How To Use The Classification Matrix

1 Identify which column covers the information / data you wish to handle.

2 You do this by looking at the Key at the top of the Classification Matrix

For example, let's say that you need to send the hard copy personnel file of a staff
member to another person in the NHSBSA. You would look at the key in the
Classification Matrix and see that as you are dealing with person-identifiable
information you need to be looking in the "Confidential" column

Now you need to look down the first and second columns of the Classification Matrix
3
until you find the action that you want to take.

In the example we are using this would be "Transmission by Post, Fax or e-mail",
"Mail within the NHSBSA (i. e. between buildings)"

Now you need to look along the row until you get to the relevant column which lists
4
what you must do.

In the example we are using this would be the "Confidential" column where you
would find that you must send the personnel file in a "Sealed inter-office envelope
marked Confidential"

F:\BSA\IGM\Info Gov Mgt\BSA\NHSBSA Data Classification Matrix.xls Page 1 of 7 Last Updated: 11 August 2010

Examples of information / data
Key
to be handled
The consequences if the
information / data is
mishandled
Transmission by Spoken Word
Conversation / Meetings
Landline Telephones
Mobile telephones (including
voice enabled blackberries)
Voicemail or answering
machines
F:\BSA\IGM\Info Gov Mgt\BSA\NHSBSA Data Classification Matrix.xls
How To Use The Classification Matrix
PUBLIC INTERNAL
Routine correspondence,
employee newsletters, internal
Brochures, News releases, phone directories, inter-office
Marketing Materials memoranda, non person
identifiable information, internal
policies and procedures
Unauthorised disclosure would
not significantly impact
None
NHSBSA, or any of its
stakeholders or employees
No special precautions Ensure that you are not
required overheard
Avoid proximity to unauthorised
No special precautions Ensure that you are not
required overheard
No special precautions Ensure that you are not
discouraged, digital telephones
required overheard
No special precautions Ensure that you are not
required overheard
Page 2 of 7
CONFIDENTIAL RESTRICTED
Person identifiable information
Statutorily protected and
(except that which is
sensitive information e.g.
Restricted), financial data,
strategic corporate plans /
purchasing information, vendor
financial information
contracts
Unauthorised disclosure could Unauthorised disclosure likely
result in significant adverse to result in significant adverse
impact or penalties to impact, embarrassment or
NHSBSA, its stakeholders or penalties to NHSBSA, its
employees stakeholders or employees
Private setting / lowered
voices. Avoid public areas, Enclosed meeting area. Public
e.g. elevators, hallways, areas prohibited
cafeterias etc.
Avoid proximity to unauthorised
listeners. Speakerphone in
listeners. Speakerphone in
enclosed area. Use generally
secure area
discouraged
Use of analogue telephones
Use of digital telephones
discouraged, landline preferred
preferred
Only leave name and contact Only leave name and contact
details details
Last Updated: 11 August 2010

