Information Classification. Don’t make it too complicated
Every organisation has a responsibility to protect the information that it creates and collects. Information classification is simply a mechanism that assigns sensitivity or value to a record and it’s been happening for centuries. Title deeds, contracts, birth certificates all have a level of classification that considers their importance or value.
Now that most information is electronic, things have changed, but they don’t have to be more complicated.
When deciding what classification to assign to information, consider the risks associated with:
Confidentiality – kept confidential as necessary
Integrity – ensuring the information has not been changed (unauthorised modification)
Availability – readily located when needed
Retention – stored for an acceptable period to meet legislative compliance
Decide on an information classification framework that is workable for everyone: one that, when necessary, allows access to some information to be restricted to meet business, privacy and legislative requirements, while other information is shared so it can be used for practical business purposes.
Limit classification to a workable four hierarchical levels, such as confidential, restricted, internal and public access. Give the levels practical names that explain what they are and keep it simple.
Start with CONFIDENTIAL CLASSIFICATION as the top level controls and put these rules in place first – example below. Then cascade down to less restricted controls.
RESTRICTED INFORMATION CLASSIFICATION can then be agreed as a lesser control, progressively working down to internal and public access classifications.
Standard protocols to be followed by information owners
Information/document owners are responsible for setting classification levels and controlling access to their information. Consider applicable privacy legislation and contractual agreements when classifying information.
Electronic information/document storage such as media, IT systems and networks shall be classified according to the highest category of information held or in transit.
Information communications and technology systems controllers shall classify each IT system asset based on the most confidential information stored, transmitted or processed by the system, as defined by and in collaboration with the information owner.
If the classification of information is unknown, then the default classification of Internal Only shall be applied.
Only label CONFIDENTIAL or RESTRICTED classified documents – label clearly within the document content or within the document metadata. IT system assets holding confidential or restricted information shall be listed in an information asset register along with the assigned classification, representing the highest classification of the information stored within the IT system asset.
Information owners should be realistic in the application of classification markings to prevent over-classifying information, which can impede productivity and over-complicate systems.
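The rules above (asset level equals the highest level of what it stores or transits, unknown defaults to Internal Only, only CONFIDENTIAL and RESTRICTED get a label and a register entry) can be expressed as a small, checkable model. The following is an added example written for this page, not code from the original article; the four level names follow the text, while the record, owner and asset names are constructed sample data, and the `level_counts` report is an assumed aid for spotting over-classification rather than anything the article prescribes.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional


class Level(IntEnum):
    """Four hierarchical levels; a higher value means more restrictive handling."""
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3


DEFAULT_LEVEL = Level.INTERNAL            # rule: unknown classification defaults to Internal Only
LABELLED_LEVELS = (Level.RESTRICTED, Level.CONFIDENTIAL)  # rule: only these levels are marked


@dataclass
class Record:
    name: str
    owner: str
    level: Optional[Level] = None          # None: the information owner has not classified it yet


@dataclass
class Asset:
    """An IT system asset (server, share, relay) and the records it holds or carries."""
    name: str
    stored: List[Record] = field(default_factory=list)
    in_transit: List[Record] = field(default_factory=list)


def effective_level(record: Record) -> Level:
    """Apply the default when the owner has not set a level."""
    return DEFAULT_LEVEL if record.level is None else record.level


def classify_asset(asset: Asset) -> Level:
    """Asset level = highest level of any record stored on or transiting the asset."""
    levels = [effective_level(r) for r in asset.stored + asset.in_transit]
    return max(levels, default=DEFAULT_LEVEL)   # an empty asset is Internal Only


def document_label(record: Record) -> Optional[str]:
    """Marking to place in the document content or metadata; None when no label is required."""
    level = effective_level(record)
    return level.name if level in LABELLED_LEVELS else None


def build_register(assets: List[Asset]) -> Dict[str, str]:
    """Information asset register: only assets whose highest level requires labelling."""
    register: Dict[str, str] = {}
    for asset in assets:
        level = classify_asset(asset)
        if level in LABELLED_LEVELS:
            register[asset.name] = level.name
    return register


def level_counts(records: List[Record]) -> Dict[str, int]:
    """Distribution of effective levels; a large CONFIDENTIAL share hints at over-classification."""
    counts = {lvl.name: 0 for lvl in Level}
    for r in records:
        counts[effective_level(r).name] += 1
    return counts


# Constructed sample data (hypothetical names, not taken from any real organisation)
PAYROLL = Record("payroll-2024.xlsx", "finance", Level.CONFIDENTIAL)
CONTRACT = Record("supplier-contract.pdf", "legal", Level.RESTRICTED)
NEWSLETTER = Record("newsletter.html", "marketing", Level.PUBLIC)
UNSORTED = Record("scan0042.pdf", "ops")   # not yet classified by its owner
RECORDS = [PAYROLL, CONTRACT, NEWSLETTER, UNSORTED]

ASSETS = [
    Asset("finance-fileshare", stored=[PAYROLL, NEWSLETTER]),
    Asset("mail-relay", in_transit=[CONTRACT, NEWSLETTER]),
    Asset("scanner-dropbox", stored=[UNSORTED]),
    Asset("public-web", stored=[NEWSLETTER]),
]

if __name__ == "__main__":
    for asset in ASSETS:
        print(f"{asset.name}: {classify_asset(asset).name}")
    print("register:", build_register(ASSETS))
    print("labels:", {r.name: document_label(r) for r in RECORDS})
    print("distribution:", level_counts(RECORDS))
```

Running it shows the cascade in practice: the file share inherits CONFIDENTIAL from the payroll file even though it also holds public material, the mail relay is RESTRICTED because of what passes through it, the scanner drop box falls back to INTERNAL, and only the first two appear in the register.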
Legislation to consider
Data privacy/protection in Australia is currently made up of a mix of Federal and State/Territory legislation.
The Federal Privacy Act 1988 (Cth) (Privacy Act) and its Australian Privacy Principles (APPs) apply to private sector entities with an annual turnover of at least AUD $3 million and all Commonwealth Government and Australian Capital Territory Government agencies.
The Privacy Commissioner has power under the Privacy Act to conduct investigations, ensure compliance with the Privacy Act and seek civil penalties for a serious/egregious breach, or for repeated breaches of the APPs where remediation has not been implemented. This particularly applies to issues relating to information classification and subsequent breaches.
Other State and Federal legislation that relates to privacy/data protection for specific types of data or for specific activities includes:
Telecommunications Act 1997 (Cth)
National Health Act 1953 (Cth)
Health Records and Information Privacy Act 2002 (NSW)
Health Records Act 2001 (Vic)
Workplace Surveillance Act 2005 (NSW)
European Union (EU) data considerations – transfer of data to/from the EU
The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and became directly applicable law in all Member States of the European Union on 25 May 2018.
The GDPR has extra-territorial effect. An organisation that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union, where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU, or to "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.