Classification of data and information

All information and data must be evaluated to make sure that it is securely stored and can't be accessed by unauthorized persons.

       

About Ownership - How to Evaluate Which Class to Use

All information must have a unique and identifiable owner. It should be possible to find out who is responsible for maintaining and updating the information, and for making sure that it is correctly marked. The owner of the information is responsible for the assessments that are the basis of placing the information in a given category. If the owner of a document or other piece of information at the University of Oslo can’t be identified, the Director of the University is responsible for the information.

The owner of the information must

  • ensure that the information is placed in the correct class based on the requirements in this document.
  • make an assessment of information class when the information changes.
  • ensure that all storage and processing of the information is done with appropriate tools and technical solutions approved for this - see separate guide.
  • regularly check for changes in the requirements for classification, and, if needed, re-assess the information according to the new requirements.

The information should always be placed in a sufficiently safe class. If you are in doubt about which class to choose, for example between red and yellow, choose red. Note that UiO has clear rules for placing some types of information, such as medical research and staff folders.


Green: Open or Freely Available

Information that may or must be available to anyone without special access rights.

Most of the information the university manages is open, either as a consequence of the purpose of the university's business or as a result of transparency laws and other regulations governing public administration and businesses. Information which is not classified as being in need of protection (yellow, red or black category), belongs in this category.

This class is used if it does not cause any harm to the institution or partner if the information becomes known to unauthorized persons.

Examples of such information are

  • a web page that presents a department, a course or a unit that is open on the internet
  • study material that is open but which is marked with a given license and/or copyright
  • research data that does not require any protection (the researcher is responsible for this assessment)
  • teaching materials that do not need any protection (the teacher is responsible for this assessment)

Note that although some of this information should be accessible to all, the integrity of the information shall be ensured by only allowing persons and users with the correct rights to change the information. Also note that although the information may be open and freely available, it is not necessarily open to be changed, distributed or used for other than its intended purpose.  

Yellow: Limited access

This is information that is not open to everyone. In laws or other regulations, there is no requirement for the information to be open. This is all information that is not classified as open, confidential, or strictly confidential.

The information must have some protection and may be available to both external and internal users/readers, with controlled access rights. This class is used if it could cause some damage to the institution or a partner if the information becomes known to unauthorized persons. The information is only relevant to or targeted at a limited user group, either at the university or at institutions and organizations with which the university collaborates.

Examples of such information may be

  • some unfinished documents
  • information which is exempt from public disclosure
  • many types of personal information
  • marks/grades
  • student work
  • examination papers
  • unpublished research data and other work in progress

Red: Confidential

This is information that the university is required to restrict access to by law, regulations, agreements or by other measures. This corresponds to the class Confidential in the Public Confidentiality Instructions (Beskyttelsesinstruksen). "Confidential" is used if it will cause harm to public interests, the university, individuals or partners if the information becomes known to unauthorized persons.

Examples of such information may be

  • specific categories of personal information (formerly known as "sensitive personal data")
  • personnel files
  • security related information about, for example, buildings and IT systems
  • health information
  • exam questions before they are given

Black: Strictly Confidential

This category includes the same type of information as Confidential (red), but includes special considerations which require even further protection of the data. Instructions for protection and security beyond what is required by law must be established in agreements or documented in writing in another way.

This class corresponds to the class Strictly Confidential in the Public Confidentiality Instructions (Beskyttelsesinstruksen). "Strictly Confidential" is used if it could cause significant harm to public interests, the university, individuals or partners if the information becomes known to unauthorized persons.

The choice of tools for processing and platforms for storing data and information in this category is made in cooperation with the UiO IT lawyers and the UiO IT Security Manager.

Examples of such information are

  • large amounts of sensitive personal information
  • large amounts of health information
  • research data and data sets of high economic value
Published July 25, 2018 1:26 PM - Last modified Aug. 29, 2018 10:15 AM