HKUST Data Classification Guidelines

Revised: 2021 by ITSC

HKUST takes seriously its commitment to respect and protect the personal data privacy of its staff, faculty, students and alumni. For that reason, HKUST has classified its information assets into three categories for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access. 

All the University members that may come into contact with such information shall familiarize themselves with this data classification scheme and follow it consistently. Please contact the University’s Data Privacy Officer with any questions about the appropriate classification of information.

Data Classification Scheme

The University must classify all its information assets to indicate the need, priority and degree of protection required. The degree of protection required for different categories of information is based on security and legislative compliance requirements. The following three classifications with different security levels shall be used for categorizing University’s information assets. 

  • Sensitive (high protection)
  • Sensitive (normal protection)
  • Non-Sensitive

Classification Matrix

  Sensitive (high protection) Sensitive (normal protection) Non-Sensitive
Information Classification Guideline
  • This is the most sensitive information category. Your data in this group has to be protected because of policies, regulations, legal stature, or deemed necessary by data custodian. 
  • As such, your information, which intended for a few specific audience, has to be protected by authentication or identity verification, and should not be disclosed even within a workgroup or department.
  • For this category, your information is primarily related to University business, and your data is typically intended for use within the HKUST community with a legitimate need-to-know. 
  • As such, your information has to be guarded due to proprietary or privacy considerations and should be protected by authentication or identity verification.
  • For this category, your information may be or must be open to the general public, and your data may be freely disseminated without any potential harm. This includes data which are restricted to HKUST Intranet access but do not need authentication (e.g. ITSC communication directory). 
  • Data not classified as Sensitive falls in this category. 
Some Examples
  • Student academic record.
  • HKID, passport, visa.
  • Student loans.
  • Exam questions.
  • Academic personnel information.
  • Recruitment records.
  • Staff MPF and income data.
  • Medical records.
  • Financial data.
  • Non-disclosure agreements.
  • Senate paper.
  • Council paper.
  • Date of birth.
  • Nationality.
  • Budgets.
  • Course Assessment & Survey results.
  • University internal policy & guideline.
  • Department or committee meeting minutes and internal documents.

The followings are also included unless data custodians treat them as non-sensitive information.

  • Course materials.
  • Exchange partner list.
  • Conference paper.
  • Research project materials.
  • Research proposal & research data.
  • Patent, Invention and project records.
  • Research funding data.
  • Course catalog.
  • Service information.
  • Certain university contact information not designated by individual as private.
Applying Azure Information Protection for supported electronic document
  • Apply AIP label “Highly Confidential” to restrict access to selected users
  • Apply AIP label “HKUST Restricted” to restrict access to HKUST community
  • Optionally apply AIP label “Public” to indicate the nature of the document without extra protection
Access
  • Access is protected by authentication or identity verification. 
  • Access is protected by authentication or identity verification.
  • May be freely disseminated without potential harm. 
Transmission
  • Encryption is required when transmitting information through a network if AIP is not applied. 
  • Encryption is strongly recommended when transmitting information through a network if AIP is not applied 
  • No encryption is required. 
Storage
  • Encryption is required if information is stored on non-central Computing Equipment and when AIP is not applied. 
  • Encryption of Confidential information is strongly recommended if information is stored on non-central Computing Equipment and when AIP is not applied. 
  • No encryption is required. 

Risk Classification and Acceptable Practice

The risk associated with the use of the data shall also be mapped to one of the three Risk Categories, namely high-risk, moderate-risk and low-risk published in the Risk Classification by the ITSC, based on the outcome of risk assessment.   
 
Risk assessment would take into account the purpose of particular use case, and understanding of the business and operational concerns.   And in particular, the handling of high-risk data shall conform to the Acceptable Practice for Handling High Risk data published by the ITSC so as to have the necessary protection of individuals, units, and the University.