Transmission by Post, Fax or e-
mail
Mail within the NHSBSA (i.e.
between buildings)
Mail outside of the NHSBSA
E-mail within the NHSBSA
E-mail outside of the NHSBSA,
including internet, N3 &
NHSnet Mail
Fax Location
accessible to the general public accessible to the general public accessible to the general public accessible to the general public
Use of a Fax Coversheet
Fax Transmission safeguards
F:\BSA\IGM\Info Gov Mgt\BSA\NHSBSA Data Classification Matrix.xls
How To Use The Classification Matrix
PUBLIC
No special handling required
No special handling required
No special handling required
No special handling required
Not to be located in an area
Required
Reasonable care in dialling
Page 3 of 7
INTERNAL
No special handling required
2nd class mail. No special
handling required
No special handling required
personal data prohibited unless
No special handling required
situation. Use of e-mail strongly
distribution lists is prohibited
Not to be located in an area
Required
Reasonable care in dialling
CONFIDENTIAL
Sealed inter-office envelope
marked Confidential
2nd class mail. Marked Private
and Confidential with return
address on the back.
Traceable delivery preferred,
e.g. Recorded delivery, special
delivery etc.
Refrain from use of personal
data. Use of e-mail
discouraged where practical
Use of e-mail containing
encrypted or emergency
discouraged. Broadcast to
Not to be located in an area
Required. Coversheet to be
labelled Confidential
Telephone before transmission Telephone before transmission
to ensure that recipient is
waiting by the fax machine for waiting by the fax machine for
the transmission. Subsequent the transmission. Subsequent
telephone call to confirm
successful receipt of the
transmission
RESTRICTED
Sealed inter-office envelope
marked Restricted and
Confidential. Notify recipient in
advance
Traceable delivery preferred,
e.g. Recorded delivery, special
delivery etc.
Use of any personal data is
prohibited. Use of e-mail
strongly discouraged, unless
encrypted
Use of e-mail containing
personal data prohibited unless
encrypted. Use of e-mail
strongly discouraged unless
encrypted or emergency
situation.. Notify recipient in
advance. Broadcast to
distribution lists is prohibited
Not to be located in an area
Required. Coversheet to be
labelled Restricted and
Confidential
to ensure that recipient is
telephone call to confirm
successful receipt of the
transmission
Last Updated: 11 August 2010
 How To Use The Classification Matrix
PUBLIC
Content to be promoted must
Internet and Intranet be authorised by head of
section
Magnetic media (including
CDs, DVDs, Memory Sticks No special handling required
and Data Cartridges
Electronic File Transfer No special handling required
Web Portals (i.e. NHSBSA web-
No special handling required
enabled applications)
Print, Film, Fiche, Video, DVD
Images
No special precautions
Printed Materials
required
No special precautions
Sign-in sheets / Sign-in logs
required
No special precautions
Monitors / Computer Screens
required
No special precautions
Copying Standards
required
F:\BSA\IGM\Info Gov Mgt\BSA\NHSBSA Data Classification Matrix.xls Page 4 of 7
INTERNAL
Content to be promoted must
be authorised by head of
section
No special handling required
Use of personal data prohibited Use of personal data prohibited
unless encrypted (i.e. using
No special handling required
SFTP, FTPS or secure VPN) or SFTP, FTPS or secure VPN) or
a one-off emergency situation a one-off emergency situation
No special handling required
Store out of sight of non-
employees
Placement out of sight of non-
employees
Positioned or shielded to
prevent viewing by non-
employees
No special precautions
required
CONFIDENTIAL RESTRICTED
Must not appear on intranet / Must not appear on intranet /
internet internet
Use of personal data prohibited
Use of personal data prohibited
unless encrypted or an
unless encrypted or an
emergency situation. Notify
emergency situation
recipient in advance
unless encrypted (i.e. using
Use of personal data prohibited Use of personal data prohibited
unless encrypted (i.e. using unless encrypted (i.e. using
HTTPS) HTTPS)
Store out of sight in a secure Enclosed meeting area. Public
area areas prohibited
Subsequent signers can not Subsequent signers can not
identify signer identify signer
Positioned or shielded to Positioned or shielded to
prevent viewing by prevent viewing by
unauthorised parties. Possible unauthorised parties. Possible
measures include physical measures include physical
location in a secure area, location in a secure area,
positioning of screen, use of positioning of screen, use of
password protected screen password protected screen
saver, etc. saver, etc.
Photocopying can only be done
Photocopying to be minimised
with approval from the owner of
and only when necessary
the information
Last Updated: 11 August 2010
 How To Use The Classification Matrix

PUBLIC INTERNAL CONFIDENTIAL RESTRICTED

Storage Standards
Reasonable precautions to Storage in a secure manner
No special precautions
Print Material prevent access by non- (e.g. secure area, lockable Storage in a lockable enclosure
required
employees enclosure)
Storage on secure drives.
Storage on secure drives only.
No special precautions Storage on non-public drives Storage on shared drives
Electronic Documents Password protection of
required only without password protection for
document preferred
reading is prohibited
Storage in a secure manner
(e.g. password access or
Reasonable precautions to Reduce to written form if
No special precautions reduce to written form, delete
E-mail prevent access by non- necessary secure manner or
required electronic form and store in
employees store in a lockable enclosure
accordance with storage of
printed materials)

