Policy Statement

In order to protect the security and integrity of Business data, as well as to comply with applicable state and federal laws and regulations where appropriate, all Business data must be classified as either high risk (confidential), moderate risk (restricted), or low risk (public). Managers and administrators of information technology resources are responsible for this classification.

Reason for Policy

Information technology and data constitute valuable Business assets. Depending on their classification, these assets may additionally be subject to state and federal regulation. This policy is designed to provide a launching point for facilitating compliance with these regulations and adherence to commonly accepted security best practices.

Who Should Read this Policy

All users of Business accessing, storing, sending, receiving, or transmitting any Business data.

1. Classifications

The following risk categorization levels must be adhered to when determining classification for data.

Data Classification Table

Please review the detailed bullets below for additional details.

High Risk
  1. Protected Health Information
  2. Personally Identifiable Information
  3. Financial Data
  4. Employment Records
  5. Business privilege information
  6. User Account or System Passwords providing Access to the above elements

Moderate Risk
  1. Any business data, except where covered under high risk.
  2. Unpublished regulated business data.
  3. Any personal or health related data.
  4. Operational Data
  5. Intellectual Property which Business Users are authorized to access.
  6. All other Business data limited by intention or discretion of author or owner.

Low Risk
  1. Public Websites
  2. Public directory data
  3. Publicly available information
  4. Unrestricted Business information
  5. Press releases
  6. Job postings

1.1 High Risk (Confidential)

This includes data that could have a significant adverse impact on Business's safety, finances, or reputation if improperly disclosed. Confidential data includes, without limitation, the following:

The Privacy Act 1988 is largely the Australian counterpart to HIPAA. As patient health data is easily one of the most sensitive kinds of personal information out there, the Privacy Act was partly designed to give further layers of protection to safeguard said data, amongst other material. In an example provided by the Australian government, any given company is required to obtain the consent of an individual before it can collect their health information. What’s more, each and every health service in Australia – no matter how large or small – is bound by the Privacy Act, further cementing patient confidentiality. 

As such, anyone owning or operating a healthcare business in Australia needs to adhere to the rules and regulations set out by the Privacy Act. It’s enforceable legislation, meaning that it’s illegal for any affected party to opt out. With this in mind, it’s of paramount importance that healthcare organisations both understand the terms laid out by the Privacy Act, and vigorously enforce them.

The concept of ‘personal information’ is broad, and in most cases, whether or not information is personal information will be a straightforward question. However, in some cases it may not be as clear, and the answer will depend on the context and circumstances.

Where there is uncertainty, the Office of the Australian Information Commissioner (OAIC) encourages entities to err on the side of caution by treating the information as personal information, and handle it in accordance with the Australian Privacy Principles (APPs).

The term ‘personal information’ encompasses a broad range of information.

A number of different types of information are explicitly recognised as constituting personal information under the Privacy Act. For example, the following are all types of personal information:

  1. ‘sensitive information’ (includes information or opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, sexual orientation or criminal record, provided the information or opinion otherwise meets the definition of personal information)
  2. ‘health information’ (which is also ‘sensitive information’)
  3. ‘credit information’
  4. ‘employee record’ information (subject to exemptions), and
  5. ‘tax file number information’.

Common examples of personal information

  1. Information about a person’s private or family life.
    1. A person’s name, signature, home address, email address, telephone number, date of birth, medical records, bank account details and employment details will generally constitute personal information.
  2. Information about a person’s working habits and practices.
    1. A person’s employment details, such as work address and contact details, salary, job title and work practices.
    2. Certain business information — for example, information about a loan taken out by a sole trader to purchase tools for their business, or information about utility usage — may be personal information about the sole trader.
  3. Commentary or opinion about a person.
    1. In certain circumstances, a referee’s comments about a job applicant’s career, performance, attitudes and aptitude are ‘personal information’ as they are information about that person. The referee’s comments may also be personal information about the referee given that they provide information about the referee’s views on a particular subject. Likewise, a trustee’s opinion about a bankrupt’s affairs and conduct can be personal information about both the bankrupt and the trustee.
    2. An opinion about an individual’s attributes that is based on other information about them, such as an opinion formed about an individual’s gender and ethnicity, based on information such as their name or their appearance. This will be personal information about the individual even if it is not correct.
    3. Information or opinion inferred about an individual from their activities, such as their tastes and preferences from online purchases they have made using a credit card, or from their web browsing history.

Financial data, including data and information pertaining to credit cards covered by the Payment Card Industry Data Security Standard (PCI DSS), and all financial data that is internal to the business.

Employment records, including pay, benefits, personnel evaluations, and other staff records.

Business privilege information consists of all information that a business produces or uses throughout its operations.

Because Business privilege information is such a broad classification, start the process by looking at data that is directly related to core business functions such as revenue generation, accounting and logistics. Customer service data, and certainly regulatory compliance data, is also worth a closer look. When categorizing data, ask yourself questions like the following:

  1. If I lost access to this data, would it result in lost sales or even lost customers?
  2. If this data were suddenly unavailable, would it end with financial and/or regulatory penalties?
  3. If this information were to fall into the wrong hands, would it damage my company’s reputation in a way that I may not ever be able to recover from?

If the answers to ANY of those questions were “yes,” you’re looking at something that matches the textbook definition of critical business data.

User account or system passwords that provide access to information systems or applications containing any of the above confidential data elements.

1.2 Moderate Risk (Restricted)

This includes information that would not cause material harm, but poses a moderate risk to Business's safety, finances, or operations if improperly disclosed. Restricted data requires protection from unauthorized use, disclosure, modification, and/or destruction, but is not subject to any of the items listed in the confidential definition above.

1.3 Low Risk (Public)

This includes data that can be disclosed to any individual or entity inside or outside of Business, with minimal risk to Business's safety, finances, or operations. Security measures may or may not be needed to control the dissemination of this type of data.