EA case study - Tell me a secret

All three examples below are more or less real, and they are good illustrations of why we need to manage both information security and privacy regulation.

  • XXXXXX describes his/her mental illness in an interview for a documentary.

  • XXXXXX and YYYYYY appear fully nude in some shots filmed for a feature film that is not X-rated.

  • XXXXXX, a Hollywood star, participates in a commercial for a new product line.


Information classification

We start by defining security classification levels to be used within the company and with partners, customers, contractors etc. The four levels are:

  • Public

  • Internal

  • Confidential

  • Secret

The next set of levels concerns privacy and is derived from GDPR.

  • Non personal information

  • Personal but not identifiable information

  • Personally identifiable information

  • Sensitive personally identifiable information

In addition to these generic security classifications, we also have NDAs and other contractual terms to manage.

Ownership and responsibility

Ownership of the classification of information objects belongs to the process owner of each capability.

The more difficult question is which classification level each information object should have, and whether there are cases where we need a more stringent classification.

Public is simple. Just make sure you can track who published what externally, and when.

Internal is information shared within the company and with key partners, contractors and clients.

Confidential is information shared within a specific group for a specific purpose. It may need to be shared both internally and externally.

Secret is information shared only with specific, named persons and is more sensitive than confidential. It may also need to be shared both internally and externally.

Implementation of information policy

How to enforce security and privacy is another matter, and we continue with the example.

The different types of media assets (video, photos, sound etc.) belong to the capability Production, so ownership and responsibility are very clear.

Media assets should not be classified as public or internal, as they may belong to different clients or key partners. This is why they need a higher classification.

The higher the security classification of the media assets, the more time-consuming and expensive they will be to manage.

Normally, confidential will be enough, but in these three cases we have more sensitive information, since it includes sensitive personal information or information covered by NDAs with the client.

  1. Health information about an individual is sensitive personally identifiable information according to GDPR, which treats data concerning health as a special category of personal data.

  2. Nudity is very private, and even if nothing is shown in the feature released in cinemas, we still have revealing clips stored in the raw footage.

  3. There are NDAs in place, and we are not allowed to reveal the participants until the client allows it, i.e. after publication and not before.

This is why I recommend that all three cases be classified as secret instead of confidential.

The next question is how to implement this with state-of-the-art technology while keeping it usable in real life and at a reasonable cost. It is now time to look at this from an enterprise content management perspective.