Data/Information Classification Scheme




This classification applies to data/information that is very sensitive in nature and is strictly restricted by the University, the government or any other agreements between the University and third parties.


Such data/information is considered critical to the University’s capacity to conduct its business. Generally, this data/information shall be used exclusively by a limited number of predetermined and authorised named individuals or positions and business partners.


Disclosure of such data/information to unauthorised parties, or sharing it internally, could have a significant adverse impact on the University’s reputation, its staff, students and other relevant stakeholders. Inappropriate disclosure or release could cause significant inconvenience to or endanger an individual, and result in financial loss or damage to standing or reputation at University level.

Illustrative examples:

  • Examination papers before official release
  • Privileged accounts’ passwords of the University’s key information systems
  • Sensitive information concerning a pending criminal investigation
  • Sensitive personal data (e.g., HKID number, credit card information, personal financial or medical information of Staff, Student and research information)



This classification applies to sensitive data/information that is intended for use by a specific group of authorised personnel within the University and business partners, assigned on a need-to-use basis and for an authorised intended purpose.


The unauthorised disclosure, modification or destruction of this data/information would adversely affect the business performance or the continuity of operations.


Inappropriate disclosure or release could cause reasonable inconvenience to individuals, and result in limited financial loss or damage to standing or reputation at unit level. Data/information of interest to news media, pressure groups or electorates also belongs to this classification.


Such data/information shall not be copied or removed from the University’s control without specific authorisation by the appropriate Data/Information Owner/designee.

Illustrative Examples:

  • Student and staff personal#1 information (e.g., personal#1 contact phone number, home address, academic results, performance appraisal)
  • Student and staff disciplinary details
  • Patent pending
  • Unpublished research information (excluding sensitive personal data)
  • Identifiable research subject data (excluding sensitive personal data)



This classification relates to non-sensitive operational data/information. It applies to data/information that is intended for use by members of the University and authorised service providers. Disclosure of such data/information could have a moderate adverse impact. Disclosure or release is not expected to cause serious harm to the University, and access may be provided to a staff member or a specific group of staff based on their respective roles and responsibilities.

Illustrative examples:

  • Staff handbooks
  • Internal policies
  • Training materials
  • Manuals
  • Internal procedures (e.g., system hardening procedures, etc.)



This classification applies to data/information that has been approved by the appropriate University authority for public consumption. Such data/information shall present minimal perceived risk to the University, its staff, students and/or relevant stakeholders.

Illustrative examples:

  • University policy
  • Programme and admission information
  • Published academic literature
  • Press releases, etc.


#1 Change made by ISDM Working Group on November 22, 2017. “Student and staff personal data/information” is the major concern in relation to the classification of “confidential” data/information.