Data Protection Impact Levels

With all Government and public sector systems there is a need to make sure that information stored in them is appropriately protected. ‘Appropriate’ could range from:

  • open to the public;
  • to patient records;
  • right through to highly secret national security information.

So there needs to be a process to assess what is required in each case. When you think about risks to a system, it makes sense to ask “what if” the system were compromised. The impact that a compromise would have on the school is a logical place to start. If you group that impact into levels, you get Business Impact Levels. They are currently defined from 0 (no impact) to 6 (severe impact).

An Impact Level (IL) comes from consideration of 3 potential compromise areas:

  • Confidentiality – the potential impact if the information is seen by those who should not see it;
  • Integrity – the potential impact if the accuracy or completeness of the information is compromised;
  • Availability – the potential impact if the information becomes inaccessible.

It is very unlikely that a school will be responsible for datasets with a BIL (or IL) value greater than 4.

The following table defines the Impact Levels most likely to require managing by schools and includes some examples:

Level: IL1
Type: Not sensitive
Personally identifiable, or aggregated beyond 1,000 records

  • Class list of names

Impact: Limited impact but caution must be taken at all times.

Level: IL2
Type: Protect

  • Class list of names and DoB
  • Attendance, Assessment information for a single or multiple students

Impact: The vast majority of data should be classified at IL2-Protect, or lower. Likely to cause embarrassment to an individual, or organisation.

Level: IL3
Type: Restricted

  • Free School Meals
  • Special Needs record

Impact: Most of the information in a school’s MIS is likely to fall into this category. Likely to cause loss of reputation to an individual, or organisation.

Level: IL4
Additional detail to Special Needs, or Child in Care

Impact: Likely to cause loss of reputation to an individual, or organisation.