Information Classification, Handling and Data Protection
Classification in Brief
- Public, internal, confidential and restricted is the typical four-tier scheme
- Each tier has handling rules - storage, transmission, retention, disposal
- Workers know how to identify and handle each classification level
Information Classification and Protection
Information classification is the process of labelling each piece of information held by an organisation with its sensitivity, and applying protection that matches the label. Without classification, all information tends to be treated either too casually (with confidential material on shared drives that everyone can reach) or too restrictively (with public marketing collateral locked behind permissions). Classification gets the balance right by applying effort proportionally.
The labels themselves do not need to be elaborate. Three or four levels are enough for most organisations - a public level for material the company is happy for anyone to see, a default business-use level for ordinary internal information, a confidential level for sensitive material including personal data, and sometimes a restricted or secret level for the small amount of information that requires the strongest controls.
A Practical Information Classification Scheme
The classification scheme used in our toolkits has three levels.
- Public is for material that can be openly shared - marketing content, published policies, anything intended for external consumption.
- Business Use is the default - ordinary internal documents, operational records, internal correspondence, anything that should not leak to competitors or customers but is not personally sensitive.
- Confidential is the elevated level - personal data covered by data protection law, commercially sensitive information, customer information, financial records, legal advice and anything subject to a non-disclosure agreement.
The labels feed into how the information is stored, transferred and disposed of. Public information needs no special protection. Business use information should sit on the company network with access limited to relevant teams. Confidential information may need encrypted storage, restricted folder access, encryption when transferred outside the organisation, and secure disposal when no longer needed.
For organisations that handle a meaningful volume of personal data, a fourth level may be useful for special category data under UK GDPR - health information, biometrics, data about criminal convictions and similar - which requires additional protections beyond ordinary personal data.
Labelling and Information Classification
Labelling is what turns a classification scheme into something useful. The labels need to be visible on the documents themselves so that anyone handling them knows the level applied. The simplest approach is to put the classification in the document footer, the email subject line, or the file name. Some organisations use coloured headers, watermarks or tags in document management systems.
The default classification matters. If a document does not have a label, what should it be assumed to be? The practical answer is the middle level - business use - rather than public, because applying business-use protection to something that turns out to be public is harmless, while treating confidential material as public is not. The policy should set out the default explicitly so that there is no ambiguity.
Personal Data and Information Protection
Personal data is any data that can be used to identify an individual, such as names, addresses, dates of birth and so on. The Data Protection Act 2018 and UK GDPR require that personal data is processed lawfully and held securely, and breaches involving personal data have to be reported to the Information Commissioner's Office within 72 hours where there is a risk to the rights and freedoms of the individuals affected.
From an information security perspective, personal data should be treated as confidential by default. A data protection register or record of processing activities (RoPA) can be used to list where personal data is held, why it is processed and how long it is retained. An information assets register can also be implemented; this is populated with the types of information that are collected, such as customer personal details, training records and quotations.
The information assets register and the data protection register cover overlapping territory and should be cross-referenced rather than duplicated.
Detailed guidance on the data protection regime itself sits in our Legal and Compliance section. The information classification scheme is what puts data protection requirements into operation day-to-day - it is the mechanism by which "personal data must be held securely" turns into "files marked confidential are stored in encrypted folders".
Storing, Transferring and Disposing of Classified Information
Each classification level has implications for how information is handled. Storage controls limit who can reach the information at rest - file system permissions, encrypted drives, locked cabinets for paper. Transfer controls protect the information as it moves - encrypted email or secure file transfer for confidential information, no controls needed for public material. Disposal controls make sure information is removed properly when no longer needed - secure shredding for paper, secure deletion or device sanitisation for digital records.
The clear desk and clear screen approach supports all three. Confidential paper goes into locked storage when the desk is not in use, screens are locked when the workstation is unattended, and no confidential information is left visible in public spaces or shared workspaces. None of this is technically demanding, but it requires consistent attention.
Classification often gets overcomplicated. Three levels handled consistently is much more useful than seven levels handled inconsistently. The point is to make handling decisions easy - if everyone knows what business-use means and what confidential means, the controls fall into place around them.
When I audit information classification I look for two things. First, does the policy define what each level means and how information gets labelled? Second, does the actual handling match the policy: is confidential information stored where the policy says it should be, sent the way the policy requires, and disposed of by the methods set out? The gap between policy and practice is where most findings come from.
I may also check the personal data register specifically. Organisations subject to data protection law need to know what personal data they hold, where it is and why. A missing or incomplete register is one of the most consistent gaps I see at audit.
The trick is making the classification scheme so simple that people actually use it. Public, internal, confidential. Three labels, clear definitions, examples that match what the company actually produces. If the rules take more than a minute to explain they will not stick, and a scheme nobody applies is no scheme at all. Stick to the labels you can describe on a Post-it note and the rest follows.
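As an added illustration, not part of the toolkit or the original text, the following Python sketch applies the three-level scheme above: it reads the label from a document's footer, subject line or file name, falls back to Business Use when nothing is marked, and compares each record's handling against the storage, transfer and disposal rules for its level, which is the policy-versus-practice check described in the audit paragraph. The control names, the rule table and the sample register entries are assumptions constructed for this example.

```python
import re

# Added example, not the toolkit's own code. The level names come from the
# page; the control names, rule table and sample records are assumptions.
LEVELS = ("Public", "Business Use", "Confidential")  # lowest to highest
DEFAULT_LEVEL = "Business Use"  # unlabelled material is assumed to be the middle level

# Controls each level requires (assumed encoding of the storage/transfer/disposal text)
RULES = {
    "Public": (),
    "Business Use": ("restricted_access",),
    "Confidential": ("restricted_access", "encrypted_at_rest",
                     "encrypted_transfer", "secure_disposal"),
}

LABEL_RE = re.compile(r"\b(Public|Business Use|Confidential)\b", re.IGNORECASE)


def classify(*markings):
    """Read the label from the footer, subject line or file name.

    Unlabelled material defaults to Business Use. If markings disagree, the
    highest level wins (an assumption; the page only defines the default).
    """
    found = []
    for text in markings:
        match = LABEL_RE.search(text or "")
        if match:
            found.append(next(l for l in LEVELS if l.lower() == match.group(1).lower()))
    return max(found, key=LEVELS.index) if found else DEFAULT_LEVEL


def audit(record):
    """Return one finding per control that the record's level requires but lacks."""
    level = classify(record.get("footer"), record.get("subject"), record.get("name"))
    handling = record.get("handling", {})
    return [f"{record['name']}: {level} requires {control}"
            for control in RULES[level] if not handling.get(control, False)]


# Constructed sample register entries (not real data)
SAMPLE = [
    {"name": "brochure.pdf", "footer": "Public", "handling": {}},
    {"name": "payroll-2024.xlsx", "footer": "CONFIDENTIAL",
     "handling": {"restricted_access": True, "encrypted_at_rest": False,
                  "encrypted_transfer": True, "secure_disposal": True}},
    {"name": "team-minutes.docx", "subject": "Minutes", "handling": {}},  # unlabelled
]

if __name__ == "__main__":
    for rec in SAMPLE:
        for finding in audit(rec):
            print(finding)
```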
Practical Compliance Guidance
You can start by identifying all of the different types of information you collect. This can be done by drafting a Record of Processing Activities (RoPA) and using it to detail the appropriate security controls, access, retention periods and other relevant information about the data you collect.
Following this, establishing a Data Protection Policy will inform your staff on how data should and should not be shared, and how it should be protected and handled.
The IMS1 Manual covers information classification within the wider information security management section. The classification scheme runs alongside the information assets register and the personal data register, with each item recorded against the level that applies.
The following alphaZ documents support a practical approach to information classification and protection.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | Full document set for setting up an information security management system, including the information classification policy and supporting registers. |
| P-31 Information Protection Policy | Policy covering how information is protected at each classification level, including storage, transfer and disposal arrangements. |
| P-39 Information Transfer Policy | Policy covering the secure transfer of information internally and externally, including encryption requirements and approved methods. |
| F-IMS30 Record of Processing Activities | Register documenting an overview of personal data processing activities. |
| F-IMS25 Information Assets Register | Register listing information assets held by the organisation, with the classification level and ownership recorded against each item. |
| F-IMS24 Personal Data Register | Register of personal data held, the lawful basis for processing, retention periods and the security measures applied. |
| PP-8-100 Information Security Policy Procedure | The master policy that sets out the classification scheme, the clear desk and clear screen requirements and the wider information protection controls. |
| GDPR / Data Protection Toolkit | Toolkit that includes various file templates for reviewing and documenting the collection and processing of personal data and for preparing appropriate privacy notice(s). |
| P-25 Data Protection Policy | States the company’s commitment to comply with data protection regulations, including the General Data Protection Regulation (GDPR), and details the measures implemented to ensure this compliance. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation
The following UK legislation is directly relevant to information classification and protection. Organisations outside the UK should identify the equivalent legislation applicable in their jurisdiction.
