Classification of data
OsloMet follows UNIT's guidelines for classification of information (in Norwegian). All information and data, including personal data and special categories (sensitive personal data), must always be classified and stored in a suitable storage location (storage guide) based on the confidentiality classes:
- Open or freely available information (green data)
- Limited information (yellow data)
- Confidential information (red data)
- Strictly confidential information (black data)
All information at OsloMet must also have an unambiguous and identifiable owner. It must be possible to find out who is responsible for the information being maintained, updated and correctly marked.
What is my responsibility?
- You must decide which class of confidentiality your information belongs to.
- If you are in doubt as to which class your data belongs to, you must choose the strictest confidentiality class. Classify information as confidential (red) if you are unsure whether your data should be classified as restricted (yellow) or confidential (red).
- In systems and tools with the ability to select a classification class, this functionality must be used (for example in Microsoft 365).
- Ensure that the information is sent, stored and processed in accordance with the storage guide.
- You should regularly review the classification of the information, and if necessary, change the classification and storage location.
Open or freely accessible (Green)
Green confidentiality class
Open or freely available information: Information that can or should be available to anyone without special access rights.
Most of the information the university manages is open, either because of the purpose and aim of the university's activities or as a result of requirements for transparency in laws, regulations and other rules that regulate public administration and business. Other parts of the information have no protection requirements even if they are not openly available.
This class is used if it would not cause any harm to the institution or a partner if the information became known to unauthorized people.
Examples of open (green) information
- a website that presents a department, course or unit that is openly posted on the internet
- study material that is open, but is marked with a given license and/or copyright
- research data that does not need any protection; i.e., does not contain personal data (the researcher is responsible for this assessment)
- lecture materials that do not need any protection (the teacher is responsible for this assessment)
Note! Although some of this information must be available to everyone, the integrity of the information must still be ensured by allowing only people and users with the correct rights to change it. Also note that although the information may be open, you’re not free to choose what you do with it.
Yellow confidentiality class
Limited information: Information that is not open to everyone in the first place.
In laws or other regulations, there is no requirement that the information be open. This is all information that is not classified as open, confidential, or strictly confidential.
The information must have some protection and can be available to both external and internal people, with controlled access rights. This class is used if it could cause some damage to the institution or a partner if the information becomes known to unauthorized people. The information is only relevant to, or aimed at, a limited user group either at the university or at institutions and organizations the university collaborates with.
Examples of limited information
- some work documents
- information that is exempt from public disclosure
- many types of personal information
- student works
- exam answers
- unpublished research data and works
Red confidentiality class
Confidential information: This is information that the university is required to restrict access to in laws, regulations and agreements.
This applies to the classification of red data in the public Protection Instruction (Norwegian: Beskyttelsesinstruksen). "Confidential" is used if it will cause harm to public interests, the university, individuals or partners if the information becomes known to unauthorized people.
Examples of such information
- special categories of personal data (formerly called "sensitive personal data"):
  - racial or ethnic background
  - political, philosophical or religious beliefs
  - health conditions
  - sexual relations or orientation
  - membership in trade unions
  - genetic and biometric information for the purpose of identifying a physical person
- data subject to export control (regjeringen.no)
- personnel folders
- some information on, for example, securing buildings and IT systems
- health information
Strictly confidential (Black)
Black confidentiality class
Strictly confidential information: This category includes the same type of information as Confidential (red), but where special considerations make you want to further protect the data.
Orders for protection and security in addition to the statutory ones shall be laid down in agreements or documented in writing in another way.
This corresponds to the degree of strict confidentiality in the public Protection Instruction (Norwegian: Beskyttelsesinstruksen). "Strictly confidential" is used if it could cause significant harm to public interests, the university, individuals or partners if the information becomes known to unauthorized persons.
Placement of data and information in this category is done in collaboration with IT.
Examples of black information
- large amounts of sensitive personal information
- large amounts of health information
- research data of great economic value
- data covered by the security act and the protection instruction