Restricted information
Class 4
Access restriction
Access to restricted data must be limited to named authorized individuals and access lists must be maintained. Restricted information must not be shown to or discussed with anyone not authorized. Access to restricted information by external parties must be subject to a non-disclosure agreement (NDA) on a need-to-know basis.
Data protection controls
Protection such as encryption is required for all restricted data at rest and in transit, whether internal or external.
Frequently asked questions
When storing restricted data, avoid the use of external media (e.g. USB drives). If external media must be used, encrypt all files. With access controls limiting access to selected individuals, restricted information can be stored in:
- Teams
- Network shared drives
- SharePoint (restricted) – with Multi-Factor Authentication (MFA)
- SharePoint (modern) – with MFA
Restricted data must be kept in a locked filing cabinet, in a non-public area. Ensure adherence to ‘clean desk’ practices when working with restricted data.
Restricted data can be transferred or shared over email when encrypted.
Mark all restricted data as ‘RESTRICTED’ in the header or footer of every page of the document, and on the cover page.
Restricted physical documents must not be left unattended and must be stored appropriately when not in use (see physical storage above).
Responsible Directors can decide who can have access to restricted data. If sharing externally, consult with Concordia’s Legal Services to ensure an information sharing agreement is in place and privacy has been consulted as appropriate.
Restricted information can be archived or disposed of in a secure shredding bin according to Records Management Guidelines.
Restricted information should be archived or deleted from workstations or devices according to Records Management Guidelines. All workstations and devices used to house restricted information must be returned to IITS for decommissioning at the end of life or when the user leaves Concordia.