Fleming introduced information sensitivity (or data classification) labels as part of 6-604 Electronic Information Security Policy & OP #6-604A Information Security Classification Procedure. Every college community member is responsible for protecting all sensitive College information entrusted to them. Establishing classification levels & the use of labels helps to identify the amount of risk and care that must be taken when handling data at each level. Each sensitivity level has associated handling instructions for labelling, access control, storage and email restrictions.

The table below is only a summary.  Please see OP #6-604A Information Security Classification Procedure – Appendix B for full details.

Label	Risk – Definition	Handling Instructions	Examples
Public	Low Risk – Information that has been approved for distribution to the public by the office of primary interest, administrative authority, or through some other valid authority such as legislation or policy.	No special handling is required.	Annual reports Advertising & media releases Academic Calendar Name and work contact information of employees Open session meeting minutes
Internal	Medium Risk – Information that is intended for use within the College or within a specific department, school, committee, workgroup, or any group of individuals with a legitimate need to know. Internal information is not approved for general circulation outside the group.	Label as “Internal” is recommended but optional. Access is limited to employees and other authorized users for business-related purposes. Stored in a secure and password-protected College system.	Student or staff number (*) Fleming network username and email address (*) Budget information Student grades and assessment scores Some department procedures
Confidential	High Risk – Information is highly sensitive business or Personal Information, or a critical system. It is intended for very specific use and may not be disclosed except to those who have explicit authorization to review such information, even within a workgroup	Labelling documents and emails with “Confidential” is required. Access is limited to individuals in a specific function, group, or role. Principles of least privilege and need-to-know must be applied. Stored in a secure and password-protected College system. Storage encryption is required on mobile devices & laptops. External Email: Avoid where possible. If required, the use of email encryption is recommended.	Personal Information such as home address, home/cell phone number, personal email address. Personnel Files Personal financial information (bank accounts, payment history, financial aid/grants) Payroll information (tax records, employee payroll, etc.) Student contact or class list Enrolment status of an individual Academic advising and counselling information Granting agency agreements Sensitive research data Business/vendor data & contract information
Highly Confidential	Very High Risk – Information is so sensitive or critical that it is entitled to extraordinary protections.	Labelling documents and emails as “Highly Confidential” is required. Access is limited to specifically named individuals. Principles of least privilege and need-to-know must be applied. Stored in a secure and password-protected College system. Storage encryption is required on mobile devices & laptops. External Email: Strongly discouraged. If absolutely required, the use of email encryption is required. Internal Email: The use of email encryption is strongly recommended.	Social Insurance Number (SIN) Official government identity card (e.g., Passport ID, Driver’s License, etc.) Date of Birth (DoB) Full face images and other biometric identifiers Criminal record checks Personal Health Information (PHI), medical records & any defined under PHIPA Disability and medical accommodation information Legal suits Closed or in-camera Board of Governors documents Academic concessions Appeals and grievances Harassment and discrimination reports

(*) where the disclosure of the name, number or email address would NOT reveal other personal information about the individual.

How To:

The proper handling of sensitive information can be achieved in your daily work by following these practices and tools:

• For work that required the use of a desktop/laptop computer, use a Fleming device if you have been provided with one. If not, use Fleming’s virtual desktop service or web-browser-based applications, Office365, Evolve, D2L, etc.
• Use the Outlook mobile app to access email from a personal or College smartphone.
• Label MS Office files and emails using Sensitivity Labels.
• Use Office Message Encryption (OME) email encryption for Confidential emails being sent externally or any Highly Confidential emails.

Things to Avoid:

• Avoid downloading and saving sensitive information to a personal (non-Fleming asset) device. (Use Fleming’s VDI service instead).
• Avoid storing sensitive information in any system or application not provided by Fleming.

References:

• 6-604 Electronic Information Security Policy
• OP #6-604A Information Security Classification Procedure 
• How to Apply Sensitivity Labels to Files and Emails