Information Classification

All College information, regardless of where it resides or what purpose(s) it serves, must be carefully and consistently protected throughout its life cycle based on its sensitivity and its importance to College operations.

All College information is categorized into one of three classifications:

1. Public Information

This is information that is intended for public use and, when used as intended, will have no adverse effect on the operations, assets, or reputation of the College, or the College’s obligations concerning information privacy. The College reserves the right to control the content and format of Public information that it creates.

Public information examples include program monographs, syllabi, business phone numbers of staff, campus maps and any other information published on our external websites.

2. Internal Information

Internal information is intended for use by and made available to members of the College Community who have clearly identified a business need (often referred to as a “need-to-know”). If this information is disclosed, it may have a minor adverse effect on the operations, assets, or reputation of the College, or the College’s obligations concerning information privacy. Internal information may be released to external parties to the extent there is a legitimate business need to do so and if non-disclosure agreements are in place beforehand. The College reserves the right to control the content and format of internal information when it is published to external parties.

Examples include internal memos, minutes of meetings, internal project reports, and other information stored on internal SharePoint, internal websites, or databases.

Internal information should never be stored on unencrypted portable media, such as USB drives or portable hard drives.

3. Sensitive Information

This is information intended for limited use and to be made available only to authorized persons within the College who have a bona-fide need-to-know. If accidentally or deliberately disclosed, Sensitive information can be expected to have a serious, adverse effect on the operations, assets, or reputation of the College, or the College’s obligations concerning information privacy.

A breach of Sensitive information may result in the College undertaking voluntary or involuntary breach notification to affected individuals.

Examples include employee and student information, appeals and grievances, medical information, logical or physical architectures, third-party applied research data, accounting information, and information protected by legislation.

Sensitive information must be labelled as “Confidential”, must always be securely locked when in physical form or electronically protected while in electronic form, and never left unattended or unsecured. Sensitive information should never be stored on unencrypted portable media, such as USB drives or portable hard drives.

The College also holds highly sensitive medical-related Personal Health Information (PHI) within its medical, dental and therapy clinics, nursing and para-medicine programs, Centre for Students with Disabilities (CS), as well as various program intake processes. Should PHI become accidentally or deliberately disclosed, the College must undertake immediate, mandatory breach notification to affected individuals under the Personal Health Information Protection Act (PHIPA). This would likely cause a severe adverse effect on the College’s assets and reputation. For this reason, medical-related information must never be stored on portable media of any kind, including USB drives or portable hard drives.

Should you have any questions regarding Information classification or safeguarding, please contact the Manager, Information Security at infosec@algonquincollege.com