Information sensitivity


Information sensitivity is the control of access to information or knowledge that might result in loss of an advantage or level of security if disclosed to others.
Loss, misuse, modification, or unauthorized access to sensitive information can adversely affect the privacy or welfare of an individual, trade secrets of a business or even the security and international relations of a nation depending on the level of sensitivity and nature of the information.

Non-sensitive information

Public information

This refers to information that is already a matter of public record or knowledge. With regard to government and private organizations, access to or release of such information may be requested by any member of the public, and there are often formal processes laid out for how to do so. The accessibility of government-held public records is an important part of government transparency, accountability to its citizens, and the values of democracy. Public records may furthermore refer to information about identifiable individuals that is not considered confidential, including but not limited to: census records, criminal records, sex offender registry files, and voter registration.

Routine business information

This includes business information that is not subjected to special protection and may be routinely shared with anyone inside or outside of the business.

Types of sensitive information

Confidential information is used in a general sense to mean sensitive information whose access is subject to restriction, and may refer to information about an individual as well as that which pertains to a business.
However, there are situations in which the release of personal information could have a negative effect on its owner. For example, a person trying to avoid a stalker will be inclined to further restrict access to such personal information. Furthermore, a person's SSN or SIN, credit card numbers, and other financial information may be considered private if their disclosure might lead to crimes such as identity theft or fraud.
Some types of private information, including records of a person's health care, education, and employment may be protected by privacy laws. Unauthorized disclosure of private information can make the perpetrator liable for civil remedies and may in some cases be subject to criminal penalties.
Even though the terms are often used interchangeably, personal information is sometimes distinguished from private information, or personally identifiable information. The latter is distinct from the former in that private information can be used to identify a unique individual. Personal information, on the other hand, is information belonging to the private life of an individual that cannot be used to uniquely identify that individual. This can range from an individual's favourite colour to the details of their domestic life. The latter is a common example of personal information that is also regarded as sensitive: the individual sharing these details with a trusted listener would prefer that they not be shared with anyone else, and their disclosure may result in unwanted consequences.

Confidential business information

Confidential business information refers to information whose disclosure may harm the business. Such information may include trade secrets, sales and marketing plans, new product plans, notes associated with patentable inventions, customer and supplier information, financial data, and more.

Classified

Classified information generally refers to information that is subject to special security classification regulations imposed by many national governments, the disclosure of which may cause harm to national interests and security. The protocol of restriction imposed upon such information is categorized into a hierarchy of classification levels in almost every national government worldwide, with the most restricted levels containing information that may cause the greatest danger to national security if leaked. Authorized access is granted on a need-to-know basis to individuals who have also passed the appropriate level of security clearance. Classified information can be reclassified to a different level or declassified depending on changes of situation or new intelligence.
Classified information may also be further marked with the required method of communication or access, for example Protectively Marked "Secret" Eyes Only or Protectively Marked "Secret" Encrypted transfer only. Such markings indicate that the document must be physically read by the recipient and cannot be openly discussed, for example over a telephone conversation, or that it can be sent only by encrypted means. "Eyes Only" is often mistakenly taken to mean "for the eyes of the intended recipient only"; the anomaly becomes apparent when the additional tag "Not within windowed area" is also used.
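The three checks described above (clearance level dominating the classification level, need-to-know compartments, and handling caveats that restrict the delivery channel) can be expressed as a small access decision. The following is an added example, not code from the article or from any government's system; the level names, compartment names, caveat strings and channel names are assumptions chosen for illustration.

```python
"""Added example (not from the article): a toy access decision for
classified material. A request is allowed only if the requester's
clearance level dominates the document's level, the requester is read
into every need-to-know compartment on the document, and the handling
caveats on the document permit the requested delivery channel.
Level names, compartments, caveats and channel names are assumed."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Hierarchy of classification levels; a higher value is more restricted."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """Marking on a document: level, need-to-know compartments, handling caveats."""
    level: Level
    compartments: frozenset = frozenset()
    caveats: frozenset = frozenset()


@dataclass(frozen=True)
class Clearance:
    """What a person holds: a cleared level and the compartments they are read into."""
    level: Level
    compartments: frozenset = frozenset()


# Assumed caveat vocabulary: the delivery channels each caveat permits.
# EYES_ONLY: must be read by the recipient in person, never discussed by phone.
# ENCRYPTED_ONLY: may be transmitted only over an encrypted channel.
CAVEAT_CHANNELS = {
    "EYES_ONLY": {"in_person"},
    "ENCRYPTED_ONLY": {"in_person", "encrypted_link"},
}


def check_access(clearance, label, channel):
    """Return (allowed, reason); every check must pass and the first failure is reported."""
    if clearance.level < label.level:
        return False, "clearance level below classification"
    missing = label.compartments - clearance.compartments
    if missing:
        return False, "not read into compartments: " + ", ".join(sorted(missing))
    for caveat in sorted(label.caveats):
        permitted = CAVEAT_CHANNELS.get(caveat)
        if permitted is None:
            # Fail closed on a marking the system does not understand.
            return False, "unknown caveat " + caveat
        if channel not in permitted:
            return False, caveat + " forbids delivery via " + channel
    return True, "ok"


def reclassify(label, new_level):
    """Produce the label at a new level. Dropping to UNCLASSIFIED clears
    compartments and caveats, since need-to-know no longer applies."""
    if new_level == Level.UNCLASSIFIED:
        return Label(new_level)
    return Label(new_level, label.compartments, label.caveats)


# Constructed sample subject and document.
ANALYST = Clearance(Level.SECRET, frozenset({"ALPHA"}))
REPORT = Label(Level.SECRET, frozenset({"ALPHA"}), frozenset({"EYES_ONLY"}))


def demo():
    """Run the sample decisions and return them as a list of (channel, allowed, reason)."""
    return [(ch,) + check_access(ANALYST, REPORT, ch)
            for ch in ("in_person", "telephone", "encrypted_link")]


if __name__ == "__main__":
    for channel, allowed, reason in demo():
        print(f"{channel:15} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The decision fails closed: an unrecognised caveat denies access rather than being ignored, which is the safe default for markings a system was not built to interpret.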

Legal protection from unauthorised disclosure

Personal and private information

Data privacy concerns exist in various aspects of daily life wherever personal data is stored and collected, such as on the internet, in medical records, in financial records, and in the expression of political opinions. In over 80 countries in the world, personally identifiable information is protected by information privacy laws, which outline limits to the collection and use of personally identifiable information by public and private entities. Such laws usually require entities to give clear and unambiguous notice to the individual of the types of data being collected, the reason for collecting it, and the planned uses of the data. In consent-based legal frameworks, the explicit consent of the individual is required as well.
In the European Union, the Data Protection Directive provides a rigorous standard for privacy protection legislation across all member states. Although the Directive is not legally binding in itself, all member states are expected to enact their own national privacy legislation within three years of the Directive’s adoption that conforms to all of its standards. Since adoption, the Directive has demonstrated significant influence on the privacy legislation of non-EU nations, through its requirements on the privacy laws of non-member nations engaging in transborder flows of private data with EU member nations.
The EU has passed the General Data Protection Regulation, which will replace the Directive. The regulation was adopted on 27 April 2016. It becomes enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable.
"The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonisation of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover."
The GDPR also brings a new set of "digital rights" for EU citizens in an age when the economic value of personal data is increasing in the digital economy.
In Canada, the Personal Information Protection and Electronic Documents Act regulates the collection and use of personal data and electronic documents by public and private organizations. PIPEDA is in effect in all federal and provincial jurisdictions, except provinces where existing privacy laws are determined to be “substantially similar”.
Even though not through a unified sensitive information framework, the United States has implemented a significant amount of privacy legislation pertaining to different specific aspects of data privacy, with emphasis on privacy in the healthcare, financial, e-commerce, and educational industries, at both federal and state levels. Whether regulated or self-regulated, the laws require establishing ways in which access to sensitive information is limited to people with different roles, thus in essence requiring the establishment of a "sensitive data domain" model and mechanisms for its protection. Some of the domains have a guideline in the form of pre-defined models, such as the "Safe Harbor" method of HIPAA, based on the research of Latanya Sweeney and established privacy industry metrics.
Additionally, many other countries have enacted their own legislation regarding data privacy protection, and more are still in the process of doing so.
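The "Safe Harbor" model mentioned above limits what a health record may contain once it is shared outside its sensitive data domain: direct identifiers are removed and quasi-identifiers (dates, ZIP codes, extreme ages) are generalized. The following is an added example of that generalization, not code from the article or from any HIPAA guidance; the field names and sample record are constructed, and the set of low-population ZIP prefixes that must collapse to "000" is stubbed with an assumed single entry rather than loaded from census data.

```python
"""Added example (not from the article): a simplified de-identification
pass in the style of the HIPAA Safe Harbor method. Direct identifiers
are dropped; dates keep only the year; ZIP codes keep three digits (or
become "000" for low-population areas); ages over 89 become "90+" and
the birth date is then suppressed entirely. Field names, the sample
record and SMALL_ZIP3 are constructed for illustration."""
import re

# Fields treated as direct identifiers and removed outright (a subset of
# the Safe Harbor categories, chosen to match the sample record).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "phone", "email", "ssn",
    "medical_record_number", "ip_address", "device_id",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}

# Three-digit ZIP prefixes covering 20,000 or fewer residents must be
# replaced by "000". Assumed placeholder; a real deployment derives the
# set from census population figures.
SMALL_ZIP3 = {"036"}


def generalize_zip(zip_code):
    """Keep the first three digits unless the area is too sparsely populated."""
    prefix = zip_code[:3]
    return "000" if prefix in SMALL_ZIP3 else prefix


def generalize_date(value):
    """Reduce an ISO date (YYYY-MM-DD) to its year; reject anything else."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", value)
    if not m:
        raise ValueError("unsupported date format: " + value)
    return m.group(1)


def generalize_age(age):
    """Aggregate all ages over 89 into one category."""
    return "90+" if age > 89 else age


def deidentify(record):
    """Return a new record with identifiers removed and quasi-identifiers generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # dropped entirely
        if key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "age":
            out[key] = generalize_age(value)
        else:
            out[key] = value  # clinical fields that carry no identity are kept
    # Even a birth year would reveal an age over 89, so suppress it too.
    if out.get("age") == "90+" and "birth_date" in out:
        out["birth_date"] = "suppressed"
    return out


# Constructed sample record (all values fictitious).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "000-00-0000",
    "zip": "02139",
    "birth_date": "1990-06-15",
    "admission_date": "2023-03-02",
    "age": 33,
    "diagnosis_code": "J45.20",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

The important design point is that the function allow-lists what survives by field name: any field not explicitly recognised as safe-to-generalize is copied through, so the set of pass-through fields must be reviewed whenever the record schema changes.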

Confidential business information

The confidentiality of sensitive business information is established through non-disclosure agreements (NDAs), legally binding contracts between two parties in a professional relationship. NDAs may be one-way, such as in the case of an employee receiving confidential information about the employing organization, or two-way between businesses needing to share information with one another to accomplish a business goal. Depending on the severity of consequences, a violation of non-disclosure may result in employment loss, loss of business and client contacts, criminal charges or a civil lawsuit, and a hefty sum in damages. When NDAs are signed between employer and employee at the initiation of employment, a non-compete clause may be a part of the agreement as an added protection of sensitive business information, where the employee agrees not to work for competitors or start their own competing business within a certain time or geographical limit.
Unlike personal and private information, there is no internationally recognized framework protecting trade secrets, or even an agreed-upon definition of the term “trade secret”. However, many countries and political jurisdictions have taken the initiative to account for the violation of commercial confidentiality in their criminal or civil laws. For example, under the US Economic Espionage Act of 1996, it is a federal crime in the United States to misappropriate trade secrets with the knowledge that it will benefit a foreign power, or will injure the owner of the trade secret. More commonly, breach of commercial confidentiality falls under civil law, such as in the United Kingdom. In some developing countries, trade secret laws are either non-existent or poorly developed and offer little substantial protection.

Classified information

In many countries, unauthorized disclosure of classified information is a criminal offence, and may be punishable by fines, prison sentence, or even the death penalty, depending on the severity of the violation. For less severe violations, civil sanctions may be imposed, ranging from reprimand to revoking of security clearance and subsequent termination of employment.
Whistleblowing is the intentional disclosure of sensitive information to a third party with the intention of revealing alleged illegal, immoral, or otherwise harmful actions. There are many examples of present and former government employees disclosing classified information regarding national government misconduct to the public and media, in spite of the criminal consequences that await them.
Espionage, or spying, involves obtaining sensitive information without the permission or knowledge of its holder. The use of spies is a part of national intelligence gathering in most countries, and has been used as a political strategy by nation-states since ancient times. It is unspoken knowledge in international politics that countries are spying on one another all the time, even their allies.

Digital sensitive information

Computer security is information security applied to computing and network technology, and is a significant and ever-growing field in computer science. The term computer insecurity, on the other hand, is the concept that computer systems are inherently vulnerable to attack, and that there is therefore an evolving arms race between those who exploit existing vulnerabilities in security systems and those who must then engineer new mechanisms of security.
A number of security concerns have arisen in the recent years as increasing amounts of sensitive information at every level have found their primary existence in digital form. At the personal level, credit card fraud, internet fraud, and other forms of identity theft have become widespread concerns that individuals need to be aware of on a day-to-day basis.
The existence of large databases of classified information on computer networks is also changing the face of domestic and international politics. Cyber-warfare and cyber espionage are becoming of increasing importance to the national security and strategy of nations around the world, and it is estimated that 120 nations around the world are currently actively engaged in developing and deploying technology for these purposes.
Philosophies and internet cultures such as open-source governance, hacktivism, and the popular hacktivist slogan "information wants to be free" reflect some of the cultural shifts in perception towards political and government secrecy. The popular, controversial WikiLeaks is just one of many manifestations of a growing cultural sentiment that is becoming an additional challenge to the security and integrity of classified information.