
Examples
- Marketing material
- Course information
- Published policies
- Published strategy
Sharing
Public documents can be shared freely without any restrictions on how they are shared or secured.
See more detailed guidance on how RRC Polytech employees should share and handle RRC Public information.
RRC Internal
Information that is relevant to an internal RRC Polytech audience and not confidential within the College. This information is not intended to be shared externally but poses no harm if made public, e.g., Staff News posts or Staff Forum (Intranet) content. The majority of the documents staff create are likely to be internal. In general, this information can be shared with RRC Polytech employees as required.
Examples
- Staff News
- Blank staff forms
- Staff training material
- Staff Forum (Intranet) content
Sharing
Internal documents can be shared freely amongst RRC Polytech staff. Caution should be taken, and often permission sought when sharing Internal documents outside of RRC Polytech.
See more detailed guidance on how RRC Polytech employees should share and handle RRC Internal information.
RRC Protected
This information is confidential and sensitive, and access is limited to specific roles or groups of individuals. The inappropriate release of this information would reasonably be expected to cause minimal to moderate harm to individuals, businesses, other third parties, or the College.
Generally, this is the minimum classification for any document governed by legislation, e.g., the Personal Health Information Act (PHIA).
Examples
- Vendor contracts
- Employment records
- Student records
- Planning documents
- Building floorplans
- Donor prospect files
Sharing
Protected documents can be shared with specific groups or amongst known individuals who would have a reasonable need to access the information. When in doubt, check with the document creator.
These files should be shared with adequate security measures in place to ensure the information is properly protected and only accessible to those who need to view it.
If RRC Protected information must be shared with external entities, it should be access controlled and encrypted. All custodians of such information should ensure that it is adequately protected.
See more detailed guidance on how RRC Polytech employees should share and handle RRC Protected information.
RRC Restricted
This information is highly confidential. This information is restricted to specific named individuals or very specific roles.
Unauthorized access could reasonably be expected to cause serious harm to individuals, businesses, other third parties, or the College. Significant controls are required to protect information.
Examples
- Personal Health Information
- Draft strategic plans
- Legal files
- Payroll data
- Network system information
- Research data
Sharing
Restricted documents should only be shared by the content owner or other designated individual. Recipients of restricted information should not share it without specific and express permission.
If RRC Restricted information must be shared with external entities, it should be access controlled and encrypted. All custodians of such information should ensure that it is adequately protected.
See more detailed guidance on how RRC Polytech employees should share and handle RRC Restricted information.
What Should You Do When You Suspect a Breach Has Taken Place?
A breach is defined as information that is disclosed, or potentially disclosed, inappropriately or to inappropriate or unintended audiences.
If you know or suspect a breach has taken place, please contact Information Protection and Compliance or Legal Counsel.
RRC Polytech campuses are located on the lands of Anishinaabe, Ininiwak, Anishininew, Dakota, and Dené, and the National Homeland of the Red River Métis.
We recognize and honour Treaty 3 Territory Shoal Lake 40 First Nation, the source of Winnipeg’s clean drinking water. In addition, we acknowledge Treaty Territories which provide us with access to electricity we use in both our personal and professional lives.