Personal and Work-related Information

Why does work-related information need to be protected?

Information and data are work-related if you process them in your everyday activities at the University of Münster. Personal data can also be work-related information. For criminals, work-related information is interesting for various reasons: access and personal data, for example, can be misused for identity fraud, among other things. If unauthorized individuals gain access to IT systems at the University of Münster, they can prepare attacks. As a result, they might steal, destroy and/or make data unavailable. Thus, sensitive information, such as unpublished research data, could also find its way into the wrong hands and be published undesirably. Many criminals sell the data they have captured on the darknet and use it to make a lot of money from your information. In such cases, there is no control over which data is passed on to which person. Therefore, work-related data should never leave the jurisdiction of the University of Münster and has to be stored in a correspondingly secure manner. For more information on the secure storage of work-related information, please refer to tips for storing information.

• What is personal information?

  According to the State Commissioner for Data Protection and Freedom of Information in North Rhine-Westphalia, personal information include "individual details about personal or factual circumstances of an identified or identifiable natural person. "¹  Individual details include, for example:

  • Name, age, family status, date of birth
  • Address, telephone number, e-mail
  • Bank account number, credit card number
  • Motor vehicle number, license plate number
  • Identity card number, social security number
  • Documents about previous convictions
  • Genetic and medical data
  • Value judgments (e.g. certificates)

  ---

  1) Landesdatenschutzbeauftragter NRW: Personenbezogene Daten (29.12.2022).

• Why does personal information need to be protected? 

  The Federal Constitutional Court demands "under the modern conditions of data processing (...) the protection of the individual against unlimited collection, storage, use and disclosure of his or her personal data "² for the free development of personality. "The collection, processing and use of personal data are only permissible insofar as this law or another legal provision permits or orders this or the person concerned has consented." (§4 I BDSG)

  This means for the affected individuals that they should think very carefully about whether they want to give this consent and for those who are entrusted with the collection, processing or use of this data for work-related purposes that they must handle this data responsibly.

  If you have any doubts as to whether current security measures are adequate for the intended purpose of protection, you can contact the data protection officer.

  ---

  2) BVerfG, Urteil v. 15. Dezember 1983, Artikel 1 (27.09.2012).

Classification of information

All information processed at the University of Münster can be classified by employees into confidentiality classes. For each confidentiality class, a description is given on how information should be processed, passed on, stored and deleted in an appropriately secure manner. Confidentiality classification supports the secure handling of various forms of information. Careful procedures are required when classifying. If the classification is too low, the risk of information misuse exists; if the classification is too high, an unjustifiable amount of work is required during information processing.

If you have any questions about the handling of information in your area of work, first contact your responsible executive.

Further information and support on classifying information can be found here: Classification of Information

If you need further clarification, you can also contact the Information Security Office or the Data Protection Officer.

• Confidentiality class: public (V1)

  • Information for unrestricted publication. This information includes released press or marketing information and information published on the online websites of the University of Münster.
  • Examples: University of Münster News, public websites, university newspaper wissen|leben, public course catalog, flyers, public events, publications

• Confidentiality class: internal (V2)

  • Information intended only for university employees, but which is not confidential or strictly confidential. Information whose unauthorized processing cannot adversely affect the social standing or economic circumstances of the individuals concerned.
  • Examples: Information from the intranet, internal guidelines, service instructions, correspondence, internal events, business distribution plans

• Confidentiality class: confidential (V3)

  • Information which, if published, lost or accessed without authorization, could lead to damage or loss of image of the University of Münster. Information, whose unauthorized processing could not insignificantly affect the social position or economic circumstances of the persons concerned.
  • Examples: Travel expense reports, salary statements, certificates of incapacity to work, examination data (examinations, grades), confidential research data, technical and infrastructural information (construction plans and locations of sensitive rooms, network plans), draft contracts and agreements (framework agreements), confidential financial data

• Confidentiality class: strictly confidential (V4)

  • Information which, if published, lost or accessed without authorization, could lead to serious damage or considerable loss of image for the University of Münster. This includes, in particular, information that must be kept secret due to contractual obligations. Information, whose unauthorized processing could significantly affect the social position or economic circumstances of the persons concerned.
  • Examples: Special scientific data (patent documents prior to publication), passwords, health information with possibly stigmatizing results