Protecting confidential data: the new classification system at ETH

A revised system for classifying data confidentiality was introduced at ETH on 12 July 2021 to facilitate the exchange, use and protection of research and administrative information. At the same time, the previous classification system set out in the Directive on Information Security at ETH Zurich was adapted accordingly. An overview of changes can be found in the Internal news article Cloud usage and classification of data confidentiality: new policies now in effect.

Why is classification necessary?

Some of the data handled at ETH for research, teaching and administration purposes is confidential and requires a high level of protection to safeguard personal privacy, research results or processes. By classifying the confidentiality of this data, the authority responsible for classification (i.e., information owner) can show other users what level of protection the data (e.g., a document) requires, and what security measures are to be taken.

The information owner is responsible for classifying all the data that they, or someone on their behalf, collects and processes. This could be a professor or the head of a staff unit or administrative department, for instance. By assigning a classification, the information owner determines what security measures are mandatory for handling their information (see Appendix 2 to the Directive on Information Security at ETH Zurich).

Four classification levels

The four confidentiality levels below are defined in Article 22 of the information security directive:

1. PUBLIC: Public information is any information that has been approved for publication by the relevant authority. This includes the ETH websites, press releases, and previously published dissertations and research data. No special security measures are necessary here.

2. INTERNAL: Information is classified as “internal” if its disclosure to unauthorised individuals could damage the interests of ETH Zurich. This information is thus generally intended for members of ETH Zurich only and covers lecture scripts, ETH’s internal address book and town hall meetings. Information designated “internal” can be accessed by members of ETH Zurich (authorised individuals only); certain measures such as a clear-desk policy apply for this data, i.e., before a member of staff leaves their workstation, they first have to clear any internal information from their desk and, of course, lock their computer. All information at ETH is presumed to be “internal” unless marked otherwise.

3. CONFIDENTIAL: Information is classified as “confidential” if its disclosure to unauthorised individuals could significantly damage the interests of ETH Zurich. This data may be accessed by a specific group of people, functions, or roles only. Such information includes any kind of performance assessment (e.g., exam results, marks, evaluations etc.), HR files, financial or risk reports, personal data of a particularly sensitive nature or research data prior to publication. This type of data has to be kept under lock and key or adequately secured in electronic form. CONFIDENTIAL data must be clearly marked as such (in capital letters).

4. STRICTLY CONFIDENTIAL: Information is classified as “strictly confidential” if its disclosure to unauthorised individuals could severely damage the interests of ETH Zurich. This type of data is subject to the highest level of security. It is not permitted to be stored in external cloud services; it can be accessed only by one group of people designated by name (forwarding must be approved by the information owner only) and may be shared only under the most stringent security precautions. Examples for such precautions are the signing of confidentiality agreements (even among ETH employees), documenting the individuals who hold access rights for electronic documents, confirmation of receipt notifications and storage on encrypted data carriers only. Data designated “strictly confidential” may include:

• research results that could cause serious damage in the event of premature disclosure,
• special data relating to industry projects, for which the highest security measures have been contractually agreed, and
• medical data that falls under the Swiss Human Research Act.

STRICTLY CONFIDENTIAL data must be clearly marked as such (in capital letters).

Classification based on risk potential

Classification is primarily risk-based (see Appendix 1b of the Directive on Information Security at ETH Zurich), as illustrated in the definitions of the four classification levels above. The respective level of confidentiality thus arises from the risk posed to ETH if the information in question were to land in the hands of unauthorised individuals. In other words, the level of risk provides the framework for the security measures that are to be taken to ensure confidentiality.

Further common examples of how certain types of data should be classified as well as data protection requirements for the different classifications are outlined in the appendices to the information security directive. Appendix 1a provides a list of examples on how certain types of information could be classified. Appendix 1c shows how classified information can be designated as such across different information media.

Appendix 2 presents a detailed guide on how to handle classified information and what security measures must be applied in each case.

Advantages of the new system

The expanded classification system offers many benefits, especially as the technical challenges posed by the digitally connected world and, in particular, the use of cloud services requires a differentiated approach to data handling.

With regard to the use of external cloud services, information classified under the new system as “confidential” or “internal” can now be stored and processed in rigorously tested external cloud services that have sufficiently high security and data protection standards. The responsibility for transferring the data into the cloud remains with the information owners. The rules covering such use are found in the IT Guidelines and IT Baseline Protection Rules of ETH Zurich.

Transitional provisions

The following transitional provisions apply to the implementation of the new classification system:

• Starting on 1 December 2021, the classification system is mandatory for all newly created documents. Templates will be made available for commonly used Office documents (e.g., reports, letters, agendas, presentations).
• With regard to existing data, information owners should also adapt old documents in line with the new classification system by 1 December 2023. Information owners are responsible for checking, in particular, whether information previously classified as “CONFIDENTIAL” qualifies for reclassification as “STRICTLY CONFIDENTIAL”.