2.2 Information Classification
Information can be classified in different ways, and multiple classifications can be applied to a single piece of data (e.g. someone's medical history is personal, private and sensitive).
Sensitive information should be protected from being publicly released as it could harm the safety or privacy of an organisation or an individual. An example of sensitive personal information is medical data that could be embarrassing to an individual if released. An example of sensitive business information is financial data that will negatively impact the company if made public to competitors.
Non-sensitive information can be released publicly with no fear of negative consequence. Non-sensitive information may include addresses of shops, opening hours and the names of senior managers. Some marketing information, such as product prices, online reviews and general availability, will also be non-sensitive.
Private information is often linked to sensitive information as it is kept restricted from public release. Personal private information includes home addresses, contact information, birth dates and banking details. Private business data includes employee data. Private information is protected by the Data Protection Act (1998) and would need to be stored securely so it cannot be accessed without authorisation.
Public information has been released to the public, possibly through a government report like the national census every ten years. Individuals, especially celebrities, will have personal information about them made public (such as full name and date of birth). Public business information includes addresses, promotional material and opening times.
Personal information is identifiable data about a specific individual. This includes their full name, date of birth, gender, marital status, medical history, sexual orientation, voting history and criminal offences. Most personal data is also private and sensitive, but some may be made public, either by choice (such as posting name, gender and marital status on social media) or not by choice (e.g. in the event of a crime).
Business information is any kind of data about a specific business. This information could be public - such as the address of its headquarters - or private / sensitive (such as financial data or employee details). Some businesses may release information to stakeholders or the public on certain occasions, like annual sales figures.
Confidential information is private data that is more restricted than sensitive information, with access limited to only those who need to know. Confidential information for individuals includes any information exchanged privately with a doctor or therapist. Confidential business information includes profit and loss as well as trade secrets. McDonald's Big Mac burger sauce and KFC's '11 herbs and spices' recipes are both protected information that is restricted from the public and other competitors to avoid imitation. If confidential information is made public, it could lead to embarrassment, loss of reputation and loss of profit (for a business, following the loss of reputation).
Classified information is regarded as highly sensitive information by a government institution, requiring the highest levels of restricted access. Access is usually restricted by law and only viewable / editable by authorised individuals or groups. Classified information must follow the three principles of information security (confidentiality, integrity and availability). Classified data loss can lead to financial penalties, legal action and even injury or death (if a matter of national security). In the UK, there are three levels of classified information: OFFICIAL, SECRET and TOP SECRET. Examples of classified information include crime scene reports, military data and terrorism precautions.
Anonymisation removes personally identifiable data from information so that an individual cannot be identified. This allows the information to be used in a much wider context without running the risk of legal action. There are two forms of information anonymisation: partially anonymised, where some of the personal information has been removed, and completely anonymised, where all identifiable data has been removed.
Bank details are often partially or completely anonymised. A partially anonymised credit card number might be listed as:
4354 - 1632 - 2938 - ****
A completely anonymised bank card number, by contrast, would have all 16 digits replaced by asterisks.
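The two forms of anonymisation described above, applied to a whole record as well as to the card number. This is an added example, not part of the original notes; the field names, the choice of which field is removed at the partial level, and the last four card digits are assumptions made for illustration.

```python
import re

# Constructed sample record; the field names and the last four card digits
# are assumptions made for this example.
SAMPLE = {
    "full_name": "Alex Example",
    "date_of_birth": "1990-01-31",
    "card_number": "4354 1632 2938 1234",
    "purchase_total": 42.50,
}
IDENTIFYING = {"full_name", "date_of_birth", "card_number"}
REMOVED_WHEN_PARTIAL = {"full_name"}  # partial: only some identifiers go
READABLE_GROUPS = {"partial": 3, "complete": 0}  # card groups left readable


def mask_card(number, level):
    """Mask the last group (partial) or all four groups (complete)."""
    if level not in READABLE_GROUPS:
        raise ValueError("level must be 'partial' or 'complete'")
    digits = re.sub(r"[\s-]", "", number)  # accept spaces or hyphens
    if not re.fullmatch(r"[0-9]{16}", digits):
        raise ValueError("expected exactly 16 digits")
    groups = [digits[i:i + 4] for i in range(0, 16, 4)]
    keep = READABLE_GROUPS[level]
    # Masked groups are replaced outright, so none of their digits survive.
    return " - ".join(groups[:keep] + ["****"] * (4 - keep))


def anonymise(record, level):
    """Return a copy of record anonymised to the requested level."""
    if level not in READABLE_GROUPS:
        raise ValueError("level must be 'partial' or 'complete'")
    result = {}
    for field, value in record.items():
        if field == "card_number":
            result[field] = mask_card(value, level)
        elif field in IDENTIFYING and (
            level == "complete" or field in REMOVED_WHEN_PARTIAL
        ):
            continue  # identifying field removed entirely
        else:
            result[field] = value
    return result


if __name__ == "__main__":
    print(anonymise(SAMPLE, "partial"))
    print(anonymise(SAMPLE, "complete"))
```

In the partial result the date of birth and twelve card digits remain, so the record still contains personal information; only the complete result has all identifiable data removed.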
For each classification above, briefly define it and list three examples of information.