Information Sensitivity

Information sensitivity is the control of access to information or knowledge that might result in loss of an advantage or level of security if disclosed to others. Loss, misuse, modification, or unauthorized access to sensitive information can adversely affect the privacy or welfare of an individual, trade secrets of a business or even the security and international relations of a nation depending on the level of sensitivity and nature of the information.


Non-sensitive information


Public information

This refers to information that is already a matter of public record or knowledge. With regard to government and private organizations, access to or release of such information may be requested by any member of the public, and there are often formal processes laid out for how to do so. The accessibility of government-held public records is an important part of government transparency, accountability to its citizens, and the values of democracy.
Public records may furthermore refer to information about identifiable individuals that is not considered confidential, including but not limited to: census records, criminal records, sex offender registry files, and voter registration.


Routine business information

This includes business information that is not subjected to special protection and may be routinely shared with anyone inside or outside of the business.


Types of sensitive information

''Confidential information'' is used in a general sense to mean sensitive information whose access is subject to restriction, and may refer to information about an individual as well as that which pertains to a business. However, there are situations in which the release of personal information could have a negative effect on its owner. For example, a person trying to avoid a stalker will be inclined to further restrict access to such personal information. Furthermore, a person's SSN or SIN, credit card numbers, and other financial information may be considered private if their disclosure might lead to crimes such as identity theft or fraud. Some types of private information, including records of a person's health care, education, and employment may be protected by privacy laws. Unauthorized disclosure of private information can make the perpetrator liable for civil remedies and may in some cases be subject to criminal penalties. Even though they are often used interchangeably, personal information is sometimes distinguished from private information, or personally identifiable information. The latter is distinct from the former in that private information can be used to identify a unique individual. Personal information, on the other hand, is information belonging to the private life of an individual that cannot be used to uniquely identify that individual. This can range from an individual's favourite colour to the details of their domestic life. The latter is a common example of personal information that is also regarded as sensitive, where the individual sharing these details with a trusted listener would prefer for it not to be shared with anyone else, and the sharing of which may result in unwanted consequences.


Confidential business information

Confidential business information refers to information whose disclosure may harm the business. Such information may include trade secrets, sales and marketing plans, new product plans, notes associated with patentable inventions, customer and supplier information, financial data, and more.


Classified

Classified information generally refers to information that is subject to special security classification regulations imposed by many national governments, the disclosure of which may cause harm to national interests and security. The protocol of restriction imposed upon such information is categorized into a hierarchy of classification levels in almost every national government worldwide, with the most restricted levels containing information that may cause the greatest danger to national security if leaked. Authorized access is granted to individuals on a need to know basis who have also passed the appropriate level of security clearance. Classified information can be reclassified to a different level or declassified (made available to the public) depending on changes of situation or new intelligence. Classified information may also be further denoted with the method of communication or access, for example Protectively Marked "Secret" Eyes Only or Protectively Marked "Secret" Encrypted transfer only. These indicate, respectively, that the document must be physically read by the recipient and cannot be openly discussed, for example over a telephone conversation, or that the communication can be sent only using encrypted means. "Eyes Only" is often mistakenly listed as meaning for the eyes of the intended recipient only; the anomaly becomes apparent when the additional tag "Not within windowed area" is also used.
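
The access rule described above (a clearance level combined with need to know, handling markings that restrict how content is passed on, and reclassification) as an added Python example. It is not part of the original article; the level names, marking constants, and the sample people and document are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from enum import IntEnum


class Level(IntEnum):
    """Assumed, illustrative hierarchy; real schemes differ by government."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Handling markings modelled on the two quoted in the text (constant names assumed).
EYES_ONLY = "EYES_ONLY"                      # read the physical document only
ENCRYPTED_ONLY = "ENCRYPTED_TRANSFER_ONLY"   # send only by encrypted means


@dataclass(frozen=True)
class Person:
    name: str
    clearance: Level
    need_to_know: frozenset = frozenset()


@dataclass(frozen=True)
class Document:
    title: str
    level: Level
    topics: frozenset = frozenset()      # a reader must need to know all of them
    markings: frozenset = frozenset()


@dataclass(frozen=True)
class Channel:
    kind: str          # "physical", "telephone", "email", ...
    encrypted: bool


def may_read(person, doc):
    """Clearance and need to know are both required; either alone is not enough."""
    if doc.level == Level.PUBLIC:
        return True, "public"
    if person.clearance < doc.level:
        return False, "clearance below document level"
    missing = doc.topics - person.need_to_know
    if missing:
        return False, "no need to know for: " + ", ".join(sorted(missing))
    return True, "cleared with need to know"


def may_convey(doc, channel):
    """Check handling markings against the way the content would be passed on."""
    if doc.level == Level.PUBLIC:
        return True, "public"
    # Assumption: handing over the physical document is not a transmission.
    physical = channel.kind == "physical"
    if EYES_ONLY in doc.markings and not physical:
        return False, "eyes only: may not be discussed over " + channel.kind
    if ENCRYPTED_ONLY in doc.markings and not physical and not channel.encrypted:
        return False, "encrypted transfer only"
    return True, "permitted"


def reclassify(doc, new_level):
    """Return a copy at a new level; declassifying drops the restrictions."""
    if new_level == Level.PUBLIC:
        return replace(doc, level=new_level, topics=frozenset(), markings=frozenset())
    return replace(doc, level=new_level)


# Constructed sample data, not taken from any real classification guide.
ANALYST = Person("analyst", Level.TOP_SECRET, frozenset({"project-a"}))
CLERK = Person("clerk", Level.CONFIDENTIAL, frozenset({"project-b"}))
REPORT = Document("report", Level.SECRET, frozenset({"project-b"}),
                  frozenset({ENCRYPTED_ONLY}))

if __name__ == "__main__":
    for who in (ANALYST, CLERK):
        print(who.name, may_read(who, REPORT))
    print(may_convey(REPORT, Channel("email", encrypted=False)))
    print(may_read(CLERK, reclassify(REPORT, Level.CONFIDENTIAL)))
```

The analyst holds the highest clearance yet is refused for lack of need to know, while the clerk gains access only once the report is reclassified down to their level.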


Legal protection from unauthorised disclosure


Personal and private information

Data privacy concerns exist in various aspects of daily life wherever personal data is stored and collected, such as on the internet, in medical records, financial records, and expression of political opinions. In over 80 countries in the world, personally identifiable information is protected by information privacy laws, which outline limits to the collection and use of personally identifiable information by public and private entities. Such laws usually require entities to give clear and unambiguous notice to the individual of the types of data being collected, its reason for collection, and planned uses of the data. In consent-based legal frameworks, explicit consent of the individual is required as well. The EU passed the General Data Protection Regulation (GDPR), replacing the earlier Data Protection Directive. The regulation was adopted on 27 April 2016. It became enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable. "The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonisation of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover." The GDPR also brings a new set of "digital rights" for EU citizens in an age when the economic value of personal data is increasing in the digital economy. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) regulates the collection and use of personal data and electronic documents by public and private organizations. PIPEDA is in effect in all federal and provincial jurisdictions, except provinces where existing privacy laws are determined to be “substantially similar”. Although not through a unified sensitive information framework, the United States has implemented a significant amount of privacy legislation pertaining to specific aspects of data privacy, with emphasis on privacy in the healthcare, financial, e-commerce, and educational industries, at both federal and state levels. Whether regulated or self-regulated, the laws require establishing ways in which access to sensitive information is limited to people with different roles, thus in essence requiring the establishment of the "sensitive data domain" model and mechanisms for its protection. Some of the domains have a guideline in the form of pre-defined models such as "Safe Harbor" of HIPAA, based on the research of Latanya Sweeney and established privacy industry metrics. Additionally, many other countries have enacted their own legislation regarding data privacy protection, and more are still in the process of doing so.


Confidential business information

The confidentiality of sensitive business information is established through non-disclosure agreements, a legally binding contract between two parties in a professional relationship. NDAs may be one-way, such as in the case of an employee receiving confidential information about the employing organization, or two-way between businesses needing to share information with one another to accomplish a business goal. Depending on the severity of consequences, a violation of non-disclosure may result in employment loss, loss of business and client contacts, criminal charges or a civil lawsuit, and a hefty sum in damages. When NDAs are signed between employer and employee at the initiation of employment, a non-compete clause may be a part of the agreement as an added protection of sensitive business information, where the employee agrees not to work for competitors or start their own competing business within a certain time or geographical limit. Unlike personal and private information, there is no internationally recognized framework protecting trade secrets, or even an agreed-upon definition of the term “trade secret”. However, many countries and political jurisdictions have taken the initiative to account for the violation of commercial confidentiality in their criminal or civil laws. For example, under the US Economic Espionage Act of 1996, it is a federal crime in the United States to misappropriate trade secrets with the knowledge that it will benefit a foreign power, or will injure the owner of the trade secret. More commonly, breach of commercial confidentiality falls under civil law, such as in the United Kingdom. In some developing countries, trade secret laws are either non-existent or poorly developed and offer little substantial protection.


Classified information

In many countries, unauthorized disclosure of classified information is a criminal offence, and may be punishable by fines, prison sentence, or even the death penalty, depending on the severity of the violation. For less severe violations, civil sanctions may be imposed, ranging from reprimand to revoking of security clearance and subsequent termination of employment.
Whistleblowing is the intentional disclosure of sensitive information to a third-party with the intention of revealing alleged illegal, immoral, or otherwise harmful actions. There are many examples of present and former government employees disclosing classified information regarding national government misconduct to the public and media, in spite of the criminal consequences that await them.
Espionage, or spying, involves obtaining sensitive information without the permission or knowledge of its holder. The use of spies is a part of national intelligence gathering in most countries, and has been used as a political strategy by nation-states since ancient times. It is unspoken knowledge in international politics that countries are spying on one another all the time, even their allies.


Digital sensitive information

Computer security is information security applied to computing and network technology, and is a significant and ever-growing field in computer science. The term computer insecurity, on the other hand, is the concept that computer systems are inherently vulnerable to attack, and that there is therefore an evolving arms race between those who exploit existing vulnerabilities in security systems and those who must then engineer new mechanisms of security. A number of security concerns have arisen in recent years as increasing amounts of sensitive information at every level have found their primary existence in digital form. At the personal level, credit card fraud, internet fraud, and other forms of identity theft have become widespread concerns that individuals need to be aware of on a day-to-day basis. The existence of large databases of classified information on computer networks is also changing the face of domestic and international politics. Cyber-warfare and cyber espionage are becoming of increasing importance to the national security and strategy of nations around the world, and it is estimated that 120 nations around the world are currently actively engaged in developing and deploying technology for these purposes. Philosophies and internet cultures such as open-source governance, hacktivism, and the popular hacktivist slogan "information wants to be free" reflect some of the cultural shifts in perception towards political and government secrecy. The popular, controversial WikiLeaks is just one of many manifestations of a growing cultural sentiment that is becoming an additional challenge to the security and integrity of classified information. (Ludlow, P. "WikiLeaks and Hacktivist Culture". ''The Nation'': Sep. 15 2010. Retrieved Feb. 9 2013.)


See also

* Espionage
* Federal Standard 1037C and the National Information Systems Security Glossary
* Mandatory Access Control
* Privacy protocol
* Information privacy law

