Data Set Classification for Security and Sharing Protocols
Recently our Insights Analyst and Digital Storyteller Deborah Tan shared these best practices for securing and sharing data in a lunch-n-learn session with the team. Today we’ve summarised them in a short post so you can review and assess your internal processes.
As the world comes to grips with GDPR regulations, data privacy and security, it's important to have clear guidelines around how you classify data and how you store, protect and share that information.
Data Insight often works with clients through a Data Audit process, reviewing what data the company owns, classifying data sets based on the type of information they contain and setting best practices for storage and transfer.
There are four types of data classification, listed here from most to least restricted:

- Strictly Confidential: extremely sensitive data, including bank balance, bank account or customer number, and date of birth.
- Confidential: contains proprietary information but no personally identifiable data.
- Sensitive: data that includes customer name and address.
- Commercial: no personal or proprietary data, though there may be legal, privacy, contractual or commercial restrictions.
Should your data be stored in a shared drive?
Strictly Confidential data should never be stored on a shared drive. It should be accessible only to the individual staff who need it for the work required. It should be stored using encryption technologies (BitLocker, TrueCrypt) to protect it if the computer or device is lost; note that TrueCrypt has been discontinued since 2014, so a maintained alternative such as VeraCrypt should be used in its place. When sharing this data, staff should always use encryption and password protection, both internally and externally.
For Confidential, Sensitive or Commercial data, storing on a shared drive is acceptable as long as you have the data transfer policies below in place.
Confidential data files should be stored zipped and password protected, and transferred using encryption and password protection, both internally and externally.
When transferring or sharing Sensitive data externally, encryption and password protection should be used.
For other Commercial data, no encryption or password protection is generally applied, but staff should always consider the legal, privacy, contractual and commercial restrictions on any data that is to be transferred.
When sharing or transferring password-protected data, send the password separately (in a separate email, by SMS or by phone call) so that the file and its password never travel together.
For Strictly Confidential and Confidential data, always send files via SFTP/SSH, and ensure that the text files are deleted once loading is complete.
Also define a process for deleting data that you no longer need to store, but retain a data register so you know what you held and how that information was managed.
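The rules above are easy to apply inconsistently by hand during a data audit. As an added example (not code from the original post or from Data Insight), the script below encodes the four classes and their storage and transfer handling as data, classifies a data set from its column headers, and produces the sharing checklist for it. The column-name patterns, the `Handling` fields, the function names and the sample data sets are all assumptions constructed for illustration; a real audit would inspect sample values as well as headers.

```python
"""Script a data-set classification audit from the four classes and handling rules."""
import re
from dataclasses import dataclass

# Least to most restricted, in the order the post presents them.
LEVELS = ["Commercial", "Sensitive", "Confidential", "Strictly Confidential"]

# Header patterns are a heuristic constructed for this example. Commercial is the
# default when nothing matches, so an unrecognised column never relaxes handling.
PATTERNS = {
    "Strictly Confidential": re.compile(
        r"(bank|account|iban|balance|customer_?(no|num|number|id)|dob|date_of_birth|birth)",
        re.I),
    "Sensitive": re.compile(
        r"(customer_?name|first_?name|last_?name|surname|full_?name|address|street|postcode|suburb)",
        re.I),
    "Confidential": re.compile(
        r"(margin|cost_?price|forecast|pricing|supplier|recipe|source_?code)", re.I),
}


@dataclass(frozen=True)
class Handling:
    shared_drive: bool       # may the file live on a shared drive at all?
    encrypt_internal: bool   # encryption + password when shared inside the company
    encrypt_external: bool   # encryption + password when shared outside it
    zip_and_password: bool   # store as a password-protected zip
    sftp_required: bool      # send via SFTP/SSH and delete staged text files after load


# One row per class, transcribed from the rules in the post.
POLICY = {
    "Strictly Confidential": Handling(False, True, True, False, True),
    "Confidential":          Handling(True, True, True, True, True),
    "Sensitive":             Handling(True, False, True, False, False),
    "Commercial":            Handling(True, False, False, False, False),
}


def classify(columns):
    """Return the most restrictive class that any column of the data set triggers."""
    rank = 0
    for col in columns:
        for level, pattern in PATTERNS.items():
            if pattern.search(col):
                rank = max(rank, LEVELS.index(level))
    return LEVELS[rank]


def transfer_steps(level, external):
    """List the handling steps for sending a data set of this class, inside
    (external=False) or outside (external=True) the organisation."""
    h = POLICY[level]
    steps = []
    if h.zip_and_password:
        steps.append("store the files zipped and password protected")
    needs_encryption = h.encrypt_external if external else h.encrypt_internal
    if needs_encryption:
        steps.append("encrypt and password-protect the file before sending")
        steps.append("send the password by a separate channel (separate email, SMS or phone call)")
    else:
        steps.append("no encryption or password protection required for this transfer")
    if level == "Commercial":
        steps.append("check legal, privacy, contractual and commercial restrictions before sending")
    if h.sftp_required:
        steps.append("transfer via SFTP/SSH")
        steps.append("delete the staged text files once loading is complete")
    steps.append("record the transfer in the data register")
    return steps


def audit(name, columns, external):
    """Classify one data set and return its class plus the checklist for sharing it."""
    level = classify(columns)
    return {"data_set": name, "class": level,
            "shared_drive_ok": POLICY[level].shared_drive,
            "steps": transfer_steps(level, external)}


if __name__ == "__main__":
    # Constructed sample data sets, one per class.
    samples = {
        "bank_feed.csv": ["customer_number", "dob", "balance"],
        "mailing_list.csv": ["customer_name", "address", "postcode"],
        "margin_report.csv": ["sku", "cost_price", "margin"],
        "catalogue.csv": ["sku", "list_price", "description"],
    }
    for name, cols in samples.items():
        result = audit(name, cols, external=True)
        print(f"{name}: {result['class']} (shared drive ok: {result['shared_drive_ok']})")
        for step in result["steps"]:
            print("  -", step)
```

Because `classify` keeps the most restrictive match, a data set that mixes proprietary figures with customer names is handled as Confidential rather than Sensitive, and the checklist changes with the audience: Sensitive data gets the out-of-band password step only when `external=True`, while Strictly Confidential and Confidential data get it in both cases.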
Deborah advises that companies should have clear processes that are shared with staff on a regular basis to remind them of their obligations. "Under the Privacy Act, every organisation is required to have a Privacy Officer, a key internal and external contact point to ensure policies are being adhered to."
If you would like further advice or support around your company data classification and best practice please get in touch with our team.
About Data Insight
Data Insight is an intelligent business insights and analytics partner helping high growth and enterprise clients leverage the power of data-driven decisions.
Every organisation is collecting and creating huge amounts of data. Understanding that data, interrogating data to tell relevant and meaningful stories and making those insights available for everyone is how modern businesses scale at pace.
Data Insight partners with companies to generate value from their data, empowering staff to make data-driven decisions in real time from business insights they trust, backed by a data strategy and policies to manage data and protect privacy.
Clients work with our Data Analysts to deliver organisational change, to reinvent and innovate, leveraging owned and public data sets to produce business insights that create commercial value.