Classification system of ETH Zurich
The classification of data confidentiality allows the information owners to signal to others what level of protection their data requires or what protective measures should be taken.
Some data in research, teaching or administration at ETH are confidential and therefore require a high level of protection, either to ensure the security of individuals, research results or processes.
Distinction between Personal and Technical (Non-Personal) Data
At ETH Zürich, we essentially distinguish between two types of data:
- Personal Data: According to the Swiss external page Federal Act on Data Protection, personal data includes all information relating to an identified or identifiable natural person (see Article 5). Examples include name and first name; telephone number; date of birth; health data, provided they can be associated with a natural person.
- Technical Data: Technical data includes all other data. Examples are weather data series, such as temperature, pressure, rainfall; office files and research data, etc., as long as they cannot be associated with an identified or identifiable natural person.
The four levels for the classification of confidentiality
The information owners are responsible for the classification of all information that is collected and processed by them or on their behalf. These can be professors, staff or department heads.
The classification is primarily risk-based, which is also illustrated by the four classification levels. The level of confidentiality is derived from the risk to ETH should the relevant information fall into the hands of unauthorized persons. The risk thus provides the framework for the protective measures that are necessary to ensure confidentiality.
Information is classified as “internal” if unauthorised individuals’ becoming aware of it could damage the interests of ETH Zurich. Consequently, this information is generally only intended for members of ETH Zurich.
All data or information at ETH, unless otherwise indicated, is considered "internal".
Information is classified as “confidential” if unauthorised individuals’ becoming aware of it could significantly damage the interests of ETH Zurich.
This data should only be accessible to a specific group of people, function or role. This includes, for example, performance appraisals of any kind, personnel dossiers, financial or risk reports, personal data requiring special protection or research data prior to publication. This type of data must be kept under lock and key or appropriately secured electronically.
CONFIDENTIAL data must be clearly labelled as such (in capital letters).
Information is classified as “strictly confidential” if unauthorised individuals’ becoming aware of it could severely damage the interests of ETH Zurich.
This type of information or data is not to be posted to external cloud services, is accessible only to a named group of people (authorization for disclosure only by information owners) and can be disclosed only under the highest security precautions, e.g., confidentiality agreements, documentation of access authorizations for electronic documents, acknowledgements of receipt, and storage only on encrypted media.
STRICTLY CONFIDENTIAL data must be clearly labelled as such (in capital letters).
MS-Office Templates with Classification Notes
Official ETH templates are available for common Microsoft Office documents (e.g. reports, letters, agendas, presentations) with corresponding classification notes to indicate confidentiality. These can be downloaded from the template page of the Communications unit of ETH Zurich.
On the Windows PCs of the central bodies, the Word templates are automatically available under "File" → "New" → "Personal". Members of the departments or decentralized units can contact their IT service group (ISG) for setup.
Directive
The classification system is defined in the Directive on Information Security at ETH Zurich.
Appendices 1a and 1c of the directive list examples of how which type of data should be classified, as well as guidelines for protecting appropriately labelled data.
The handling of classified information, and thus the necessary protective measures to be applied, are presented in detail in Appendix 2.
Internal News articles on classification
- Now available: ETH Office templates with classification note (8.02.2022)
- Protecting confidential data: the new classification system at ETH (12.11.2021)
- Secure use of the cloud: When can confidential data be transferred to external cloud services? (20.10.2021)
- Cloud usage and classification of data confidentiality: new policies now in effect (19.08.2021)