Learn how to classify, handle, and dispose of information correctly to meet privacy and security obligations.
Understanding Data Classification
Not all data deserves the same level of protection. Data classification assigns sensitivity labels to information so that everyone in the organisation handles it appropriately.
The Classification Pyramid
What Each Classification Means
| Label | Description | Example | Handling |
|---|---|---|---|
| Public | Approved for public release | Marketing materials, website content | No restrictions |
| Internal | For staff only, not public | Policy documents, org charts | Don’t share externally |
| Confidential | Business-sensitive, limited distribution | Customer PII, financial data | Encrypt in transit; need-to-know access |
| Restricted | Highest sensitivity, strictly controlled | Legal files, health records, credentials | Encrypt at rest; keep strict access logs |
Your Responsibilities
When you create, receive, or handle information, you are responsible for identifying its classification and handling it accordingly.
⚠ Warning
Misclassification causes real harm. Treating Confidential data as Internal and emailing it without encryption — or sharing it with people who don’t need it — may breach the Australian Privacy Act and your employment obligations. When unsure, classify upward (treat it as more sensitive, not less).
Practical Classification Decisions
Ask yourself these questions when handling information:
- Who is this information about? If it involves identifiable individuals — customers, employees, patients — it is at minimum Confidential.
- What would happen if it were leaked? Embarrassment = Internal. Financial or legal consequences = Confidential or Restricted.
- Is it covered by law or regulation? Health records, tax file numbers, and account data have legal protections.
- Was it explicitly labelled? Respect the classification the creator assigned.
✓ Key Point
Microsoft Purview (formerly Information Protection) can apply sensitivity labels automatically to emails and documents in Microsoft 365. If your organisation uses it, the label visible in the email header or document tells you exactly how to handle that file — apply the required handling rules.
Disposal of Classified Information
Classification doesn’t end when you’re done using the data. Dispose of it using the method that matches its format:
| Format | Disposal Method |
|---|---|
| Paper documents (Confidential+) | Cross-cut shredding or locked destruction bin |
| Electronic files | Secure deletion tool or IT-managed process |
| USB drives / hard drives | Return to IT for certified destruction |
| Emails with sensitive data | Don’t forward unnecessarily; delete from Sent and Deleted folders |


