
Data Classification & Handling

A practical guide to classifying and handling data based on sensitivity and business value.


Purpose

Data classification enables organisations to:

  • Apply appropriate security controls based on data sensitivity
  • Comply with regulatory requirements (GDPR, HIPAA, PCI DSS)
  • Manage data lifecycle (retention, disposal)
  • Communicate data handling requirements clearly
  • Reduce risk of data breaches

Data Classification Schemes

Standard Four-Tier Classification

Most organisations use a 4-tier classification scheme:

| Classification | Description | Examples |
| --- | --- | --- |
| PUBLIC | Information intended for public disclosure | Marketing materials, published reports, public website content |
| INTERNAL | Information for internal use only, low impact if disclosed | Internal policies, org charts, meeting notes |
| CONFIDENTIAL or PRIVATE | Sensitive information requiring protection, moderate-high impact if disclosed | Financial data, customer lists, employee data, contracts |
| RESTRICTED | Highly sensitive information, severe impact if disclosed | Payment card data, health records, trade secrets, M&A plans |

Alternative Classification Schemes

Three-Tier (Simplified for SMBs)

| Classification | Description |
| --- | --- |
| PUBLIC | Publicly available information |
| INTERNAL | Internal use only |
| CONFIDENTIAL | Sensitive information requiring protection |

Best for: Small organisations (<100 employees) with limited data sensitivity variance.


Government Classifications (UK)

| Classification | Description | Examples |
| --- | --- | --- |
| OFFICIAL | Routine public sector business | Majority of government information |
| OFFICIAL-SENSITIVE | Damaging if compromised | Personal data, policy development |
| SECRET | Serious damage to national security | Intelligence, military operations |
| TOP SECRET | Exceptionally grave damage | Highest level classified information |

Applicability: UK government departments and contractors.

Link: UK Government Security Classifications


Healthcare-Specific (US HIPAA)

| Classification | Description |
| --- | --- |
| PHI (Protected Health Information) | Individually identifiable health information |
| ePHI (Electronic PHI) | PHI in electronic form |
| De-identified | Information with identifiers removed per HIPAA Safe Harbor or Expert Determination |

Data Classification Definitions (Four-Tier Model)

PUBLIC

Definition: Information approved for public disclosure with no negative impact to the organisation.

Characteristics:

  • No confidentiality requirement
  • Available on public website or published materials
  • No harm from disclosure

Examples:

  • Marketing brochures and press releases
  • Published annual reports
  • Public job postings
  • Published product specifications

Handling Requirements:

  • No encryption required
  • No access controls required
  • Can be freely shared externally

INTERNAL

Definition: Information for internal use within the organisation. Unauthorised disclosure could cause minor inconvenience but no significant harm.

Characteristics:

  • Default classification for most business information
  • Not sensitive, but not intended for public
  • Low impact if disclosed

Examples:

  • Internal policies and procedures
  • Organisational charts
  • Meeting minutes (non-sensitive)
  • Internal project plans
  • Employee directories

Handling Requirements:

  • Access limited to employees and authorised contractors
  • Basic access controls (authentication required)
  • Can be shared with business partners under NDA
  • Encryption recommended but not required for storage
  • Encryption required for email transmission outside organisation

CONFIDENTIAL / PRIVATE

Definition: Sensitive information requiring protection. Unauthorised disclosure could cause significant harm to the organisation, individuals, or partners.

Characteristics:

  • Requires protection via technical and administrative controls
  • Moderate to high impact if disclosed
  • Subject to regulatory requirements (GDPR, CCPA, etc.)

Examples:

  • Personal data (names, addresses, email, phone numbers)
  • Customer lists and CRM data
  • Employee personal information (salaries, performance reviews)
  • Financial information (budgets, forecasts, unpublished results)
  • Contracts and agreements
  • Proprietary business information
  • Internal audit reports
  • Strategic plans (pre-approval)

Handling Requirements:

  • Access limited to authorised personnel (need-to-know basis)
  • Role-based access control (RBAC)
  • Encryption required at rest and in transit
  • Multi-factor authentication (MFA) for access
  • Audit logging of access
  • Data Loss Prevention (DLP) monitoring
  • Secure disposal when no longer needed
  • Cannot be shared externally without approval (legal/data owner)

RESTRICTED

Definition: Highly sensitive information where unauthorised disclosure could cause severe harm to the organisation, result in legal liability, or endanger individuals.

Characteristics:

  • Highest level of protection
  • Severe impact if disclosed
  • Subject to strict regulatory requirements
  • Limited access on strict need-to-know basis

Examples:

  • Payment card data (PAN, CVV) - PCI DSS scope
  • Protected Health Information (PHI) - HIPAA scope (US)
  • Health records - UK GDPR special category data
  • Biometric data, genetic data
  • Authentication credentials (passwords, API keys, certificates)
  • Encryption keys
  • National Insurance / Social Security numbers
  • Trade secrets and intellectual property
  • Merger & acquisition plans (pre-announcement)
  • Legal privileged communications
  • Security vulnerability details (unpatched)

Handling Requirements:

  • Access limited to specifically authorised individuals only
  • Privileged Access Management (PAM) for credentials
  • Strong encryption at rest (AES-256) and in transit (TLS 1.2+)
  • MFA required for all access
  • Session recording for privileged access
  • Comprehensive audit logging
  • Data masking/tokenization where possible
  • DLP with blocking (not just alerting)
  • Secure disposal with certification (shredding, cryptographic erasure)
  • Cannot be stored on personal devices or consumer cloud services
  • Cannot be shared externally without executive approval
  • Physical security for printed materials

Data Classification Matrix

By Control Type

| Control | PUBLIC | INTERNAL | CONFIDENTIAL | RESTRICTED |
| --- | --- | --- | --- | --- |
| Access Control | None | Authentication | RBAC, MFA recommended | RBAC, MFA required |
| Encryption at Rest | No | Recommended | Required | Required (AES-256) |
| Encryption in Transit | No | Required (external) | Required (TLS 1.2+) | Required (TLS 1.2+) |
| Audit Logging | No | Basic | Detailed | Comprehensive |
| DLP Monitoring | No | No | Recommended | Required (blocking) |
| Backup Encryption | No | Recommended | Required | Required |
| Retention | Indefinite | Per policy | Per policy / regulation | Per policy / regulation |
| Disposal | Standard | Standard | Secure deletion | Certified destruction |
| External Sharing | Freely | NDA required | Approval required | Executive approval only |
| Storage Location | Any | Corporate systems | Corporate systems, approved cloud | Secure corporate systems only |
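The matrix is only useful if someone checks real systems against it. The following script is an added example (not part of this guide or of any product it mentions) that encodes the matrix rows as data and reports, for one data store, every control that falls below the minimum for its classification. "Recommended" cells become warnings and "Required" cells become blocking gaps. The `Asset` fields, the ranking of storage locations, and the reading of "Required" encryption as at least 128-bit are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

AUDIT_RANK = {"none": 0, "basic": 1, "detailed": 2, "comprehensive": 3}
DLP_RANK = {"none": 0, "monitor": 1, "block": 2}
# Assumed trust ranking of storage locations, following the matrix's "Storage Location" row.
STORAGE_RANK = {"personal_cloud": 0, "corporate": 1, "approved_cloud": 1, "secure_corporate": 2}

# Minimum value and severity per control, transcribed from the matrix.
# Encryption strength is in key bits (assumption: "Required" = at least 128-bit, AES-256 = 256).
MATRIX = {
    "PUBLIC": {},
    "INTERNAL": {
        "auth": (True, "required"), "at_rest_bits": (128, "recommended"),
        "tls": (1.0, "required"), "audit": (1, "required"),
        "backup": (True, "recommended"), "storage": (1, "required"),
    },
    "CONFIDENTIAL": {
        "auth": (True, "required"), "mfa": (True, "recommended"),
        "at_rest_bits": (128, "required"), "tls": (1.2, "required"),
        "audit": (2, "required"), "dlp": (1, "recommended"),
        "backup": (True, "required"), "storage": (1, "required"),
    },
    "RESTRICTED": {
        "auth": (True, "required"), "mfa": (True, "required"),
        "at_rest_bits": (256, "required"), "tls": (1.2, "required"),
        "audit": (3, "required"), "dlp": (2, "required"),
        "backup": (True, "required"), "storage": (2, "required"),
    },
}


@dataclass
class Asset:
    """Observed state of one data store (field names are this example's own)."""
    name: str
    classification: str
    auth_required: bool
    mfa: bool
    at_rest_bits: int               # 0 = plaintext, otherwise key length in bits
    tls_version: Optional[float]    # None = no transport encryption
    audit_logging: str              # none | basic | detailed | comprehensive
    dlp_mode: str                   # none | monitor | block
    backup_encrypted: bool
    storage: str                    # personal_cloud | corporate | approved_cloud | secure_corporate
    shared_externally: bool = False


def observed(asset: Asset) -> dict:
    """Normalise the asset's state onto the same scale the matrix minimums use."""
    return {
        "auth": asset.auth_required,
        "mfa": asset.mfa,
        "at_rest_bits": asset.at_rest_bits,
        "tls": asset.tls_version if asset.tls_version is not None else 0.0,
        "audit": AUDIT_RANK[asset.audit_logging],
        "dlp": DLP_RANK[asset.dlp_mode],
        "backup": asset.backup_encrypted,
        "storage": STORAGE_RANK[asset.storage],
    }


def control_gaps(asset: Asset) -> List[Tuple[str, str, object, object]]:
    """Return (control, severity, required, actual) for every control below the matrix minimum."""
    actual = observed(asset)
    gaps = []
    for control, (minimum, severity) in MATRIX[asset.classification].items():
        # Matrix: INTERNAL needs transport encryption only for external transfers.
        if control == "tls" and asset.classification == "INTERNAL" and not asset.shared_externally:
            continue
        if actual[control] < minimum:
            gaps.append((control, severity, minimum, actual[control]))
    return gaps


def blocking_gaps(asset: Asset) -> List[str]:
    """Controls whose 'required' minimum is unmet: the 'classification without controls' pitfall."""
    return [c for c, severity, _, _ in control_gaps(asset) if severity == "required"]


if __name__ == "__main__":
    crm = Asset("crm-db", "CONFIDENTIAL", auth_required=True, mfa=False, at_rest_bits=0,
                tls_version=1.2, audit_logging="basic", dlp_mode="none",
                backup_encrypted=True, storage="approved_cloud", shared_externally=True)
    for control, severity, need, have in control_gaps(crm):
        print(f"{crm.name}: {control} {severity} (need {need}, have {have})")
```

Run against a CONFIDENTIAL CRM database stored in plaintext with only basic logging, the script reports `at_rest_bits` and `audit` as blocking gaps and `mfa` and `dlp` as warnings, which is the prioritised worklist a data custodian needs.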

Data Lifecycle Management

flowchart TD
    A[Creation/Collection] --> B[Classification]
    B --> C[Storage]
    C --> D[Use/Processing]
    D --> E[Sharing/Transmission]
    E --> F[Archival]
    F --> G[Disposal]
    D -.Review.-> B

1. Creation/Collection

  • Classify data at point of creation or collection
  • Document lawful basis for processing (GDPR)
  • Implement privacy by design

2. Classification

  • Apply classification label (manual or automated)
  • Document data owner and classification rationale
  • Review classification periodically

3. Storage

  • Store according to classification requirements
  • Encrypt CONFIDENTIAL and RESTRICTED data
  • Implement access controls

4. Use/Processing

  • Process only for authorised purposes
  • Log access to CONFIDENTIAL and RESTRICTED data
  • Implement least privilege access

5. Sharing/Transmission

  • Encrypt data in transit
  • Verify recipient authorisation
  • Use DLP to prevent unauthorised transmission

6. Archival

  • Archive data per retention policy
  • Maintain encryption and access controls
  • Document retention period and legal basis

7. Disposal

  • Securely delete or destroy at end of retention
  • Certify destruction for RESTRICTED data
  • Update data inventory

Data Retention Policies

General Retention Guidelines (UK)

| Data Type | Retention Period | Legal Basis |
| --- | --- | --- |
| Employee Records | 6 years after employment ends | Limitation Act 1980 |
| Payroll Records | 6 years after tax year | HMRC requirement |
| Contracts | 6 years after expiry | Limitation Act 1980 |
| Tax Records | 6 years after tax year | HMRC requirement |
| Accounting Records | 6 years from end of financial year | Companies Act 2006 |
| Health & Safety Records | 3-40 years (varies by type) | Various H&S regulations |
| Recruitment Records (unsuccessful candidates) | 6-12 months | GDPR - reasonable period |
| CCTV Footage | 30 days (typical) | GDPR - proportionate |
| Email | Per business need (typically 2-7 years) | Business requirement |

Sector-Specific Retention (Examples)

Healthcare (UK NHS)

  • GP Records: 10 years after death or patient left practice
  • Hospital Records: 8 years after last treatment
  • Maternity Records: 25 years

Financial Services (UK)

  • Client Records: 6 years after relationship ends (FCA)
  • Transaction Records: 5 years (MiFID II)
  • AML Records: 5 years after relationship ends
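Retention periods in the general table count from different trigger events (employment end, contract expiry, end of the tax or financial year), so a disposal worklist has to compute each expiry date rather than apply a flat age. The script below is an added example, not part of this guide: it encodes the general UK table as date rules, handles the end-of-period triggers (the UK tax year ends on 5 April; the company financial year end of 31 March is an assumption for the example), and lists records past retention. The 6-month choice within the 6-12 month recruitment range, the `legal_hold` flag (a hold suspends disposal regardless of retention) and the sample inventory are also this example's own.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def add_months(d: date, months: int) -> date:
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def uk_tax_year_end(d: date) -> date:
    """5 April closing the UK tax year that contains d (the tax year runs 6 April to 5 April)."""
    end = date(d.year, 4, 5)
    return end if d <= end else date(d.year + 1, 4, 5)


def financial_year_end(d: date, month: int = 3, day: int = 31) -> date:
    """End of the company financial year containing d (31 March assumed for this example)."""
    end = date(d.year, month, day)
    return end if d <= end else date(d.year + 1, month, day)


# Each rule maps the table's trigger event date to the retention expiry date.
RETENTION_RULES: Dict[str, Callable[[date], date]] = {
    "employee_record": lambda d: add_years(d, 6),                        # 6 years after employment ends
    "payroll_record": lambda d: add_years(uk_tax_year_end(d), 6),        # 6 years after tax year
    "contract": lambda d: add_years(d, 6),                               # 6 years after expiry
    "tax_record": lambda d: add_years(uk_tax_year_end(d), 6),            # 6 years after tax year
    "accounting_record": lambda d: add_years(financial_year_end(d), 6),  # 6 years from end of financial year
    "recruitment_unsuccessful": lambda d: add_months(d, 6),              # policy picks 6 of the 6-12 months (assumption)
    "cctv": lambda d: d + timedelta(days=30),                            # 30 days (typical)
}


@dataclass
class Record:
    record_id: str
    record_type: str
    trigger_date: date        # employment end, contract expiry, capture date, ...
    legal_hold: bool = False  # a hold suspends disposal regardless of the retention period


def retention_expiry(record: Record) -> date:
    return RETENTION_RULES[record.record_type](record.trigger_date)


def due_for_disposal(records: List[Record], today: date) -> List[str]:
    """IDs of records past retention and not on legal hold, sorted into a disposal worklist."""
    return sorted(r.record_id for r in records if not r.legal_hold and retention_expiry(r) <= today)


# Constructed sample inventory for the example.
INVENTORY = [
    Record("EMP-001", "employee_record", date(2020, 2, 29)),
    Record("EMP-002", "employee_record", date(2019, 12, 31), legal_hold=True),
    Record("PAY-001", "payroll_record", date(2019, 6, 30)),
    Record("ACC-001", "accounting_record", date(2019, 5, 10)),
    Record("REC-001", "recruitment_unsuccessful", date(2025, 8, 31)),
    Record("CCTV-001", "cctv", date(2026, 1, 1)),
]

if __name__ == "__main__":
    for r in INVENTORY:
        print(r.record_id, retention_expiry(r))
    print("due for disposal:", due_for_disposal(INVENTORY, date(2026, 3, 1)))
```

Note that a payroll record created in June 2019 and one created in February 2020 fall in the same tax year and expire on the same day (5 April 2026); counting six years from the record's own date would dispose of the first one too early.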

Data Handling Procedures

Handling CONFIDENTIAL Data

Storage

  • Store on corporate file servers or approved cloud storage (SharePoint, OneDrive for Business, Google Workspace)
  • Do NOT store on personal cloud services (personal Dropbox, Google Drive)
  • Enable versioning and backup
  • Encrypt storage (AES-256 or equivalent)

Transmission

  • Email: Use encrypted email or secure file sharing link
  • Do NOT email to personal email addresses
  • File sharing: Use corporate file sharing with access controls
  • Physical transport: Use locked container or courier

Access

  • Grant access on need-to-know basis
  • Review access quarterly
  • Revoke access immediately when no longer needed

Disposal

  • Digital: Secure deletion (overwrite or cryptographic erasure)
  • Physical: Cross-cut shredding (min DIN P-4)
  • Hard drives: Degauss or physical destruction

Handling RESTRICTED Data

Storage

  • Store on corporate systems with enhanced security (dedicated secure servers, HSM for keys)
  • Do NOT store on laptops or mobile devices without full disk encryption and MDM
  • Implement data-at-rest encryption (AES-256)
  • Use database encryption or field-level encryption for structured data

Transmission

  • Email: Do NOT email RESTRICTED data (use secure portal or encrypted file sharing)
  • File sharing: Use secure portal with MFA and access expiry
  • Physical transport: Use approved courier with tracking and insurance

Access

  • Grant access only to specifically authorised individuals
  • Require MFA for all access
  • Log all access with audit trail
  • Session recording for privileged access

Disposal

  • Digital: Cryptographic erasure with certification
  • Physical: Cross-cut shredding (DIN P-7) with certificate of destruction
  • Hard drives: Physical destruction (shredding, crushing) with certificate
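Cryptographic erasure, listed above for both CONFIDENTIAL and RESTRICTED digital disposal, works by encrypting each record under its own data-encryption key (DEK) and destroying that key at disposal time: copies of the ciphertext may linger in backups, but nothing can decrypt them. The class below is an added example, not part of this guide, showing the key-per-record layout, the selective erasure of one record, and the certificate of destruction that RESTRICTED disposal requires. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, chosen only so the example runs on the Python standard library; the guide requires AES-256, so production code would use AES-256-GCM from a library such as `cryptography` and keep the DEKs in an HSM or KMS. Record IDs and contents are constructed.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in stream cipher, not the AES-256 the guide mandates."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


class RecordStore:
    """Per-record DEKs; erasing a record destroys its DEK and nothing else."""

    def __init__(self):
        self.keys = {}          # record_id -> DEK (in production: HSM/KMS, never beside the data)
        self.blobs = {}         # record_id -> (nonce, ciphertext, tag); copies may also sit in backups
        self.certificates = []  # certificates of destruction issued by erase()

    def store(self, record_id: str, plaintext: bytes) -> None:
        dek, nonce = os.urandom(32), os.urandom(16)
        ciphertext = _xor(plaintext, dek, nonce)
        tag = hmac.new(dek, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
        self.keys[record_id] = dek
        self.blobs[record_id] = (nonce, ciphertext, tag)

    def read(self, record_id: str) -> bytes:
        nonce, ciphertext, tag = self.blobs[record_id]
        dek = self.keys.get(record_id)
        if dek is None:
            raise PermissionError(f"{record_id}: DEK destroyed, ciphertext is unrecoverable")
        if not hmac.compare_digest(tag, hmac.new(dek, nonce + ciphertext, hashlib.sha256).digest()):
            raise ValueError(f"{record_id}: integrity check failed")
        return _xor(ciphertext, dek, nonce)

    def erase(self, record_id: str, operator: str) -> dict:
        """Destroy the DEK and issue a certificate; the ciphertext is deliberately left in place."""
        dek = self.keys.pop(record_id)
        _, ciphertext, _ = self.blobs[record_id]
        certificate = {
            "record_id": record_id,
            "method": "cryptographic erasure: per-record DEK destroyed",
            "key_fingerprint": hashlib.sha256(dek).hexdigest()[:16],  # names the key without revealing it
            "ciphertext_sha256": hashlib.sha256(ciphertext).hexdigest(),
            "erased_at": datetime.now(timezone.utc).isoformat(),
            "operator": operator,
        }
        self.certificates.append(certificate)
        return certificate


if __name__ == "__main__":
    store = RecordStore()
    store.store("PAT-001", b"constructed patient record: allergy to penicillin")
    store.store("PAT-002", b"constructed patient record: no known allergies")
    print(store.erase("PAT-001", "custodian@example.org"))
    print("PAT-002 still readable:", store.read("PAT-002"))
```

The certificate records a fingerprint of the destroyed key and a hash of the ciphertext it protected, so an auditor can later match a backup copy to the certificate without anyone being able to recover the data.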

Special Category Data (GDPR)

Definition

Personal data revealing:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (for identification)
  • Health data
  • Sex life or sexual orientation

Additional Requirements

  • Higher standard for lawful basis: Explicit consent, legal obligation, vital interests, etc. (GDPR Article 9)
  • Data Protection Impact Assessment (DPIA): Required for high-risk processing
  • Enhanced security measures: Encryption, pseudonymisation, access controls
  • Classification: Treat as RESTRICTED (minimum CONFIDENTIAL)

Data Classification Labelling

Document Labelling

Email

  • Subject line: [CONFIDENTIAL] or [RESTRICTED]
  • Email footer: "This email contains CONFIDENTIAL information..."

Documents

  • Header/Footer: "CONFIDENTIAL - Internal Use Only"
  • Watermark (optional): "CONFIDENTIAL"
  • Metadata: Classification property in document properties

File Names

  • Include classification in file name (optional): Report_CONFIDENTIAL_2026.pdf
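Labels only pay off when something reads them. The script below is an added example (not from this guide or any DLP product) of an outbound-mail check that derives the classification from the subject-line tag and attachment file names above, then applies the transmission rules from the handling sections: RESTRICTED is never emailed, CONFIDENTIAL is blocked to personal mailboxes and needs encryption plus approval for other external recipients, INTERNAL must be encrypted when it leaves the organisation, and unlabelled mail is treated as INTERNAL (the guide's default classification). The corporate domain, the list of consumer webmail domains and the `OutboundMail` fields are assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]
CORPORATE_DOMAINS = {"example.org"}  # assumed: the organisation's own mail domain(s)
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}  # assumed webmail list
SUBJECT_TAG = re.compile(r"\[(PUBLIC|INTERNAL|CONFIDENTIAL|RESTRICTED)\]", re.I)
NAME_TOKEN = re.compile(r"\b(PUBLIC|INTERNAL|CONFIDENTIAL|RESTRICTED)\b", re.I)


@dataclass
class OutboundMail:
    sender: str
    recipients: List[str]
    subject: str
    attachments: List[str] = field(default_factory=list)
    encrypted: bool = False            # encrypted email or secure file-sharing link used
    approved_by: Optional[str] = None  # data owner / legal approval reference for external sharing


def classification_of(mail: OutboundMail) -> str:
    """Highest label found in the subject tag or attachment names; unlabelled mail is INTERNAL."""
    found = []
    m = SUBJECT_TAG.search(mail.subject)
    if m:
        found.append(m.group(1).upper())
    for name in mail.attachments:
        # Report_CONFIDENTIAL_2026.pdf -> "Report CONFIDENTIAL 2026.pdf" so the token is word-bounded
        found += [t.upper() for t in NAME_TOKEN.findall(name.replace("_", " "))]
    return max(found, key=LEVELS.index) if found else "INTERNAL"


def domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def evaluate(mail: OutboundMail) -> Tuple[str, str, List[str]]:
    """Return (decision, classification, reasons); any reason blocks the message."""
    level = classification_of(mail)
    external = [r for r in mail.recipients if domain(r) not in CORPORATE_DOMAINS]
    personal = [r for r in external if domain(r) in PERSONAL_DOMAINS]
    reasons = []
    if level == "RESTRICTED":
        reasons.append("RESTRICTED data must not be emailed; use the secure portal")
    elif level == "CONFIDENTIAL":
        if personal:
            reasons.append("CONFIDENTIAL data addressed to personal mailbox: " + ", ".join(personal))
        if external and not mail.encrypted:
            reasons.append("CONFIDENTIAL data to external recipients needs encrypted email or a secure link")
        if external and not mail.approved_by:
            reasons.append("external sharing of CONFIDENTIAL data needs data owner or legal approval")
    elif level == "INTERNAL" and external and not mail.encrypted:
        reasons.append("INTERNAL data leaving the organisation must be encrypted")
    return ("block" if reasons else "allow", level, reasons)


if __name__ == "__main__":
    mail = OutboundMail("a.user@example.org", ["contact@partner.example"], "Q2 figures",
                        ["Report_CONFIDENTIAL_2026.pdf"])
    print(evaluate(mail))
```

The reasons list is what should go into the DLP alert and back to the sender: it names the rule, not just the verdict, which is what turns a block into a training moment rather than a helpdesk ticket.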

Automated Classification Tools

| Tool | Description | Best For |
| --- | --- | --- |
| Microsoft Purview (Azure Information Protection) | Automated sensitivity labelling for Microsoft 365 | Microsoft-centric organisations |
| Google Cloud DLP | Data discovery and classification | Google Workspace and GCP users |
| Varonis | Data classification and access governance | Enterprises with complex file shares |
| Spirion (Identity Finder) | Data discovery for sensitive data (PII, PHI, PCI) | Compliance-focused organisations |
| BigID | AI-driven data discovery and classification | Large enterprises, multi-cloud |
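At their core, the discovery tools above pattern-match content and propose a classification from the most sensitive thing they find. The script below is an added example of that pattern-matching step, not code from this guide or from any of the products listed: it detects payment card numbers (confirmed with the Luhn check digit so order references are not misreported), UK National Insurance numbers and email addresses, maps each to the tier this guide assigns it (card data and NI numbers RESTRICTED, personal email addresses CONFIDENTIAL), and reports only masked values so the scan log does not itself become RESTRICTED data. The sample text is constructed; 4111 1111 1111 1111 is a standard Luhn-valid test number, not a real card.

```python
import re
from typing import List, Tuple

LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]

# 13-19 digits with optional space/hyphen separators; candidates are confirmed by Luhn.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# UK NI number: two prefix letters (D, F, I, Q, U, V excluded; O excluded second), six digits, suffix A-D.
NI_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test, which separates card numbers from other 13-19 digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def mask(value: str, keep_last: int = 4) -> str:
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def scan(text: str) -> List[Tuple[str, str, str]]:
    """Return (data_type, classification, masked_value) per match; findings never carry the full value."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):  # Luhn failure: a reference number, not a card
            findings.append(("pan", "RESTRICTED", mask(digits)))
    for m in NI_RE.finditer(text):
        ni = m.group().upper()
        findings.append(("ni_number", "RESTRICTED", ni[:2] + " ** ** ** " + ni[-1]))
    for m in EMAIL_RE.finditer(text):
        local, _, dom = m.group().partition("@")
        findings.append(("email", "CONFIDENTIAL", local[0] + "***@" + dom))
    return findings


def suggested_classification(text: str) -> str:
    """Highest tier among the findings; INTERNAL (the guide's default) when nothing matches."""
    return max((level for _, level, _ in scan(text)), key=LEVELS.index, default="INTERNAL")


# Constructed sample document: one real-format card number, one 16-digit reference that fails Luhn.
SAMPLE = """Ticket 4821: invoice query from j.smith@customer.example
Card used: 4111 1111 1111 1111 (exp 09/27)
Order reference: 1234 5678 9012 3456
Payroll lookup: NI AB 12 34 56 C
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
    print("suggested classification:", suggested_classification(SAMPLE))
```

The Luhn step is the difference between a usable scanner and an alert storm: every 16-digit order or tracking number would otherwise be flagged as cardholder data.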

Roles & Responsibilities

Data Owner

Who: Business unit leader or executive responsible for data domain

Responsibilities:

  • Classify data within their domain
  • Define access requirements
  • Approve access requests
  • Review access permissions quarterly
  • Define retention periods

Data Custodian

Who: IT or security team managing data storage and protection

Responsibilities:

  • Implement technical controls per classification
  • Manage backups and encryption
  • Monitor access and detect anomalies
  • Execute secure disposal

Data User

Who: Employees, contractors, partners accessing data

Responsibilities:

  • Handle data per classification requirements
  • Report suspected data breaches
  • Do not share credentials
  • Complete data protection training

Data Protection Officer (DPO)

Who: Person responsible for GDPR compliance

Responsibilities:

  • Advise on data classification and handling
  • Monitor compliance with data protection laws
  • Conduct DPIAs
  • Liaise with supervisory authority (ICO)

Data Classification Implementation

Step 1: Inventory Data

  • Identify all data sources (databases, file shares, cloud storage, SaaS applications)
  • Catalogue data types and locations
  • Use data discovery tools (DLP, CASB, data catalogues)

Step 2: Define Classification Scheme

  • Choose classification tiers (3 or 4-tier model)
  • Define criteria and examples for each tier
  • Document handling requirements per tier

Step 3: Classify Data

  • Identify data owners
  • Classify data (initial classification project)
  • Use automated tools where possible (pattern matching, machine learning)

Step 4: Implement Controls

  • Deploy technical controls (encryption, DLP, access controls)
  • Update policies and procedures
  • Implement labelling (manual or automated)

Step 5: Train Staff

  • Security awareness training covering data classification
  • Role-specific training for data owners and custodians
  • Test understanding

Step 6: Monitor & Review

  • Monitor compliance via DLP alerts, access logs
  • Review classifications annually or when data changes
  • Update controls as needed

Compliance Mapping

GDPR

  • Article 5: Principles (data minimisation, accuracy, storage limitation)
  • Article 25: Data protection by design and default
  • Article 32: Security of processing (appropriate technical measures)

Classification Alignment: Personal data = CONFIDENTIAL (minimum), Special category data = RESTRICTED


PCI DSS v4.0

  • Requirement 3: Protect stored account data
  • Requirement 4: Protect cardholder data with strong cryptography during transmission

Classification Alignment: Cardholder data (PAN, CVV, track data) = RESTRICTED


HIPAA (US)

  • 164.502: Uses and disclosures of PHI
  • 164.308: Administrative safeguards
  • 164.312: Technical safeguards

Classification Alignment: PHI/ePHI = RESTRICTED


ISO 27001:2022

  • 5.12: Classification of information
  • 5.13: Labelling of information
  • 8.10: Information deletion
  • 8.11: Data masking
  • 8.24: Use of cryptography

Quick Selection Guide

| Organisation Profile | Recommended Scheme | Implementation Approach |
| --- | --- | --- |
| Small business (<50) | 3-tier (Public, Internal, Confidential) | Manual classification, basic controls |
| Medium (50-500) | 4-tier standard | Semi-automated classification, DLP monitoring |
| Large enterprise (500+) | 4-tier + automated labelling | Fully automated classification, DLP blocking, comprehensive controls |
| Financial services | 4-tier + PCI data separation | Automated, strict PCI controls for cardholder data |
| Healthcare | 4-tier + PHI/ePHI designation | Automated, HIPAA-aligned controls |
| Government (UK) | OFFICIAL/SECRET/TOP SECRET | Government classification scheme, clearance-based access |

Common Pitfalls

  1. No clear ownership: Data classified but no clear owner to approve access or review
  2. Over-classification: Everything marked CONFIDENTIAL, reducing effectiveness
  3. Under-classification: Sensitive data marked INTERNAL, insufficient protection
  4. Classification without controls: Data classified but no technical controls implemented
  5. No user training: Staff unaware of classification scheme or handling requirements
  6. Set and forget: Initial classification but never reviewed
  7. Inconsistent application: Different teams classify similar data differently
  8. No enforcement: Classification labels exist but DLP not configured