
Information Security Classification Policy: 1. Strategic Plan Theme and Compliance Obligation Supported 2. Purpose

This policy establishes a framework for classifying University information based on its sensitivity and importance. It outlines six categories of information security from public to protected. The creator of information is responsible for assessing the category, and protective labels must be applied. Access to information is restricted based on these categories and legislative requirements. The overarching goal is to manage information appropriately based on its assessed sensitivity and protect more sensitive information.

Uploaded by

Lex Luthorius

Information Security Classification Policy

1. STRATEGIC PLAN THEME AND COMPLIANCE OBLIGATION SUPPORTED


Strategic Plan Theme: Sustainable Future

2. PURPOSE
The Information Security Classification Policy provides a framework to assist members of the
University Community to assess and label the sensitivity and importance of University information.

3. POLICY STATEMENT
3.1 All University information will be assigned an Information Security category so that it will be
managed and secured in a manner appropriate to its sensitivity and importance.
Information Security Categories
3.2 University Information will be assigned one of the following categories:

Public
Information that has been authorised for public access and circulation, or deemed public by legislation or routine disclosure. This includes, but is not limited to, prospective students course outlines, the academic calendar and Curtin's public website.

For Official Use Only
Information intended for internal Curtin use only. This includes, but is not limited to, staff meeting minutes, information on routine building maintenance, room booking information.

Confidential: Legal
Information relating to legal advice provided between Counsel and their client.

Confidential: Personal
Information that is for internal Curtin use only and, if released, could be expected to cause limited damage to the University (according to the University’s Risk Appetite), individuals, or Australia’s National Interest. Used for information that is deemed sensitive personal information as defined in the Australian Privacy Act 1988 or that relates to staff or student discipline or other confidential human resource matters.

Confidential
Confidential information that does not meet the usage requirements for the other categories listed in this table. This may include information relating to research, commercial activities, University committees and other matters.

Protected
Information where any compromise to the confidentiality of information may be expected to cause serious harm or damage to the University (according to the University’s Risk Appetite), individuals, or Australia’s National Interest. Information categorised as Protected may relate to personal, legal, research, commercial, University committees, cabinet and other types of information. Strict restrictions on the use, sharing and storing of this information apply. Additional labelling may be applied to Protected information to indicate restrictions.

Access to University information


3.3 Members of the University Community are provided with the required level of access to
University information in order to effectively carry out their activities. Where there are
confidentiality or privacy requirements, access is restricted to specific staff positions or
organisational units according to business, legislative and regulatory requirements.
Responsibility
3.4 The creator of University Information is responsible for assessing the sensitivity and
importance of the information they have created. The creator is also responsible for ensuring
that the information is appropriately marked with a protective label. The protective label
indicates the level of harm resulting from unauthorised release of the information as well as
the sensitivity of the information. Where information is received from external parties, the
recipient is responsible for assessment and labelling of the information.
3.5 The Curtin recipient is responsible for taking all reasonable steps to handle the information in
accordance with its Information Security category with respect to its:
• physical and/or digital storage; and
• further dissemination to internal and external parties.

4. SCOPE OF POLICY
This policy applies to the Curtin Community, including Council members, students, staff, University
Associates, Curtin controlled entities, and all persons participating in University business or activities,
including whether as a visitor, adjunct appointee, service provider, contractor or volunteer who
manages Curtin information.

5. DEFINITIONS
(Note: Commonly defined terms are located in the Curtin Common Definitions. Any defined terms below are
specific to this document)
Information Security Classification
A process where the creator of University Information assesses the sensitivity and importance of the
information and assigns a label to the information so that it can be managed or stored with
consideration to its sensitivity and importance.
Protective Labels
Protective Labels are physical or electronic labels attached to information that specify the Information
Security Category and level of sensitivity assigned to the information. The label indicates both the
level of damage that would result from the unauthorised release of the information and indicates
where information may require special handling and limited distribution.
University Information
Any information, irrespective of format, that is created, collected, generated, received, maintained or
used in the course of carrying out Curtin’s functions and activities or in the transaction of Curtin
business.

6. SUPPORTING PROCEDURES
N/A

7. RELATED DOCUMENTS/LINKS
State Records Act 2000
Evidence Act 1906
Freedom of Information Act 1992
Criminal Code 1913
Electronic Transactions Act 2011
Australian/International Records Management Standard ISO/AS 15489
Information Security Management System ISO/IEC AS/NZS 27001
Information Management Policy
Information and Communication Technology (ICT) Appropriate Use Procedures
Curtin Information Statement
Australian Privacy Principles (under Commonwealth Privacy Act 1988)
Information Security Classification Decision Matrix
Information Security Classification Flowchart

Policy Compliance Officer: Sue Aldenton, Associate Director, Curtin Information Management and Archives

Policy Manager: Chief Operating Officer

Approval Authority: Planning and Management Committee

Review Date: 1st April 2023

REVISION HISTORY

| Version | Approved/Amended/Rescinded | Date | Committee / Board / Executive Manager | Approval / Resolution Number | Key Changes & Notes |
|---|---|---|---|---|---|
| | Approved | 28/07/2006 | Planning and Management Committee | PMC 79/09 | Attachment 2 to Document No 010154/09 |
| | Administratively Updated | 15/09/2015 | Director, Legal and Compliance Services | | Policy Contact Updated |
| | Administratively Updated | 06/10/2015 | Director, Legal and Compliance Services | EC 76/15 | Executive Manager Title Changes |
| | Administratively Updated | 18/01/2017 | Director, Legal and Compliance Services | | Review date updated |
| | Administratively Updated | 12/10/2017 | Director, Legal and Compliance Services | | Policy Compliance Officer updated |
| | Approved | 27/03/2018 | Planning and Management Committee | PMC 31/18 | Attachment A to Item 10 (previously titled Information Security Classification Policy and Procedures) |

G50-746-355 3
June 2020 (Admin)