Destruction Standards
No special precautions No special precautions Destroy in a manner that
Destruction
required required protects confidentiality
No special precautions Secure area not accessible to Secure area not accessible to Secure area not accessible to
Location of waste paper bins
required unauthorised persons unauthorised persons unauthorised persons
Prohibited, unless by special
No special precautions No special precautions Prohibited. Destruction or
Paper Recycling recycling programme for
required required shredding required
confidential information
No special precautions
Magnetic media / diskettes Overwrite or low-level reformat Overwrite or low-level reformat Overwrite or low-level reformat
required

F:\BSA\IGM\Info Gov Mgt\BSA\NHSBSA Data Classification Matrix.xls Page 5 of 7 Last Updated: 11 August 2010
 How To Use The Classification Matrix

PUBLIC INTERNAL CONFIDENTIAL RESTRICTED

Physical Security Standards

Password protected screen Password protected screen Password protected screen
saver to be used when briefly saver to be used when briefly saver to be used when briefly Do not leave data unattended.
unattended. Sign-off or power- unattended. Sign-off or power- unattended. Sign-off or power- Sign-off or power-off work
Computers / Work Stations
off work stations or terminals off work stations or terminals off work stations or terminals stations or terminals when not
when not in use or leaving work when not in use or leaving work when not in use or leaving work in use or leaving work area
area area area
Printing of documents
minimised and when necessary Printing of documents when
only. Unattended printing is necessary only. Printers must
No special precautions No special precautions permitted only if physical not be left unattended. The
Printing documentation
required required access are used to prevent person attending the printer
unauthorised persons from must be authorised to examine
viewing the material being the information being printed
printed
Access to areas containing Access to areas containing
sensitive information should be sensitive information should be
No special precautions No special precautions physically restricted. Sensitive physically restricted. Sensitive
Office access
required required information must be locked information must be locked
when left in an unattended when left in an unattended
room room
Password protected screen Password protected screen
saver to be used when briefly saver to be used when briefly
unattended. Sign-off or power- unattended. Sign-off or power-
Computers must not be left Computers must not be left
off work stations or terminals off work stations or terminals
Laptops, Palmtops, unattended at any time unless unattended at any time unless
when not in use or leaving work when not in use or leaving work
Blackberries etc. the confidential information is the confidential information is
area. Also laptops must be area. Also laptops must be
encrypted encrypted
secured using a locking device secured using a locking device
when outside of the office when outside of the office
environment environment

Must have a business need to Must have a business need to

Generally available to all staff know the information. Must know the information. Must
Access Control Available to the general public
on a need to know basis have written approval of the have written approval of the
data owner data owner

Access should be audited as Access should be audited as

Audit None None
determined by the data owner determined by the data owner

F:\BSA\IGM\Info Gov Mgt\BSA\NHSBSA Data Classification Matrix.xls Page 6 of 7 Last Updated: 11 August 2010
 How To Use The Classification Matrix

Term Definition
Secure area means an area not reasonably accessible to unauthorised persons or
an area where the protected information is not unattended by an authorised person.
Secure Area
Examples include: private offices, work areas monitored by a staff member or
receptionist, most employee only areas.
Lockable enclosure means an area or enclosure requiring a keypad entry.
Lockable
Examples include: locking cabinets, drawers, desks and storage areas, private
enclosure
offices with locking doors.
Need to know Need to know basis means that a staff member may only have access to that
basis information which is necessary to do their job.

F:\BSA\IGM\Info Gov Mgt\BSA\NHSBSA Data Classification Matrix.xls Page 7 of 7 Last Updated: 11 August 2010