Understanding Data Classification

[Infographic: Data classification by sensitivity. Levels: Public (no restriction), Internal (staff only), Confidential (limited), Secret (strict controls). Know what you hold. Do: label documents correctly; store per classification level; destroy securely when done. Don't: email Secret data unencrypted; store on personal devices.]

Learn how to classify, handle, and dispose of information correctly to meet privacy and security obligations.

Not all data deserves the same level of protection. Data classification assigns sensitivity labels to information so that everyone in the organisation handles it appropriately.

The Classification Pyramid

Public: Website, press releases, job ads
Internal: Policies, internal comms, project plans
Confidential: Customer data, financial reports, contracts
Restricted: Health records, credentials, strategic M&A

What Each Classification Means

Label | Description | Example | Handling
Public | Approved for public release | Marketing materials, website content | No restrictions
Internal | For staff only, not public | Policy documents, org charts | Don’t share externally
Confidential | Business-sensitive, limited distribution | Customer PII, financial data | Encrypt in transit; need-to-know access
Restricted | Highest sensitivity, strictly controlled | Legal files, health records, credentials | Encrypted at rest; strict access logs

Your Responsibilities

When you create, receive, or handle information, you are responsible for identifying its classification and handling it accordingly.
⚠ Warning
Misclassification causes real harm. Treating Confidential data as Internal and emailing it without encryption — or sharing it with people who don’t need it — may breach the Australian Privacy Act and your employment obligations. When unsure, classify upward (treat it as more sensitive, not less).

Practical Classification Decisions

Ask yourself these questions when handling information:
  1. Who is this information about? If it involves identifiable individuals — customers, employees, patients — it is at minimum Confidential.
  2. What would happen if it were leaked? Embarrassment = Internal. Financial or legal consequences = Confidential or Restricted.
  3. Is it covered by law or regulation? Health records, tax file numbers, and account data have legal protections.
  4. Was it explicitly labelled? Respect the classification the creator assigned.
✓ Key Point
Microsoft Purview (formerly Information Protection) can apply sensitivity labels automatically to emails and documents in Microsoft 365. If your organisation uses it, the label visible in the email header or document tells you exactly how to handle that file — apply the required handling rules.

Disposal of Classified Information

Classification doesn’t end when you’re done using the data:
Format | Disposal Method
Paper documents (Confidential+) | Cross-cut shredding or locked destruction bin
Electronic files | Secure deletion tool or IT-managed process
USB drives / hard drives | Return to IT for certified destruction
Emails with sensitive data | Don’t forward unnecessarily; delete from Sent and Deleted folders
Do you know where your sensitive data lives?
You can’t protect data you haven’t identified — and mishandled customer information can put you in breach of the Privacy Act. Mobile Techs IT Service helps Gold Coast businesses get their data under control — data audits, sensitivity labelling in Microsoft 365, access controls that match each classification level, encrypted storage, and certified destruction of old drives and devices. Home users welcome too — on-site or remote, anywhere in Australia.