One part of an information strategy is how to classify information used in and by the organization and external parties, but it’s not as easy as thought of at first sight.
Let’s continue with our film production example where we have four levels:
Public information is shared to the world without restrictions, but how to define the rules for the other three levels are a little more tricky.
Internal information is available to all employees, but what about contractors and partners who we are working close with? The more we close down access, the more hurdles for collaboration.
Confidential information is restricted to a group of individuals, both inside and outside the company. The challenge here is how to protect information from hackers and leaking by mistake.
Secret information is even more restricted than confidential and need even more protection mechanisms. Question how to differ to confidential?
Then there is GDPR and other privacy regulations that need to fit into this model with personal information and sensitive personal information, but implementation is not crystal clear.
A call sheet in a film production is a well defined meeting request, and it includes who should be in a film production, at a certain time and place. We could all agree that this call sheet includes personal information. This information is only relevant for those that are involved in this specific film production, not other persons in the organization.
A reasonable classification of this call sheet should then be confidential, and as it doesn’t contain sensitive personal information it’s not classified as secret. (If we are hired to make the next James Bond movie, I would probably raise the sensitivity to secret).
Then back to reality. Call sheets are printed on paper and shared to everybody on set. They are normally sent via e-mail and/or as messages to mobile phones.
If we set a rule that confidential information is not allowed to be sent by e-mail to external individuals, (without encryption), we make it very complicated for cast & crew on set, as they normally not are technical computer experts.
Film productions are either filmed in studios or on locations. In both cases we need to limit physical access to the set, unless the shooting location is in a public place where we can’t control access in the same way.
If confidential information should be locked in when not used, then we need to provide everybody on set with places where to lock in their papers.
If we set a GDPR policy that says that all personal information should be treated as confidential information, the above example is very valid.
On the other hand, (not legally confirmed), if we say that personal information is classified as internal or confidential depending on the type of information, purpose for usage of information and the amount of individuals in the information collection.
A single call sheet describes a limited number of individuals, their location and time at that location. All call sheets for one production is a bit larger dataset, but doesn’t include many more individuals. All call sheets for all productions done by the company will have a larger impact if leaked.
But, a register of all customers watching our movies, where they were at a certain time, is much more intimidating and if collected, it should have a much higher information classification.
This is why the rules for information classification and design for privacy are complex, if we want to design rules that are used in reality by human beings.