Classification of data within your possession is not necessarily something that a lot of companies (particularly smaller ones) think of, but the practice is becoming a regular requirement of security attestations and Data Processing Agreements (DPAs). Within the privacy and information security spaces, different types of information are treated differently, be it relating to how it is stored, or even where it is transferred (for example, there may be restrictions on transferring medical details outside of your country of residence). Your Data Protection Policy or IT Security Policy should detail how your business classifies data, and in this post I will take you through 5 basic classifications. It’s important to note that while various standards such as ISO27001 refer to classification of data, they are not necessarily prescriptive of the labels, and you may define these for yourself.
Restricted / Sensitive Information
Restricted or Sensitive information is information that is often available internally at a company, but would be seen as embarrassing or inconvenient if the knowledge got out into the public space or to clients. This often relates to internal information and “work in progress” communications when dealing with delivery on projects or similar. There will likely be policies governing how this kind of information may be shared outside of the company.
Confidential Information
Confidential information is the next step up, being information that is likely governed by an agreement with a client or relates to trade secrets of the organisation. This information could be materially damaging to the business if it was leaked, either affecting competitiveness or opening the door for legal action.
Secret / Classified Information
You may have a level up from Confidential information, whereby only select staff members have access to a piece of information. This can be seen as Secret information. This could be related to research and development, as well as sensitive legal issues. Classified information is generally seen as information that is governed by law or regulation.
Personal Information
Data Protection regulation enters the fray! Personal information is seen as information that can identify an individual. This could be a name, surname, email address, identity / social security number and so forth. This information is often governed by data protection regulation such as the Protection of Personal Information Act in South Africa (POPIA) or the General Data Protection Regulation in Europe (EU GDPR).
Special Personal Information
Also defined in POPIA and GDPR is the concept of Special Personal Information (SPI). This information is most often information that can be or has been used to discriminate against individuals. This includes religious beliefs, sexuality, health information, race, and a few other categories. In general, you would need additional consent to process this kind of information if it is not required by law for you to process.
There are other categories that you may explore or define dependent on your business – such as details of minors or multiple levels of confidentiality. You may even have subcategories – such as personal information falling under confidential. It is up to you to define this. The important thing is that you should work towards tagging information and labelling it accordingly in your systems so that staff are aware of the sensitivity involved with what they are working on.
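To make the tagging idea concrete, here is an added example (not code from the post or from Ross G Saunders Consulting) of how the five labels above, plus the personal-information subcategory, can be represented in a system and checked against a handling request. The policy rules it enforces are assumptions chosen to mirror the post: a hierarchy of Restricted, Confidential and Secret; personal information treated as at least Confidential; special personal information needing consent or a legal basis; external sharing needing sign-off; and health data not leaving its home country. The names `Record`, `Request`, `effective_level`, `violations` and `label`, and the sample records, are all constructed for the example.

```python
"""Hypothetical data-classification policy check (added example, not the post's own)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class Level(IntEnum):
    """Hierarchical labels from the post, least to most restrictive.
    PUBLIC is an assumed default for data that carries no label."""
    PUBLIC = 0
    RESTRICTED = 1      # "Restricted / Sensitive"
    CONFIDENTIAL = 2
    SECRET = 3          # "Secret / Classified"


# Orthogonal category tags: personal data can sit at any level of the hierarchy.
PERSONAL = "personal"
SPECIAL_PERSONAL = "special_personal"
HEALTH = "health"       # one SPI category the post names explicitly


@dataclass(frozen=True)
class Record:
    name: str
    level: Level
    tags: frozenset = frozenset()
    home_country: str = "ZA"     # constructed sample value


@dataclass(frozen=True)
class Request:
    """Who wants to do what with the record (all fields are assumptions)."""
    action: str                          # "access", "share_external" or "transfer"
    clearance: Level = Level.RESTRICTED  # highest level the requester may see
    destination_country: Optional[str] = None
    consent: bool = False                # data-subject consent for SPI processing
    legal_basis: bool = False            # processing is required by law
    external_approval: bool = False      # sign-off to share outside the company


def effective_level(rec: Record) -> Level:
    """Assumed sub-categorisation rule: personal information is treated as at
    least Confidential, special personal information as Secret."""
    floor = Level.PUBLIC
    if SPECIAL_PERSONAL in rec.tags:
        floor = Level.SECRET
    elif PERSONAL in rec.tags:
        floor = Level.CONFIDENTIAL
    return max(rec.level, floor)


def label(rec: Record) -> str:
    """Text label to stamp on a file or message, e.g. 'SECRET/health/personal'."""
    return "/".join([effective_level(rec).name] + sorted(rec.tags))


def violations(rec: Record, req: Request) -> List[str]:
    """Return the policy rules the request breaks (an empty list means allowed)."""
    problems: List[str] = []
    level = effective_level(rec)
    if req.clearance < level:
        problems.append(f"clearance {req.clearance.name} below {level.name}")
    if (req.action == "share_external" and level >= Level.RESTRICTED
            and not req.external_approval):
        problems.append("external sharing needs approval")
    if SPECIAL_PERSONAL in rec.tags and not (req.consent or req.legal_basis):
        problems.append("special personal information needs consent or a legal basis")
    if (req.action == "transfer" and HEALTH in rec.tags
            and req.destination_country not in (None, rec.home_country)):
        problems.append("health data may not leave its home country")
    return problems


if __name__ == "__main__":
    # Constructed sample records
    notes = Record("patient_notes", Level.CONFIDENTIAL,
                   frozenset({PERSONAL, SPECIAL_PERSONAL, HEALTH}))
    draft = Record("draft_report", Level.RESTRICTED)
    print(label(notes), violations(notes, Request("transfer", Level.SECRET, "DE", consent=True)))
    print(label(draft), violations(draft, Request("share_external")))
```

Because the check returns every broken rule rather than stopping at the first, it doubles as a way to audit why a request was refused, which is the feedback staff need to understand the sensitivity of what they are handling.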
Ross G Saunders Consulting offers a number of solutions that can drive your compliance and security maturity, from affordable 16-week group coaching programmes to comply on your own, through to advisory retainers and full programme management. To find out more about the offerings available, book time directly with Ross using the calendar below.