Classifying Data - The Basics
By: Ross Saunders
Classification of data within your possession is not necessarily something that a lot of companies (particularly smaller ones) think of, but the practice is becoming a regular requirement of security attestations and Data Processing Agreements (DPAs). Within the privacy and information security spaces, different types of information are treated differently, be it relating to how it is stored, or even where it is transferred (for example, there may be restrictions on transferring medical details outside of your country of residence). Your Data Protection Policy or IT Security Policy may detail how your business classifies data, or you may have a dedicated Data Classification Policy. In this post we’ll introduce you to five basic classifications. It's important to note that while various standards such as ISO27001 refer to classification of data, they are not necessarily all prescriptive of the labels, and you may define these for yourself.
Restricted / Sensitive Information
Restricted or Sensitive information is information that is often available internally at a company, but would be seen as embarrassing or inconvenient if the knowledge got out into the public domain or to clients. This often relates to internal information and "work in progress" communications when dealing with delivery on projects or similar. There will likely be policies governing how this kind of information may be shared outside of the company.
Confidential Information
Confidential information is the next step up: information that is likely governed by an agreement with a client or that relates to the company's trade secrets. This information could be materially damaging to the business if it were leaked, either affecting competitiveness or opening the door to legal action.
Secret / Classified / Proprietary Information
You may have a level up from Confidential information, whereby only select staff members have access to a piece of information. This can be seen as Secret information. This could be related to research and development, as well as sensitive legal issues. Classified information is generally seen as information that is governed by law or regulation.
Personal Information
Data protection regulation enters the fray! Personal information is seen as information that can identify an individual. This could be a name, surname, email address, Social Insurance Number, and so forth. This information is often governed by data protection regulation such as the Personal Information Protection and Electronic Documents Act (PIPEDA) at a federal level in Canada, BC or Alberta’s Personal Information Protection Acts (PIPA), Quebec’s Bill 64, or the General Data Protection Regulation in the EU and UK (EU/UK GDPR).
Special Personal Information
Also defined in GDPR is the concept of Special Personal Information (SPI). This is most often information that can be, or has been, used to discriminate against individuals. It includes religious beliefs, sexuality, health information, race, and a few other categories. In general, you would need additional consent and safeguards to process this kind of information unless you are required by law to process it.
Within the Canadian context, such as under Bill 64 in Quebec, certain information can be defined as sensitive when “due to its nature or the context of its use or communication, it entails a high level of reasonable expectation of privacy.” In August 2021, the Office of the Privacy Commissioner of Canada (OPC) published guidance on the use of sensitive personal information.
Other Categories
There are other categories that you may explore or define depending on your business, such as details of minors or multiple levels of confidentiality. You may even have subcategories, such as personal information falling under confidential. It is up to you to define this. The important thing is that you should work towards tagging information and labelling it accordingly in your systems, so that staff are aware of the sensitivity of what they are working on, how to store the data, the level of protection the information requires, and the permission rights associated with it.